NEWSFLASH: NoEscape Unleashes Havoc in Healthcare

Overview

A formidable new Ransomware-as-a-Service (RaaS) group, known as NoEscape, has emerged as a rebrand of the Russian threat actor Avaddon. NoEscape, identified by the US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HHS HC3), exhibits unique features and employs aggressive multi-extortion tactics. The group has been observed targeting organizations in professional services, manufacturing, and information industries, with a particularly worrisome focus on the healthcare and public health sector. NoEscape gains access to networks through various means, such as phishing emails or compromised servers. Initial signs of compromise may include unusual network activity, unauthorized access attempts, or suspicious files.

Impact

Upon infiltrating a network, NoEscape leaves a note on the victim's computer, establishing a communication channel with instructions for engaging with the ransomware developers. Victims are required to pay a ransom in cryptocurrency, with amounts varying based on the severity of the attack. Preferred victims are organizations in the US and Europe. NoEscape employs multi-extortion tactics, offering an option that combines data exfiltration and encryption with DDoS attacks for an additional fee. This approach maximizes the impact of successful attacks. HHS HC3 has drawn parallels between NoEscape and the now defunct Avaddon gangs, highlighting encryption similarities, configuration overlaps, tactical resemblances, and geographical exemptions.

Tactics and Techniques

From MITRE ATT&CK®, an open knowledge base of adversary tactics and techniques, this section is intended to provide access to in-depth techniques and tactics NoEscape is thought to use on their adversaries.

Initial Access:

1. External Remote Services (T1133)
2. Valid Accounts (T1078)

Execution:

1. User Execution: (T1204.002)
2. Scheduled Task/Job (T1053.005)

Persistence:

1. Registry Run Keys/Startup Folder (T1547.001)
2. Valid Accounts (T1078)

Privilege Escalation:

1. Valid Accounts (T1078)

Defense Evasion:

1. Disable or Modify Tools (T1562.001)
2. Software Packing (T1027.002)
3. Process Injection (T1055)
4. Indicator Removal on Host (T1070.004)
5. Modify Registry (T1112)
6. Deobfuscate/Decode File or Information (T1140)
7. Virtualization/Sandbox Evasion (T1497.001)

Credential Access:

1. OS Credential Dumping (T1003)

Discovery:

1. Account Discovery (T1078)
2. Domain Trust Discovery (T1482)
3. Permissions Group Discovery (T1069)

Lateral Movement:

1. Remote Services (T1021)
2. Remote Desktop Protocol (T1021.001)

Collection:

1. Archive via Utility (T1560.001)

Command and Control

1. Web Protocols (T1071.001)
2. Exfiltration to Cloud Storage (T1567.002)

Recommendations/Mitigations

It's essential to evaluate the adequacy and effectiveness of an organization’s incident response plan using tried and tested tabletop exercises for preparation, to contain any potential incident with least business impact. Communication with stakeholders, including executives, employees, customers, and regulatory bodies, is crucial.

In addition to this, Access Point urges organizations to maintain offline backups of critical data, keep all software up to date, implement robust email security controls and provide phishing awareness training, utilize strong passwords and enable multi-factor authentication, establish a well-defined ransomware incident response plan, and deploy network security measures such as firewalls for monitoring and control.