NoEscape is a newly emerged ransomware operation, believed to be a rebrand of Avaddon, which shut down in 2021 and released its decryption keys. NoEscape began operating in June 2023, targeting enterprises with double-extortion attacks. The gang steals data and then encrypts files on Windows, Linux, and VMware ESXi servers.
They threaten to publicly release stolen data unless a ransom is paid, with demands ranging from hundreds of thousands to over $10 million. Unlike some other ransomware gangs, NoEscape refrains from targeting CIS countries and offers free decryptors to victims from these regions.
NoEscape appears to share significant similarities with Avaddon’s ransomware encryptors, indicating a possible connection between the two operations. There are only slight differences in their encryption algorithms. The ransomware terminates processes and Windows services associated with security software, backup applications, and more, to ensure files are not locked during encryption.
It uses the Salsa20 algorithm for encryption and appends a unique 10-character extension to encrypted files. NoEscape also replaces the victim's Windows wallpaper with a message pointing to the instructions in the ransom notes, which are named HOW_TO_RECOVER_FILES.txt and contain links to the NoEscape Tor payment site.
The ransomware operation aims to extort enterprises by stealing data before encrypting files and threatening to disclose it if a ransom is not paid. While the ransomware is being analyzed for weaknesses, it’s recommended not to pay the ransom until a free decryptor is verified to recover files effectively.
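For responders, the file artifacts described above (the HOW_TO_RECOVER_FILES.txt note and the shared 10-character extension) can be used to triage a file listing for affected directories. The following is an added example, not code from the original article; the alphanumeric extension pattern, the `min_files` threshold, and the sample paths and extension value are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath, PureWindowsPath

NOTE_NAME = "how_to_recover_files.txt"  # note name from the text, lower-cased
# Assumption: the 10-character extension is alphanumeric; the text gives only its length.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{10})$")

def triage(paths, min_files=3):
    """Return {directory: extension} for directories that hold the ransom note
    AND at least min_files files sharing one 10-character extension."""
    notes, exts = set(), defaultdict(Counter)
    for raw in paths:
        # Listings may come from Windows, Linux or ESXi hosts.
        p = PureWindowsPath(raw) if "\\" in raw else PurePosixPath(raw)
        parent = str(p.parent)
        if p.name.lower() == NOTE_NAME:
            notes.add(parent)
            continue
        m = EXT_RE.search(p.name)
        if m:
            exts[parent][m.group(1)] += 1
    hits = {}
    for d in notes:
        counts = exts.get(d)
        if counts:
            ext, n = counts.most_common(1)[0]
            if n >= min_files:  # requiring both signals cuts false positives
                hits[d] = ext
    return hits

# Constructed sample listing; "KDJEHFBGCA" is a made-up extension value.
SAMPLE = [
    r"D:\Finance\HOW_TO_RECOVER_FILES.txt",
    r"D:\Finance\q1.xlsx.KDJEHFBGCA",
    r"D:\Finance\q2.xlsx.KDJEHFBGCA",
    r"D:\Finance\payroll.db.KDJEHFBGCA",
    "/vmfs/volumes/ds1/vm01/HOW_TO_RECOVER_FILES.txt",
    "/vmfs/volumes/ds1/vm01/vm01.vmdk.KDJEHFBGCA",
    "/vmfs/volumes/ds1/vm01/vm01.vmx.KDJEHFBGCA",
    "/vmfs/volumes/ds1/vm01/vm01.nvram.KDJEHFBGCA",
    "/srv/docs/draft.publishing",          # benign 10-char extension, no note
    "/srv/docs/notes.publishing",
    "/srv/docs/final.publishing",
    "/home/al/HOW_TO_RECOVER_FILES.txt",   # note present, nothing renamed
    "/home/al/todo.md",
]

if __name__ == "__main__":
    for directory, ext in sorted(triage(SAMPLE).items()):
        print(f"{directory}: note present, files renamed to .{ext}")
```

A hit indicates where to begin scoping; a directory with only one of the two signals is left out here and may still warrant a manual look.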