The Indian Computer Emergency Response Team (CERT-In) has issued an alert for NoEscape ransomware, which is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. The Avaddon ransomware gang used phishing campaigns to target corporate victims.
NoEscape and Avaddon’s ransomware encryptors are almost identical, with only one notable change in their encryption algorithm, CERT-In said in a post.
The Avaddon encryptor used AES for file encryption, while NoEscape has switched to the Salsa20 algorithm.
The NoEscape ransomware is similarly targeting enterprises in double extortion attacks. As part of the attacks, the threat actors steal data and encrypt files on Windows, Linux, and VMware ESXi servers.
Cybercriminals then threaten to release the stolen data if a ransom is not paid, with reported demands ranging from hundreds of thousands of dollars to over $10 million.
Upon infection, the NoEscape ransomware runs a number of commands to delete Windows Shadow Volume copies and local Windows backup catalogs, and to turn off Windows automatic repair.
The encryptor then begins terminating processes associated with security software, backup applications, and web and database servers.
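The pre-encryption steps described above (deleting shadow copies and backup catalogs, disabling automatic repair, stopping services) are the point at which a defender still has a chance to intervene, because they show up in process-creation telemetry before any file is encrypted. The following is an added detection example written for this article, not code from CERT-In or from the ransomware analysis; the log lines are constructed, and the specific command lines it matches (`vssadmin delete shadows`, `wmic shadowcopy delete`, `wbadmin delete catalog`, `bcdedit ... recoveryenabled no`, `net stop` / `taskkill`) are an assumption about typical tooling, since the alert does not name the exact commands NoEscape runs. It classifies each event, then correlates by host and parent process so that one process issuing commands from several of these categories is raised as high severity while an isolated hit (an administrator stopping a service by hand) stays at medium.

```python
"""Added example: flag backup-inhibition commands in process-creation logs.

Input is a constructed CSV of process-creation events (timestamp, host,
parent image, command line), loosely modelled on Sysmon Event ID 1.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample telemetry (not real data). Rows 2-5 model the sequence
# described above being run by one dropped binary; rows 6-7 are benign noise.
SAMPLE_LOG = """\
2023-10-13T09:01:02Z,ws01,C:\\Windows\\explorer.exe,"notepad.exe C:\\Users\\a\\notes.txt"
2023-10-13T09:01:05Z,ws01,C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe,"vssadmin.exe delete shadows /all /quiet"
2023-10-13T09:01:06Z,ws01,C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe,"wbadmin delete catalog -quiet"
2023-10-13T09:01:07Z,ws01,C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe,"bcdedit /set {default} recoveryenabled No"
2023-10-13T09:01:08Z,ws01,C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe,"net stop MSSQLSERVER"
2023-10-13T09:30:00Z,fs02,C:\\Program Files\\BackupAgent\\agent.exe,"vssadmin list shadows"
2023-10-13T10:00:00Z,fs02,C:\\Windows\\System32\\cmd.exe,"net stop Spooler"
"""

# Detection rules: (category, pattern over the full command line).
# Assumed typical command lines; the CERT-In alert does not list them.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("service_termination", re.compile(r"\b(?:net(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+.*/im)\b", re.I)),
]


def parse_log(text):
    """Parse the CSV text into a list of event dicts."""
    fields = ("ts", "host", "parent", "cmd")
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text)) if row]


def classify(cmd):
    """Return the sorted list of rule categories a command line matches."""
    return sorted({cat for cat, rx in RULES if rx.search(cmd)})


def detect(events):
    """Attach matched categories to every event that triggers a rule."""
    hits = []
    for ev in events:
        cats = classify(ev["cmd"])
        if cats:
            hits.append({**ev, "categories": cats})
    return hits


def correlate(hits, min_categories=2):
    """Group hits by (host, parent image) and assign a severity.

    A single parent process issuing commands from `min_categories` or more
    distinct categories is the pattern described above and is rated high;
    anything else is rated medium for analyst review.
    """
    by_parent = defaultdict(set)
    for h in hits:
        by_parent[(h["host"], h["parent"])].update(h["categories"])
    return {
        key: ("high" if len(cats) >= min_categories else "medium", sorted(cats))
        for key, cats in by_parent.items()
    }


if __name__ == "__main__":
    verdicts = correlate(detect(parse_log(SAMPLE_LOG)))
    for (host, parent), (severity, cats) in sorted(verdicts.items()):
        print(f"{severity:6} {host} {parent}: {', '.join(cats)}")
```

In a real deployment the rules would be fed by an EDR or Sysmon pipeline rather than a string, and the `recovery_disabled` and `shadow_copy_deletion` categories are worth alerting on even in isolation; the correlation step exists mainly to keep `service_termination`, which administrators trigger legitimately, from paging anyone on its own.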
The ransomware also changes the Windows wallpaper to an image telling victims they can find instructions in the ransom note named “How to recover files.txt”. The note contains a “personal ID” required to log in to the threat actor’s Tor payment site and access the victim’s unique negotiation page. The threat actors demand that the ransom be paid in bitcoin.
This page includes the ransom amount in bitcoins, a test decryption feature, and a chat panel to negotiate with the threat actors.
After breaching a corporate network, the NoEscape operators can also move laterally to other devices and deploy the ransomware throughout the network.
CERT-In has advised users to maintain offline backups of data, encrypt backups, and implement multi-factor authentication for all services, among other measures, to avoid falling victim to the ransomware.