A new threat actor has emerged on the underground forums. The Cyble Research & Intelligence Labs (CRIL) uncovered NoEscape Ransomware-as-a-Service (RaaS). This program surfaced on a cybercrime forum in late May 2023 and actively sought affiliates to join it.
What sets NoEscape apart, according to its operators, is the claim that the ransomware is C++ code developed entirely in-house, without reusing third-party components or leaked source code.
If that claim holds, the code shares no lineage with previously leaked or resold ransomware builders, so signatures and decryptors derived from those families would not carry over; it also leaves the operators and affiliates in full control of the codebase.
Notably, NoEscape Ransomware-as-a-Service (RaaS) uses a triple-extortion technique to maximize its leverage over victims.
What’s unique about NoEscape Ransomware-as-a-Service (RaaS)?
CRIL analyzed the workings of the ‘NoEscape’ Ransomware-as-a-Service (RaaS) program, a closed affiliate platform whose operators advertise an in-house ransomware variant for extortion campaigns.
From that analysis, the researchers made the following observations:
Encryption algorithms
The ransomware used in the NoEscape Ransomware-as-a-Service (RaaS) employs a combination of ChaCha20 and RSA encryption algorithms.
This hybrid approach, common among mature ransomware families, uses the fast stream cipher for bulk file data and the asymmetric key to protect the symmetric keys.
The ransomware encrypts each ChaCha20 file key with a global ChaCha20 key, which is in turn encrypted with the operators' RSA-2048 public key; without the matching private key, neither the global key nor any file key can be recovered from the victim's machine.
Windows Safe Mode compatibility
The NoEscape payload supports Windows Safe Mode: it reboots the compromised system into Safe Mode, where most third-party endpoint security products do not start, and runs its encryption there.
With fewer defensive hooks active, encryption completes with less interference, which is why the report rates this as a high-efficacy, high-impact technique.
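As an added example (not CRIL's code and nothing from the NoEscape payload), here is the check a SOC would run for this technique. The report says the ransomware reboots into Safe Mode but not how it flips the boot mode, so the detection below assumes the standard mechanism (ATT&CK T1562.009: set the safeboot BCD value with bcdedit, register a service under the SafeBoot registry key so it still starts there, then force a reboot) and correlates those commands per host. The log lines are constructed, and the field names and the Key=Value|Key=Value layout are assumptions about a Sysmon-style process-creation feed.

```python
# Added example (not CRIL's, not the NoEscape payload): the report says NoEscape
# reboots into Safe Mode to get past endpoint products but not how it flips the
# boot mode, so this looks for the standard mechanism (ATT&CK T1562.009): a
# 'safeboot' BCD value set with bcdedit, a service registered under the SafeBoot
# registry key so it still starts there, and a forced reboot shortly after.
# Log lines are constructed in a Sysmon Event ID 1 style; the field names and the
# 'Key=Value|Key=Value' layout are assumptions about the log pipeline.
import re
from datetime import datetime

PATTERNS = {
    "bcdedit_safeboot": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "safeboot_service_key": re.compile(
        r"\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\", re.I),
    "forced_reboot": re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I),
}
STAGING = {"bcdedit_safeboot", "safeboot_service_key"}

def parse_event(line):
    """'Key=Value|Key=Value' -> dict (constructed layout)."""
    ev = dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)
    ev["ts"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return ev

def tag_event(ev):
    cmd = ev.get("CommandLine", "")
    return [name for name, rx in PATTERNS.items() if rx.search(cmd)]

def safe_mode_staging(lines, window_s=600):
    """Return {Computer: {"user", "tags", "commands"}} for hosts where a Safe Mode
    staging command is followed by a forced reboot within window_s seconds.
    A lone 'shutdown /r' or a 'bcdedit /enum' is not enough on its own."""
    by_host = {}
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["ts"]):
        tags = tag_event(ev)
        if tags:
            by_host.setdefault(ev["Computer"], []).append((ev, tags))
    alerts = {}
    for host, events in by_host.items():
        staged = [e for e, t in events if STAGING & set(t)]
        for ev, tags in events:
            if "forced_reboot" in tags and any(
                    0 <= (ev["ts"] - s["ts"]).total_seconds() <= window_s for s in staged):
                alerts[host] = {
                    "user": ev.get("User"),
                    "tags": sorted({t for _, ts in events for t in ts}),
                    "commands": [e["CommandLine"] for e, _ in events]}
                break
    return alerts

SAMPLE_EVENTS = [  # constructed, not real telemetry
    "UtcTime=2023-06-01 10:00:01|Computer=FS01|User=CORP\\svc_backup"
    "|Image=C:\\Windows\\System32\\bcdedit.exe"
    "|CommandLine=bcdedit /set {default} safeboot network",
    "UtcTime=2023-06-01 10:00:02|Computer=FS01|User=CORP\\svc_backup"
    "|Image=C:\\Windows\\System32\\reg.exe"
    "|CommandLine=reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\updsvc"
    " /ve /t REG_SZ /d Service /f",
    "UtcTime=2023-06-01 10:00:05|Computer=FS01|User=CORP\\svc_backup"
    "|Image=C:\\Windows\\System32\\shutdown.exe|CommandLine=shutdown /r /f /t 0",
    "UtcTime=2023-06-01 10:30:00|Computer=WS07|User=CORP\\jdoe"
    "|Image=C:\\Windows\\System32\\shutdown.exe|CommandLine=shutdown /r /t 60",
    "UtcTime=2023-06-01 11:00:00|Computer=WS09|User=CORP\\admin"
    "|Image=C:\\Windows\\System32\\bcdedit.exe|CommandLine=bcdedit /enum",
]
```

Only FS01 is flagged: WS07's plain reboot and WS09's read-only bcdedit call never meet the staging-plus-reboot condition. Tune window_s to how long your environment tolerates between a BCD change and the reboot, and add the registry-modification event (Sysmon Event ID 13) as a second source for the SafeBoot key if your feed has it.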
Lateral movement and evasion techniques
NoEscape Ransomware-as-a-Service (RaaS) uses asynchronous LAN scanning to find hosts exposing Distributed File System (DFS) and Server Message Block (SMB) shares.
Reaching those shares lets the payload encrypt data beyond the initial host; the report characterizes the capability as supporting lateral movement, persistence, and evasion, making the activity harder for security solutions to detect and contain.
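From the network side, a scan like the one described above looks like a single source opening TCP/445 to many distinct peers faster than any user or backup job would; DFS referrals ride on SMB, so port 445 covers both. The following is an added example of that fan-out check over flow records (not CRIL's code and not from the NoEscape payload). The records are constructed, and the (timestamp, source, destination, port) layout is an assumption about whatever flow or firewall export is in use.

```python
# Added example (not CRIL's, not the NoEscape payload): the report says NoEscape
# scans the LAN asynchronously for SMB and DFS shares. From the network side that
# is one source opening TCP/445 to many distinct peers faster than any user or
# backup job would; DFS referrals ride on SMB, so port 445 covers both. The flow
# records below are constructed, and the (ts, src, dst, dport) layout is an
# assumption about the flow or firewall export in use.
from collections import defaultdict, deque

SMB_PORT = 445

def smb_fanout(records, threshold=20, window_s=60):
    """records: iterable of (ts_seconds, src, dst, dport), any order.
    Returns {src: (window_start_ts, distinct_dst_count)} for each source whose
    distinct port-445 destinations inside some sliding window_s reach threshold."""
    alerts, recent = {}, defaultdict(deque)  # src -> deque of (ts, dst)
    for ts, src, dst, dport in sorted(records):
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window_s:  # drop connections older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold and src not in alerts:
            alerts[src] = (q[0][0], distinct)
    return alerts

def sample_records():
    """Constructed traffic: a sweep of 10.0.5.0/24 from one host, a workstation
    talking to its two file servers, a backup server that touches many hosts but
    slowly, and unrelated HTTPS flows that the check must ignore."""
    recs = [(i * 0.1, "10.0.5.13", f"10.0.5.{h}", SMB_PORT)
            for i, h in enumerate(range(1, 61))]
    recs += [(t * 30.0, "10.0.5.50", "10.0.5.2" if t % 2 == 0 else "10.0.5.3", SMB_PORT)
             for t in range(60)]
    recs += [(t * 150.0, "10.0.5.9", f"10.0.5.{100 + t}", SMB_PORT) for t in range(25)]
    recs += [(t * 1.0, "10.0.5.50", "203.0.113.10", 443) for t in range(200)]
    return recs
```

Only the sweeping host trips the default threshold; the backup server reaches the same number of distinct peers but spread over an hour, so it only appears if the window is widened to match. Pair this with an allow-list for known scanners and backup infrastructure rather than raising the threshold, since a real sweep of a /24 completes in seconds.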
Shared encryption
The ransomware also supports shared encryption: a single key encrypts every file on a system or network instead of a unique key per file.
This speeds up encryption of large datasets, but it also means one recovered key unlocks everything, so a victim who obtains that key can decrypt all affected data with a single decryptor. This sits in tension with the per-file key scheme described under Encryption algorithms; it is not stated whether shared encryption is a build-time option or the default.
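The key hierarchy from the Encryption algorithms section and the shared-key mode from this section, as an added illustration in Python (not the NoEscape code and not from CRIL). It implements ChaCha20 per RFC 8439 so it can be checked against the RFC's own test vector; the RSA layer is textbook RSA with a demo-sized key and no padding, which is enough to show why nothing can be unwrapped without the operators' private key but is not how production key wrapping (RSA-OAEP) should be done. All function and field names are mine.

```python
# Added illustration (not NoEscape's code, not CRIL's) of the three-layer key
# hierarchy described above, with the report's "shared encryption" as a flag.
# ChaCha20 follows RFC 8439; the RSA layer is textbook RSA without padding,
# acceptable for a demo but NOT for real key wrapping (real code uses RSA-OAEP).
import os
import random
import struct

M32 = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & M32

def _qr(s, a, b, c, d):  # ChaCha quarter round, RFC 8439 section 2.1
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):  # one 64-byte keystream block (section 2.3)
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 column+diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & M32 for i in range(16)])

def chacha20_xor(key, nonce, data, counter=1):  # encrypt == decrypt; 32-byte key, 12-byte nonce
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)

def _probable_prime(n, rounds=20):  # Miller-Rabin, demo-grade
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=1024):  # returns ((n, e), (n, d)); demo size, the report says RSA-2048
    def prime():
        while True:
            c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_wrap(pub, key):  # textbook RSA on a 32-byte key: demo only, no OAEP
    return pow(int.from_bytes(key, "big"), pub[1], pub[0])

def rsa_unwrap(priv, c):
    m = pow(c, priv[1], priv[0])
    if m.bit_length() > 256:
        raise ValueError("unwrapped value is not a 32-byte key: wrong private key?")
    return m.to_bytes(32, "big")

def encrypt_files(files, rsa_pub, shared_key=False):
    """files: {name: bytes}. shared_key=True reuses one ChaCha20 key for every
    file (the report's "shared encryption"); False gives each file its own key."""
    global_key, one_key = os.urandom(32), os.urandom(32)
    package = {"wrapped_global": rsa_wrap(rsa_pub, global_key), "files": {}}
    for name, data in files.items():
        fkey = one_key if shared_key else os.urandom(32)
        fn, kn = os.urandom(12), os.urandom(12)  # fresh nonces: never reuse with a stream cipher
        package["files"][name] = {
            "nonce": fn, "ct": chacha20_xor(fkey, fn, data),
            "key_nonce": kn, "wrapped_key": chacha20_xor(global_key, kn, fkey)}
    return package

def decrypt_files(package, rsa_priv):  # the operators' decryptor: needs the RSA private key
    global_key = rsa_unwrap(rsa_priv, package["wrapped_global"])
    out = {}
    for name, f in package["files"].items():
        fkey = chacha20_xor(global_key, f["key_nonce"], f["wrapped_key"])
        out[name] = chacha20_xor(fkey, f["nonce"], f["ct"])
    return out

def rfc8439_vector_ok():  # sanity check against the RFC 8439 section 2.4.2 test vector
    key, nonce = bytes(range(32)), bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, pt)[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981"
```

Run rfc8439_vector_ok() first; if it returns False the cipher is wrong and nothing downstream matters. With shared_key=True every file's wrapped_key unwraps to the same 32 bytes, which is exactly why one recovered key decrypts everything; with per-file keys, an attacker who leaks a single file key exposes only that file, but a defender who recovers the global key still gets all of them. In both modes the victim's machine holds only the RSA public key, so there is nothing on disk to recover the global key from.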
The anonymity of Bitcoin transactions
The NoEscape Ransomware-as-a-Service (RaaS) includes an integrated service meant to keep Bitcoin transactions anonymous; the specific method used to frustrate tracing remains undisclosed.
Compatibility and configurability
The ransomware employed by the NoEscape Ransomware-as-a-Service (RaaS) hackers is compatible with a wide range of systems, including Windows Desktop XP – 11, Windows Server 2003 – 2022, Linux distributions (such as Ubuntu and Debian-based), and VMware ESXi.
It also offers configurable mode settings named Ignore, Fast, Strong, and Balanced, allowing operators to customize the encryption process; the mode names are listed, but what each one changes is not.
Extensive features for operations
The NoEscape ransomware provides a comprehensive set of features to its affiliates. The administrator’s panel, hosted on Tor, offers automated functionalities.
A fully automated Leak website is also available on Tor. Affiliates can create private chats for secret communication with recovery companies, generate builds with different settings and one key, build their chat support, and access 24/7 support for queries.
The ransomware also includes prompt messages to coerce victims into responding.
Triple-extortion technique
Once NoEscape ransomware infiltrates a network, it spreads laterally, encrypting data and demanding a ransom for its release.
If the ransom is not paid, the operators threaten to sell the stolen data or publish it on public blogs and online forums. Together with the encryption itself and the DDoS/spam service described below, this makes up the triple-extortion technique and adds pressure on victims to comply with the attackers' demands.
Additional extortion services
Notably, the NoEscape Ransomware-as-a-Service (RaaS) operators offer an additional service for DDoS/Spam attacks at a price of USD 500,000. This service provides cybercriminals with another method to threaten and coerce targeted companies into paying the demanded ransom.
Origin and affiliates
The exact origin of NoEscape Ransomware-as-a-Service (RaaS) remains undisclosed. However, certain conditions enforced by the operators prohibit affiliates from targeting entities in the Commonwealth of Independent States (CIS) countries, hinting at a possible connection to Russia or the CIS.
Profit-sharing model
The profit-sharing model of NoEscape Ransomware-as-a-Service (RaaS) incentivizes affiliates based on the payout achieved through their malicious activities.
Affiliates receive 80% of the payout when it is below USD 1 million, 85% when it is between USD 1 million and USD 3 million, and 90% when it exceeds USD 3 million.
The NoEscape Ransomware-as-a-Service (RaaS) represents a dangerous evolution in cybercrime.
Its robust technical capabilities, triple-extortion methodology, and attractive profit-sharing model make it appealing to cybercriminals seeking to maximize their illicit gains.
The emergence of such sophisticated RaaS programs underscores the need for enhanced cybersecurity measures to protect organizations and individuals from falling victim to these malicious activities.