https://www.fortinet.com/blog/threat-research/ransomware-roundup-noescape
FortiGuard Labs Threat Research

RANSOMWARE ROUNDUP – NOESCAPE

By Shunichi Imano and Fred Gutierrez | November 14, 2023

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the NoEscape ransomware.

Affected platforms: Microsoft Windows, Linux, and ESXi
Impacted parties: Microsoft Windows, Linux, and ESXi users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High

NOESCAPE RANSOMWARE OVERVIEW

NoEscape is a financially motivated ransomware group that emerged in May 2023. The group runs a Ransomware-as-a-Service (RaaS) program: the developer builds and supplies the pre- and post-infection tooling that affiliates use to compromise victims, exfiltrate data, and deploy the encryptor (the ransomware itself). The group has victimized numerous organizations across multiple industries, including government, energy, hospitals, and physicians’ clinics. The NoEscape ransomware group is believed to be related to the now-defunct Avaddon ransomware group.
INFECTION VECTOR

Information on the infection vector used by the NoEscape ransomware threat actor is not currently available. However, it is not likely to differ significantly from that of other ransomware groups.

VICTIMOLOGY

According to data collected through Fortinet's FortiRecon service, the NoEscape ransomware group has targeted multiple industry verticals (Figure 1). Business services were the most impacted sector, followed by manufacturing and retail. Victims of the NoEscape ransomware also include government organizations, hospitals, and medical clinics. When victim organizations are ranked by country (Figure 2), the United States leads by a wide margin.

Figure 1: Top sectors targeted by the NoEscape ransomware (source: FortiRecon)

Figure 2: Top countries victimized by the NoEscape ransomware (source: FortiRecon)

As of November 3, 2023, the NoEscape ransomware group had last posted new victims on October 27th.

NOESCAPE RANSOMWARE EXECUTION

Once a network has been compromised and data has been exfiltrated, the NoEscape attacker deploys and runs a file encryptor. Before encrypting, the encryptor terminates the services and processes listed in Figures 3 and 4, a common ransomware step that releases the file locks held by database, backup, and office applications so that their files can be overwritten:

Figure 3: Services terminated by the NoEscape ransomware

Figure 4: Processes terminated by the NoEscape ransomware

The ransomware encrypts files on the compromised systems and appends a “.[random 10-character uppercase alphabetic string]” extension to the affected files. The ransomware avoids encrypting the following file extensions:

Figure 5: File extensions that the NoEscape ransomware avoids encrypting

The NoEscape ransomware also exempts the following directories from file encryption:

Figure 6: Directories that the NoEscape ransomware avoids encrypting

It then leaves a ransom note titled “HOW_TO_RECOVER_FILES.txt.” The ransom note instructs victims to visit a TOR site for further instructions. The actual ransom negotiation takes place on TOX.
The note also stresses that the NoEscape ransomware group is financially driven and not politically motivated.

Figure 7: Files encrypted by the NoEscape ransomware and its ransom note

Figure 8: NoEscape ransomware’s ransom note

The NoEscape ransomware has variants that affect Linux and VMware ESXi.

DATA LEAK SITE

The NoEscape ransomware group operates a TOR site where victims can contact the threat actor. Stolen information and a list of victims are also posted there. Victims are instructed to visit the TOR site shown below and enter the unique personal ID listed in the ransom note.

Figure 9: The NoEscape ransomware’s TOR site that victims are instructed to visit

Figure 10: The contact form on the NoEscape ransomware’s TOR site

As of November 3, the “NoEscape” blog listed 20 active NoEscape ransomware victims.

Figure 11: Active NoEscape ransomware victims listed on the TOR site

Figure 12: NoEscape ransomware victims whose "negotiations" have ended

If victims do not comply with the attacker's demands, another message urging action is added to the page assigned to each victim. Some of those messages are shown below:

Figure 13: One of the messages added to the victim’s unique page

Figure 14: Another message added to the victim’s unique page

FORTINET PROTECTIONS

Fortinet customers are already protected from this malware variant through our AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the NoEscape ransomware samples with the following AV signatures:

* W32/Avaddon.H!tr.ransom
* W32/Filecoder_Avaddon.E!tr.ransom
* W32/Filecoder_Avaddon.H!tr
* W32/Filecoder_Avaddon.H!tr.ransom
* Linux/Filecoder_NoEscape.A!tr
* Linux/Filecoder_NoEscape.B!tr

Note that the Windows samples are detected under Avaddon signature names, consistent with the Avaddon lineage noted in the overview above.

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.
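The execution section above names the host-side artifacts a responder can key on (the HOW_TO_RECOVER_FILES.txt ransom note and the appended ten-uppercase-letter extension), and the IOC section that follows lists SHA-256 hashes of the encryptor. The triage sweep below is an added example written for this page, not Fortinet's code or tooling: it walks a directory tree and reports ransom notes, files whose extension matches the described pattern, and any file whose SHA-256 is in the published IOC set. The directory layout it builds and the `svc.exe` stand-in binary are constructed for the demonstration (the stand-in's hash is added to the IOC set only so that the match path is exercised); the page does not list such a file.

```python
"""Triage sweep for NoEscape ransomware artifacts (added example, not Fortinet code)."""
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path

# SHA-256 file IOCs published in the roundup (Windows build, then Linux build).
NOESCAPE_SHA256 = {
    # Windows version of NoEscape ransomware
    "0073414c5a03b20f6f255f400291de67f2a7268c461f90ea6ff0355ca31af07a",
    "2020cae5115b6980d6423d59492b99e6aaa945a2230b7379c2f8ae3f54e1efd5",
    "4175dae9b268fe5b4f96055ea0376417b5ddc2518d3bd11e20f0f8255bb4621e",
    "4d7da1654f9047b6c6a9d32564a66684407ed587cbaffa54ec1185fd73293d3e",
    "5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d",
    "53f5c2f70374696ff12adcaaf1bbbe0e5dd1b1995d98f2e876b0671888b43128",
    "62205bf0a23e56524f2f1c44897f809457ad26bc70810008ec5486e17c7e64e2",
    "68bce3a400721d758560273ae024f61603b8a4986440a8ec9e28305d7e6d02b0",
    "68ff9855262b7a9c27e349c5e3bf68b2fc9f9ca32a9d2b844f2265dccd2bc0d8",
    "73c19eab8d2ae58db3968dd7de0e745db2d7709859305b113b748bb02494465e",
    "831a2409d45d0c7f15b7f31eddbbdfe7d58414499e81b3da7d9fdee28fafe646",
    "8dd64ea7f226d3eb1e857b0086c0668542652cb37f8142dc000272dbd9569e31",
    "91c515d55fae6d21b106c8c55067ce53d42bef256bd5a385cadd104cf68f64ff",
    "9d346518330eeefbf288aeca7b2b6243bc158415c7fee3f2c19694f0e5f7d51c",
    # Linux version of NoEscape ransomware
    "10d2b5f7d8966d5baeb06971dd154dc378496f4e5faf6d33e4861cd7a26c91d7",
    "21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da",
    "46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561",
    "c34c5dd4a58048d7fd164e500c014d16befa956c0bce7cae559081d57f63a243",
}

RANSOM_NOTE_NAME = "HOW_TO_RECOVER_FILES.txt"
# The roundup describes the appended extension as ten random uppercase letters.
ENCRYPTED_EXT = re.compile(r"^\.[A-Z]{10}$")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=NOESCAPE_SHA256, hash_files=True):
    """Walk `root` and return {'notes': [...], 'encrypted': [...], 'ioc_hits': [(path, sha256)]}."""
    findings = {"notes": [], "encrypted": [], "ioc_hits": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                findings["notes"].append(str(p))
            # Path.suffix is the last dotted component, e.g. ".ABCDEFGHIJ" for "q3.xlsx.ABCDEFGHIJ".
            if ENCRYPTED_EXT.match(p.suffix):
                findings["encrypted"].append(str(p))
            if hash_files and p.is_file() and not p.is_symlink():
                digest = sha256_file(p)
                if digest in iocs:
                    findings["ioc_hits"].append((str(p), digest))
    return findings


def affected_directories(findings):
    """Directories holding a ransom note or encrypted file, for scoping the blast radius."""
    return sorted({str(Path(p).parent) for p in findings["notes"] + findings["encrypted"]})


# Constructed stand-in for a dropped encryptor; NOT a real sample and not on the IOC list.
SAMPLE_BINARY = b"constructed stand-in for a dropped encryptor, not a real sample\n"


def build_sample_tree(root):
    """Constructed directory layout for the demonstration (hypothetical file names)."""
    root = Path(root)
    (root / "finance").mkdir()
    (root / "finance" / "q3.xlsx.QWERTYUIOP").write_bytes(b"\x00" * 32)  # matches the pattern
    (root / "finance" / RANSOM_NOTE_NAME).write_text("Your files are encrypted...")
    (root / "finance" / "README.txt").write_text("untouched")
    (root / "tools").mkdir()
    (root / "tools" / "svc.exe").write_bytes(SAMPLE_BINARY)
    (root / "tools" / "notes.TXT").write_text("three uppercase letters, not a match")


def demo():
    """Build the sample tree, sweep it, and return findings with paths relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # Add the stand-in's hash only to exercise the IOC-match path of the sweep.
        iocs = NOESCAPE_SHA256 | {hashlib.sha256(SAMPLE_BINARY).hexdigest()}
        findings = sweep(tmp, iocs=iocs)
        findings["affected_dirs"] = [os.path.relpath(d, tmp) for d in affected_directories(findings)]
        for key in ("notes", "encrypted"):
            findings[key] = [os.path.relpath(p, tmp) for p in findings[key]]
        findings["ioc_hits"] = [(os.path.relpath(p, tmp), d) for p, d in findings["ioc_hits"]]
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real host, call `sweep()` on a mounted disk image or file share rather than on a machine that may still be encrypting. Hashing every file on a large share is slow; pass `hash_files=False` for the first pass and hash only executables afterwards. The extension pattern on its own is weak evidence (any ten-uppercase-letter suffix matches), so treat it as corroboration for a ransom note in the same directory, not as a verdict.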
IOCS

FILE IOCS

SHA-256 hashes of the Windows version of NoEscape ransomware:

* 0073414c5a03b20f6f255f400291de67f2a7268c461f90ea6ff0355ca31af07a
* 2020cae5115b6980d6423d59492b99e6aaa945a2230b7379c2f8ae3f54e1efd5
* 4175dae9b268fe5b4f96055ea0376417b5ddc2518d3bd11e20f0f8255bb4621e
* 4d7da1654f9047b6c6a9d32564a66684407ed587cbaffa54ec1185fd73293d3e
* 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d
* 53f5c2f70374696ff12adcaaf1bbbe0e5dd1b1995d98f2e876b0671888b43128
* 62205bf0a23e56524f2f1c44897f809457ad26bc70810008ec5486e17c7e64e2
* 68bce3a400721d758560273ae024f61603b8a4986440a8ec9e28305d7e6d02b0
* 68ff9855262b7a9c27e349c5e3bf68b2fc9f9ca32a9d2b844f2265dccd2bc0d8
* 73c19eab8d2ae58db3968dd7de0e745db2d7709859305b113b748bb02494465e
* 831a2409d45d0c7f15b7f31eddbbdfe7d58414499e81b3da7d9fdee28fafe646
* 8dd64ea7f226d3eb1e857b0086c0668542652cb37f8142dc000272dbd9569e31
* 91c515d55fae6d21b106c8c55067ce53d42bef256bd5a385cadd104cf68f64ff
* 9d346518330eeefbf288aeca7b2b6243bc158415c7fee3f2c19694f0e5f7d51c

SHA-256 hashes of the Linux version of NoEscape ransomware:

* 10d2b5f7d8966d5baeb06971dd154dc378496f4e5faf6d33e4861cd7a26c91d7
* 21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da
* 46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561
* c34c5dd4a58048d7fd164e500c014d16befa956c0bce7cae559081d57f63a243

FORTIGUARD LABS GUIDANCE

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks, and it can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

BEST PRACTICES INCLUDE NOT PAYING A RANSOM

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom, partly because payment does not guarantee that files will be recovered. According to a US Department of the Treasury Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities, and a payment may itself be illegal under sanctions regulations.
For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via its Internet Crime Complaint Center (IC3).

HOW FORTINET CAN HELP

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises). Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning, to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.

Tags: Ransomware Roundup, ransomware-as-a-service