Low-profile Threat Actor observed imitating NoEscape Ransomware

Key Takeaways

  • Cyble Research & Intelligence Labs (CRIL) discovered a BAT file interacting with an open directory.
  • Further investigation suggested that the batch file acts as a downloader for ransomware.
  • Our investigation indicates that the Threat Actor was actively testing the PowerShell-based ransomware, as evidenced by its evolution during our analysis.
  • This ransomware variant employs SMB shares for both data exfiltration and the distribution of ransom notes.
  • A differentiating factor between this ransomware variant and others is that it refrains from renaming files while masquerading as NoEscape Ransomware, which is evident from the ransom note dropped. This is further supported by the TA not including any communication channels or leak sites.
  • In addition to the ransom note demanding 30 Bitcoin, the TA also claims to have compromised an educational institution.
  • CRIL has already reported on an existing NoEscape ransomware variant in the past. This variant operates on a Ransomware-as-a-Service (RaaS) model and uses double extortion.


Cyble Research & Intelligence Labs (CRIL) discovered an archive containing a batch file on VirusTotal.

Figure 1 – File on VirusTotal

Upon further examination of this batch file, we noticed that the PowerShell script was evolving over a period of 2 days. This indicates that the TA was likely engaged in testing the ransomware.

To conduct this testing, the TA utilized SMB share to exfiltrate data and also deliver files to encrypt the victim’s system. SMB share is also used to deliver the ransom note to victim systems.

Figure 2 – Open Directory

The contents of the ransom note indicate a potential imitation of the NoEscape ransomware, which is evident from the ransom note that clearly states “NoEscape” on the top.

It is worth mentioning that the ransom demand specifies 30 Bitcoins, amounting to approximately USD 780,000, and claims to have compromised a university.

Here are our observations about the evolution of the ransomware:

  • Initially, this ransomware was exfiltrating and encrypting files with specific file extensions, and the encryption keys retrieved from a remote server were in plain text.
  • As the testing progressed, the TA introduced over 70 additional file extensions to the encryption process (as shown in Figure 3).
  • The encryption keys were encoded in Base64. The TA also added a feature to identify the victim’s public IP address as part of an enhancement.
Figure 3 – Added File Extensions

After encrypting the files, the ransom note is fetched from an SMB share and displayed using Notepad.exe. The figure below shows the process tree.

Figure 4 – Process Tree

Technical Analysis

The infection begins with a batch file, which has a double extension named “Readme.txt.bat”. The TA has employed such a naming tactic to deceive users into believing the file is innocuous, whereas, in reality, it is a malicious batch script.

This batch script connects to a remote SMB share using Windows’ net utility. This retrieves a PowerShell script file “combined.ps1” and executes it.

Figure 5 – Batch Script

The content of the PowerShell script has been encoded using reverse Base64 encoding. This technique is used to obfuscate the data’s true nature or evade detection, as shown in the figure below.

Figure 6 – Obfuscated PowerShell Script

This PowerShell script is composed of three main code blocks, each serving distinct functions.

Code Block 1: Data Exfiltration

In this code block, an array named $fileTypes is defined to list various file extensions. These extensions will be targeted by a script for exfiltration followed by encryption.

The script targets the following file extensions:

.pdf .csv .svg .kdbx .crt
.txt .xml .msg .tiff .cer
.xls .json .zip .key .pfx
.mdb .yml .bak .seed .ssh
.sql .yaml .wallet .qbw .conf
.doc .rtf .ods .pay .pst
.docx .psd .odt .ifx .ost
.ppt .ai .jks .sage .eml
.pptx .indd .db .sds .qbb
.xlsx .dwg .dat .123 .qbw
.accdb .dxf .keystore .peachtree .rdp
.odt .skp .snt .ini .config
.ods .cad .qfx .aws .htpasswd
.odp .eps .qb .credentials
.odb .ps .1password .ovpn


Additionally, an SMB share path, \\207.38.198[.]187\Exchange\BETO\1, is assigned to the variable $smbShare, and the script retrieves the victim’s public IP address using a GET request to ‘hxxp://’.

Then, a new SMB share path is created by combining $smbShare with the victim’s IP address, and the script checks whether this directory exists. If the directory doesn’t exist, it is created using the New-Item cmdlet.

The figure below shows Code Block 1.

Figure 7 – Code Block 1 – Creating Directory

The TA employs the creation of these directories to distinguish exfiltrated data originating from various victims, thereby implementing an approach of data categorization.

The figure below shows the code for data exfiltration.

Figure 8 – Data Exfiltration

This PowerShell script iterates through all available local drives, and for each drive, it scans for files of specified types listed in the $fileTypes variable. This is done by using the Get-ChildItem cmdlet to search for these files recursively within the drive’s root directory.

For each discovered file, the script constructs a destination path within a designated SMB share, creating any required directories along the way.

Code Block 2: File Encryption

This Code Block is designed to perform file encryption on files found on local drives.

It iterates through each available drive using the Get-PSDrive cmdlet, targeting the file types specified in the $fileTypes array.

The script attempts to encrypt each file matching these types using the Rijndael algorithm.

The figure below shows the code for drive enumeration.

Figure 9 – Drive Enumeration

Code block 2 then fetches the Base64 encoded encryption key and Initialization Vector (IV) stored on a remote file within an SMB share: “\\207[.]38.198[.]187\Exchange\BETO\null[.]txt”

Since the encryption keys are stored on a remote server, it is easy to decrypt these files. The following Base64 encoded content is fetched from a remote server:

  • Encryption key = GMOc/5uEaQQJ+3YMvV4kID02RZERA+Ywvihe3DcnXh0=
  • Initialization Vector = d6OJu2qgaW2HfESH/qCvJQ==

This script now decodes the Base64 values and passes them as a parameter to the Rijndael encryption algorithm, as shown below.

Figure 10 – Encryption Algorithm

Notably, unlike other ransomware variants, it refrains from renaming the file after encryption, which can pose a challenge when it comes to distinguishing between an encrypted and an unencrypted file.

The figure below illustrates the encrypted file.

Figure 11 – Encrypted File

Code Block 3: Ransom Note

In the final code block, the script defines a remote file path “\\\Exchange\BETO\RANSOM.txt” and a destination path on the user’s desktop using “[Environment]::GetFolderPath(‘Desktop’)”.

The script then copies the remote ransom note file (RANSOM.txt) to the user’s desktop.

The figure below shows the code to fetch the ransom note.

Figure 12 – Fetching the Ransom Note from the Remote Server

Finally, it opens the copied ransom note file using the Notepad application using the command “Start-Process “notepad.exe” -ArgumentList $destinationPath”.

The figure below shows the ransom note.

Figure 13 – Ransom Note


This ransomware appears to be in a testing phase, as indicated by the evolution we have observed over 2 days. The imitation of the well-known NoEscape ransomware, with its large Bitcoin ransom demand and claims of hacking a university, makes this variant particularly interesting.

What really raised our suspicions, however, is the fact that the ransom note does not mention any website for leaks or ways to communicate. It is also worth mentioning that the attackers didn’t use the same methods as NoEscape, such as using double extortion.

The lack of sophistication is further evident in the accessibility of encryption keys, making it relatively easy to decrypt any encrypted files.

Our Recommendations

  • Implement application whitelisting to restrict the execution of PowerShell scripts to only approved and trusted scripts or locations.
  • Utilize network monitoring tools to continuously monitor SMB traffic for suspicious patterns or anomalies.
  • Set up alerts for unusual SMB connection attempts, excessive failed login attempts, or unexpected data transfers.

MITRE ATT&CK® Techniques

Tactic  Technique ID  Technique Name 
Execution T1059


Command and Scripting Interpreter

User Execution

Defense Evasion T1027



Obfuscated Files or Information

Indirect Command Execution


Discovery T1083 File and Directory Discovery
Collection T1005


Data from Local System

Automated Collection

Command and Control T1071 Application Layer Protocol
Exfiltration T1041 Exfiltration Over C2 Channel
Impact T1486 Data Encrypted for Impact

Indicators of Compromise (IOCs)

Indicators Indicator Type Description
48dbe4460b65ff1fe59db35575c91d04715c8434d6c24c0c4cdf4545bc09e7d0 SHA256 Malicious BAT File
2e56fc252e32b6a231256b31c615dd0b277952211b5d23ad40263755a5c11d5c SHA256 Malicious BAT File
207.38.198[.]187 IP C&C
hxxp://207.38.198[.]187/Exchange/BETO/combined[.]ps1 URL Malicious URL

Yara Rule

rule BAT_Ransomware_Downloader{


author = “Cyble Research and Intelligence Labs”

description = “Detects BAT file downloading imitator of NoEscape ransomware from SMB Share”

date = “2023-09-01”

os = “Windows”


$a1  = “SMBPath” nocase ascii

$a2  = “\\” ascii

$a4  = “combined.ps1” nocase ascii


all of them



Scroll to Top