NoEscape RaaS

‘NoEscape’ Ransomware-as-a-Service (RaaS)

A Newly Established Triple-Extortion Affiliate Program

Executive Summary

Cyble Research & Intelligence Labs (CRIL) observed a newly established Ransomware-as-a-Service (RaaS) program dubbed ‘NoEscape’ being offered on a cybercrime forum at the end of May 2023; its operators were looking to hire affiliates.

The C++-based ransomware is claimed to have been developed in-house, without the use of any third-party resources or source code. The technical specifications of the RaaS model apparently allow its operators and affiliates to leverage the triple-extortion technique to extort their victims.

Figure 1: NoEscape RaaS Program Advertisement

Observation and Analysis

Our research found the following notable features of the ransomware offered as part of the RaaS program:

  • The malicious build supports the ChaCha20 and RSA encryption algorithms. This is a hybrid-cryptography method that sophisticated ransomware groups use to encrypt files and protect their keys. The technique encrypts all the ChaCha20 keys with a global ChaCha20 key before encrypting this global key with its RSA-2048 public key.
  • Supports Windows Safe Mode: a script runs a series of consecutive commands that reboot the system into Safe Mode and subsequently launch the ransomware. After rebooting a compromised system into Safe Mode, the payload can easily disable endpoint security products and encrypt files. This method has been proven effective and impactful for extortion.
  • Asynchronous LAN scanning identifies the Distributed File System (DFS) and Server Message Block (SMB) protocols in use, allowing the operators to perform lateral movement, gain persistence and evade detection.
  • Shared encryption uses a single encryption key to encrypt all of the files on a network or system rather than a unique key for each file. This lets the attacker speed up the encryption of large datasets. However, in such cases, the decryption of encrypted data by the victim is possible.
  • An integrated service to maintain the anonymity of Bitcoin transactions. However, the method used to prevent tracing of Bitcoin transactions was not specified.
  • It is supported on Windows Desktop XP – 11, Windows Server 2003 – 2022, Linux (including Ubuntu and Debian-based distributions), and VMware ESXi.
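
One way to hunt for the Safe Mode behaviour described above (ATT&CK T1562.009), as an added example that is not from the advertisement or from CRIL: it correlates a boot-configuration change with a reboot on the same host. The event tuples, the 10-minute window and the function name are assumptions, and the `bcdedit`/`shutdown` command lines are the generic Windows mechanism, not commands attributed to NoEscape.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (host, UTC time, image, command line),
# shaped like Sysmon Event ID 1 / Security 4688 fields. None come from the page.
EVENTS = [
    ("FS01", "2023-06-01T02:10:05", "bcdedit.exe", "bcdedit /set {default} safeboot network"),
    ("FS01", "2023-06-01T02:10:09", "shutdown.exe", "shutdown /r /t 0"),
    ("DC02", "2023-06-01T03:00:00", "bcdedit.exe", "bcdedit /deletevalue {default} safeboot"),
    ("WS07", "2023-06-01T09:00:00", "bcdedit.exe", "bcdedit /enum"),
    ("WS07", "2023-06-01T09:30:00", "shutdown.exe", "shutdown /r /t 60"),
]

# Setting (not deleting) the safeboot boot option.
SAFEBOOT_SET = re.compile(r"/set\s+.*safeboot\s+(minimal|network)", re.I)
# A restart switch on the shutdown command line.
REBOOT = re.compile(r"(?:^|\s)[/-]r(?:\s|$)", re.I)

def detect_safeboot_reboot(events, window=timedelta(minutes=10)):
    """Return alerts as (host, time, severity, reason) tuples."""
    pending = {}   # host -> time of the most recent safeboot change
    alerts = []
    for host, ts, image, cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        image = image.lower()
        if image == "bcdedit.exe" and SAFEBOOT_SET.search(cmd):
            pending[host] = when
            alerts.append((host, ts, "medium", "safeboot boot option set"))
        elif image == "shutdown.exe" and REBOOT.search(cmd):
            changed = pending.pop(host, None)
            # Escalate only when the reboot closely follows the change.
            if changed is not None and when - changed <= window:
                alerts.append((host, ts, "high", "reboot follows safeboot change"))
    return alerts

if __name__ == "__main__":
    for alert in detect_safeboot_reboot(EVENTS):
        print(alert)
```

Administrators rarely set the safeboot option outside troubleshooting, so the medium alert is worth reviewing even when no reboot follows inside the window.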

Other features:

  • It also supports configurable mode settings:
    • Ignore: the file is skipped and not encrypted.
    • Fast: encrypts the beginning of the file and provides maximum speed.
    • Strong: full encryption of the file.
    • Balanced: fast and secure encryption of the file by spots; spot parameters are calculated in advance depending on the file size.
  • Allows setting priority paths for encryption and paths to ignore.
  • Stops and removes services.
  • Terminates selected processes before encryption.
  • Unmounts VHD drives when they are detected.
  • Supports the intelligent shutdown of file-locking processes.
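
The Fast and Balanced modes leave most of a file untouched, which matters for detection: a whole-file entropy check can stay below its alert threshold while individual blocks look like ciphertext. The following added example (not from the page or from CRIL) measures entropy per block and maps the layout onto the advertised modes. The block size, threshold and sample data are assumptions, and random bytes stand in for encrypted regions.

```python
import math
import random
from collections import Counter

BLOCK = 4096      # analysis window in bytes (assumed value)
THRESHOLD = 7.5   # bits/byte; ciphertext sits near 8.0 (assumed cut-off)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def hot_blocks(data: bytes) -> list:
    """Indexes of blocks whose entropy looks like ciphertext."""
    return [i // BLOCK for i in range(0, len(data), BLOCK)
            if entropy(data[i:i + BLOCK]) >= THRESHOLD]

def classify(data: bytes) -> str:
    """Map the high-entropy layout onto the modes listed in the advertisement."""
    hot, total = hot_blocks(data), math.ceil(len(data) / BLOCK)
    if not hot:
        return "untouched"
    if len(hot) == total:
        return "full (Strong)"
    if hot == list(range(len(hot))):      # contiguous run from offset 0
        return "head only (Fast)"
    return "spots (Balanced)"

def make_sample(encrypted_blocks, blocks=64, seed=1) -> bytes:
    """Constructed test data: log-like text with random bytes standing in
    for encrypted regions. No real ransomware output is involved."""
    rng = random.Random(seed)
    line = b"2023-06-01 12:00:00 INFO service heartbeat ok\n"
    data = bytearray((line * (blocks * BLOCK // len(line) + 1))[:blocks * BLOCK])
    for b in encrypted_blocks:
        data[b * BLOCK:(b + 1) * BLOCK] = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return bytes(data)

if __name__ == "__main__":
    for name, blocks in [("ignore", []), ("fast", [0, 1]),
                         ("balanced", [0, 16, 32, 48]), ("strong", range(64))]:
        sample = make_sample(blocks)
        print(f"{name:9} whole-file={entropy(sample):.2f}  blocks -> {classify(sample)}")
```

Compressed and media formats are also high-entropy, so a per-block result is a triage signal to combine with file type and write-rate telemetry, not a verdict on its own.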

The RaaS program offers the following features for conducting operations:

  • The administrator’s panel is hosted on Tor and has automated functionalities.
  • A fully automated leak website is hosted on Tor.
  • Ability to create private chats for secret communication with Recovery companies.
  • Ability to generate builds with different settings and one key.
  • Facility to build their own support on chat.
  • Provides 24/7 support for any queries.
  • Prompt messages to persuade the victim to respond to the message.
  • Guest account for access to target chats for network providers and partners.

After spreading laterally throughout the network, it encrypts the data and demands a ransom. If the ransom is not paid, the criminals will often sell the stolen data or publish it on public blogs and online forums.

The RaaS operators also offer a special service for DDoS/Spam for USD 500,000. This method can be leveraged as an additional extortion technique to threaten and pressure targeted companies for payouts.

The operators have an undisclosed mechanism for hiring affiliates and enforce a condition not to target entities in the Commonwealth of Independent States (CIS) countries, indicating their possible origin in Russia or the CIS.

The profit-sharing model of the RaaS is specified below:

  • If the payout is >= USD 1 million, 80% of the profit is shared with the affiliates.
  • If the payout is >= USD 3 million, 85% of the profit is shared with the affiliates.
  • If the payout exceeds USD 3 million, 90% of the profit is shared with the affiliates.

Tactics, Techniques, And Procedures (TTPs)

The Tactics, Techniques, and Procedures (TTPs) identified based on the MITRE ATT&CK framework are as follows:

Tactics            Techniques & Sub-Techniques                  MITRE ATT&CK® ID
Execution                                                       TA0002
                   User Execution                               T1204
                   System Services                              T1569
Persistence                                                     TA0003
                   Boot or Logon Autostart Execution            T1547
Defense Evasion                                                 TA0005
                   Impair Defenses                              T1562
                   Impair Defenses: Safe Mode Boot              T1562.009
                   Indicator Removal                            T1070
Lateral Movement                                                TA0008
                   Remote Services: SMB/Windows Admin Shares    T1021.002
Impact                                                          TA0040
                   Inhibit System Recovery                      T1490
                   Data Encrypted for Impact                    T1486
                   Service Stop                                 T1489
                   Network Denial of Service                    T1498

Open-source research found a detailed analysis by Trend Micro of a malicious file identified as ‘Ransom.Win32.NOESCAPE.B’ and reported on March 29, 2023. The ransomware lands on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting suspicious websites. However, the aforementioned ransomware can execute only on a Windows NT 10.0 OS.

Therefore, we did not find sufficient evidence or behavior to attribute the ransomware strain to the recently advertised NoEscape RaaS program.
