Fraud Management & Cybercrime
,
Healthcare
,
Industry Specific
New Ransomware Group Appears to Be an Offshoot of Defunct Avaddon Gang
Federal authorities are warning the healthcare and public health sector of threats involving NoEscape, a relatively new multi-extortion ransomware-as-a-service group believed to be a successor to the defunct Russian-speaking Avaddon gang.
See Also: Challenges and Solutions in MSSP-Driven Governance, Risk, and Compliance for Growing Organizations
Since emerging in May 2023, NoEscape is a “formidable adversary” has been targeting a variety of industries with “aggressive” multi-extortion attacks, warned the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center on Thursday.
While the group’s primary focus so far appears to be on professional services, manufacturing and information services organizations – it has also launched attacks on private healthcare and public health organizations.
Threat monitoring firm Darkfeed has counted a total of 77 NoEscape attack victims as of Friday.
NoEscape extortion demands have ranged between hundreds of thousands of dollars to over $10 million, HHS HC3 said.
“NoEscape may be new to the cyber threat landscape, but in its short existence, it has proven to be a formidable adversary,” HHS HC3 writes. “The value of healthcare and public health data, in particular, signals that the healthcare industry will remain a viable target.”
Attacks by the group have included three-pronged extortion involving data exfiltration and encryption combined with distributed denial of service attacks in an attempt to disrupt victims’ operations and pressuring the organization to pay up, HHS HC3 said.
The NoEscape operators offers the DDoS service to affiliates for an extra $500,000 fee, with conditions that forbid striking entities located in Commonwealth of Independent States, or ex-Soviet Union republics, HHS HC3 said.
The group also lists victims on its dark web blog and threatens to leak stolen data unless it receives a ransom (see: Tattletale Ransomware Gangs Threaten to Reveal GDPR Breaches).
Growing Threats
NoEscape is among several recently emerging ransomware gangs – or offshoot groups – targeting healthcare sector entities and other industries.
Other such groups include Akira, a RaaS threat actor that surfaced about six months ago and has been linked to several dozen attacks on predominately small and midsized organizations across many industries. HHS HC3 also recently issued a warning about Akira (see: Feds Warn Healthcare Sector of Akira Ransomware Threats).
“The ransomware problem is as bad as it ever has been, if not worse,” said threat analyst Brett Callow of security firm Emsisoft.
“We really need new counter-ransomware strategies as the current ones are very clearly not working,” he said.
Callow said governments need to bolster reporting and disclosure requirements so policymakers can get a better handle on what’s working. The government also should consider restricting the circumstances in which ransom demands can be paid, he said.
“That last point is contentious, but at this point it’s something governments need to be seriously thinking about,” he said.
No Escape Traits
The developers of NoEscape ransomware are unknown but they claim to have created their malware and associated infrastructure “entirely from scratch,” HHS HC3 said.
But security researchers have noted that the ransomware encryptors of NoEscape and Avaddon’s are nearly identical, with only one notable change in encryption algorithms, HHS HC3 wrote.
“Previously, the Avaddon encryptor utilized AES for file encryption, with NoEscape switching to the Salsa20 algorithm. Otherwise, the encryptors are virtually identical, with the encryption logic and file formats almost identical, including a unique way of ‘chunking of the RSA-encrypted blobs.’”
While researchers have observed evidence suggesting that NoEscape is related to Avaddon, unlike Avaddon, it has yet to be determined if there is a free NoEscapte decryptor that organizations can utilize to recover the encrypted files, HHS HC3 said.
“Until then, unless certain detection and prevention method are put in place, a successful exploitation by NoEscape ransomware will almost certainly result in the encryption and exfiltration of significant quantities of data.”
Prevention and mitigation steps that can help protect entities against NoEscape ransomware attacks include maintaining regular backups of critical data and preferably storing the backups offline; keeping software and patches up to date; using multifactor authentication; implementing firewalls and monitoring incoming and outgoing network traffic; and having a well-defined incident response plan in place, HHS HC3 recommended.