
Meet NoEscape, the return of the Avaddon RaaS gang

With NoEscape, the ransomware gang Avaddon, which has claimed victims in the past, appears to be returning. Since June 2023, NoEscape has been attacking large companies with double-extortion techniques. The cybercriminals steal data and encrypt files on Windows, Linux and VMware ESXi servers. How serious is the threat? We dive into the new ransomware attack.

The important thing to know about NoEscape is that it is malicious software that encrypts files to make them inaccessible. Companies hit by the ransomware can no longer access their files. The attackers also steal the data and threaten to publish it; NoEscape withholds publication only if the ransom is paid. According to BleepingComputer, ransom demands range from hundreds of thousands to millions of dollars, and demands of more than $10 million (about 8.9 million euros) are common.

History as Avaddon

Interestingly, NoEscape appears to herald the return of Avaddon, a ransomware-as-a-service (RaaS) operation. RaaS is developed by experienced cybercriminals who offer the malicious software as a service, complete with support and payment handling. A buyer of the service then carries out the attack. This lowers the barrier to launching a ransomware attack while letting the criminals involved make substantial money. A RaaS buyer typically remits a portion of the ransom paid to the ransomware operator or pays a license fee.

Avaddon emerged in early 2019 and applied double extortion, according to an analysis by SentinelOne. That is, it demanded a ransom both for decryption and for not publicly releasing the stolen data. At the time, Avaddon became popular mainly by offering RaaS customers a higher share of the profits than competing RaaS services did.

In the past, the ransomware targeted various types of organizations, for example in healthcare, government, financial services, legal, hospitality, education and retail. However, some Avaddon customers targeted individuals rather than large companies. The RaaS service also sought to prevent attacks in certain former Soviet Union countries and had control mechanisms built in for that purpose.

In 2021, Avaddon shut down and decryption keys were released to all victims.

Rebranding

NoEscape also spares former Soviet Union countries: victims there can expect free decryption keys. So far, the ransomware gang has listed about 10 companies from different countries and industries as victims, indicating once again a broad range of targets. The size of the leaked data ranges from 3.7 GB to 111 GB.

Avaddon had not been seen since June 2021, until NoEscape suddenly surfaced last month. BleepingComputer makes the connection based on analysis by ID Ransomware creator and ransomware expert Michael Gillespie.

The NoEscape and Avaddon encryptors are nearly identical, according to these security experts. There is only one change in the encryption algorithm: Avaddon used AES to encrypt files, while NoEscape uses the Salsa20 algorithm.

NoEscape uses the same encryption logic and file formats as Avaddon, including a distinctive method that “splits the RSA encrypted blobs.” Further investigation, based on an analysis by Mandiant, shows that the Avaddon and NoEscape encryptors also use the same configuration file and directives.

No escape

NoEscape’s overall tactics resemble those of other ransomware operations. It gains access to a corporate network, then spreads laterally and tries to reach other devices. Once it obtains Windows domain administrator credentials, NoEscape deploys the ransomware across the network. Before the double-extortion attack reaches the file-encryption stage, it steals corporate data.

The malware sample shows that NoEscape runs a command to delete Windows Shadow Volume Copies and the local Windows backup catalog, and also attempts to disable automatic Windows recovery. It further terminates various processes and services, including security software, backup applications, web and database servers, QuickBooks and virtual machine platforms. During file locking, the encryptor uses the Windows Restart Manager API to close processes or shut down Windows services that could keep a file open and block encryption.
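As an added defender-side example (not from the article or from any of the researchers it cites), the following Python flags the pre-encryption steps described above in process-creation telemetry and escalates hosts where several of them coincide. The log format, host names, rule patterns and sample events are constructed for this example; the utilities matched are the standard Windows tools for these actions, not strings quoted from the NoEscape sample.

```python
import re
# Hypothetical rules for this example: a label plus a case-insensitive pattern over
# the process command line. The utilities matched are the standard Windows tools for
# these actions, not strings quoted from the NoEscape sample.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

def parse_event(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def classify(cmdline):
    """Return the distinct rule labels matching the command line (empty if benign)."""
    labels = []
    for label, pattern in RULES:
        if pattern.search(cmdline) and label not in labels:
            labels.append(label)
    return labels

def scan(events):
    """Return (host, pid, labels) for every event that matches at least one rule."""
    hits = []
    for line in events:
        ev = parse_event(line)
        labels = classify(ev.get("cmd", ""))
        if labels:
            hits.append((ev.get("host", "?"), ev.get("pid", "?"), labels))
    return hits

def hosts_with_multiple_techniques(hits, threshold=2):
    """Hosts showing several distinct techniques: stronger than one command alone."""
    seen = {}
    for host, _pid, labels in hits:
        seen.setdefault(host, set()).update(labels)
    return sorted(h for h, labels in seen.items() if len(labels) >= threshold)

# Constructed sample telemetry for this example, not logs from a real incident.
SAMPLE_EVENTS = [
    "host=FS01|pid=4412|cmd=C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "host=FS01|pid=4420|cmd=wbadmin delete catalog -quiet",
    "host=FS01|pid=4431|cmd=bcdedit /set {default} recoveryenabled No",
    "host=WS07|pid=1180|cmd=vssadmin list shadows",
    "host=WS07|pid=1190|cmd=C:\\Program Files\\Backup\\agent.exe --schedule nightly",
]
```

Administrators also run these utilities legitimately, so a single hit is a lead to triage, while a host accumulating two or more distinct labels in a short window is the signal worth paging on.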

NoEscape can use three modes during encryption: full, partial or chunked. “Full” encrypts entire files, “partial” encrypts a certain amount of megabytes, and “chunked” applies encryption to small pieces of data.

Eventually, NoEscape displays a message reporting an infection of the corporate network. “All files have been encrypted and stolen!” the message warns. Next is a .txt file saying, “We are not a political company and we are not interested in your private affairs. We are a commercial company and we are only interested in money.”

After payment, victims get a decryptor for Windows XP, all other Windows versions and Linux. For large organizations using VMware ESXi, NoEscape offers an additional shell script for recovery. However, as is often the case with ransomware, the question is whether it is wise to pay.

The similarities may indicate several things. The NoEscape operators may have purchased the source code of the Avaddon encryptor. However, the researchers BleepingComputer spoke to believe that a number of key players from the Avaddon operation have joined the new NoEscape group. Either way, after Avaddon’s absence, businesses are once again being hit by this ransomware and cannot simply escape NoEscape’s grasp.