The healthcare sector has been warned about a “formidable” new Ransomware-as-a-Service (RaaS) group named NoEscape, which is believed to be a rebrand of Russian threat actor Avaddon.
The gang emerged in May 2023 and has “unique features and aggressive multi-extortion tactics,” according to a US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HHS HC3) advisory.
NoEscape has so far been observed to target organizations operating in the professional services, manufacturing and information industries. Its “indiscriminate targeting” of the healthcare and public health sector is a “worrisome sign” that more organizations in this field could be targeted soon, the HHS HC3 document warned.
How NoEscape Operates
When NoEscape infiltrates a network, the ransomware drops a note on the victim’s computer stating that the system has been infected by NoEscape. This note serves as the communication channel, with specified steps for engaging with the ransomware developers.
Victims are required to pay the ransom in cryptocurrency, and the ransom amount varies depending on the severity of the attack and the specific ransomware variant, ranging from hundreds of thousands of dollars to over $10m.
The targets of the ransomware vary depending on the buyer. However, its preferred victims have been identified as US and European organizations.
The group uses multi-extortion tactics to maximize the impact of a successful attack. These include an option in which data exfiltration and encryption are coupled with DDoS attacks against targets; this tactic is available to those using the RaaS for an additional $500,000 fee.
NoEscape and Avaddon Gangs Use Similar Tactics
HHS HC3 highlighted several links between NoEscape and the now-defunct Avaddon gang, which released its decryption keys in 2021. These include:
- Encryption similarities: The advisory noted that the encryption logic and file formats are “strikingly similar.” The primary difference is in the encryption algorithm used, with NoEscape adopting Salsa20, while Avaddon utilized AES.
- Configuration overlaps: Both groups use the same configuration file and directives.
- Tactical resemblance: The threat actors use similar initial access methods and employ multi-extortion tactics.
- Geographical exemptions: Countries of the former Soviet Union are not targeted and any victims from these regions are given free decryption keys.
How to Defend Against NoEscape
The Center set out a range of recommendations to healthcare organizations to protect themselves against NoEscape ransomware. These include:
- Maintain regular backups of critical data, and store these offline
- Keep all software up to date
- Implement strong email security controls and phishing awareness training
- Use strong passwords for all accounts and enable multi-factor authentication where possible
- Have a well-defined ransomware incident response plan in place to reduce the impact of an attack
- Implement firewalls and other network security measures to monitor and control incoming and outgoing network traffic
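The first recommendation above, offline backups of critical data, only helps if the backup copy can be shown to be intact when it is needed. The following is an added illustration, not part of the HHS HC3 advisory and not NoEscape-related code: it builds a SHA-256 manifest of a backup tree and later verifies the tree against that manifest, reporting files that were modified, removed or added. The sample files, the tampering step and the function names are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backup archives don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every file under backup_root (relative path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            manifest[str(p.relative_to(backup_root))] = hash_file(p)
    return manifest


def verify_manifest(backup_root: Path, manifest: dict) -> dict:
    """Compare the current tree with a previously recorded manifest.

    Returns the lists of files whose contents changed, files that disappeared
    and files that appeared, so an operator can see at a glance whether the
    backup set is still the one that was recorded.
    """
    current = build_manifest(backup_root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed walk-through: record a manifest, disturb the tree, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample backup contents (hypothetical file names).
        (root / "records.db").write_bytes(b"constructed sample data")
        (root / "config.json").write_bytes(b"{}")
        manifest = build_manifest(root)

        # Simulate the backup copy being disturbed after the manifest was taken:
        # one file overwritten, one removed, one new file appearing.
        (root / "records.db").write_bytes(b"different contents")
        (root / "config.json").unlink()
        (root / "new_file.txt").write_bytes(b"was not in the manifest")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is only a useful reference if it is kept apart from the backup it describes (for example on the same offline or write-once media as the backup, or in a separately controlled store), since a copy sitting beside the data would be altered or encrypted along with it. Running the verification as part of a scheduled restore test turns the "store backups offline" recommendation into something that is checked rather than assumed.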