NoEscape Ransomware Emerges, Targeting Healthcare

A suspected successor of Avaddon ransomware, NoEscape ransomware uses multi-extortion tactics to target multiple industries, including healthcare, HC3 warned.

By Jill McKeon

The Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note regarding NoEscape ransomware, a new threat to healthcare and other industries. Although just two healthcare victims have been claimed by the group so far, NoEscape’s willingness to target healthcare is worrisome for the sector.

NoEscape only emerged in May 2023 but has already made a name for itself by using aggressive tactics to extort victims. NoEscape is believed to be a successor of Avaddon, a ransomware group that was shut down in 2021.

“Unlike many of its contemporaries, however, the unknown developers of this ransomware claim that in lieu of using source code or leaks from other established ransomware families, they have constructed their malware and its associated infrastructure entirely from scratch,” HC3 noted.

The Ransomware-as-a-Service (RaaS) group has been observed encrypting files on a victim’s computer and demanding ransoms, as well as providing services to fellow cybercriminals.

HC3 provided technical details that healthcare defenders can use to understand the group’s tactics and techniques. For example, HC3 noted that the group’s malware can only execute on a Windows NT 10.0 operating system, but it is capable of encrypting data on Windows and Linux machines, along with VMware ESXi.

Nearly a quarter of NoEscape’s observed attacks have targeted US-based organizations, and the group has been known to demand ransoms ranging from hundreds of thousands of dollars to more than $10 million.

“Since NoEscape operates as a RaaS, its targets vary depending on the affiliate and the buyer. Its creators, like many ransomware gangs, do not target Commonwealth of Independent States (CIS), or ex-Soviet Union republics, while disproportionately targeting the United States and several European countries as its preferred victims,” the analyst note continued.

“The service allows operators and affiliates to take advantage of multi-extortion tactics, including triple extortion methods to maximize the impact of a successful attack,” HC3 continued.

HC3 recommended that defenders continue to prioritize ransomware mitigations, such as regular software updates, backups, and strong passwords. As always, employee education and training remain crucial to reducing risk.

“The probability of cyber threat actors targeting any industry remains high, but especially so for the Healthcare and Public Health sector,” HC3 warned. “Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”