Healthcare facilities are a prime target for NoEscape ransomware, HHS warns


The healthcare and public health (HPH) sector has been warned it will likely be in the crosshairs of NoEscape, a triple-extortion ransomware threat group believed to have risen from the ashes of the defunct Russian-speaking Avaddon gang.

The warning is stated in an analyst note (PDF) from the U.S. Department of Health and Human Services' (HHS) Health Sector Cybersecurity Coordination Center (HC3).

NoEscape, a ransomware-as-a-service group, has targeted a wide range of industries since its first sighting in May this year. In addition to signing up to use the group’s suite of malware tools to encrypt and exfiltrate victim data, affiliates can pay extra for distributed denial of service (DDoS) offerings.

“NoEscape may be new to the cyber threat landscape, but in its short existence it has proven to be a formidable adversary,” the HC3 advisory states.

“The value of HPH data, in particular, indicates that the healthcare sector will remain a viable target.”

In a September gang profile, SOCRadar said its most common targets to date have been in the professional services, manufacturing and information sectors – primarily telecommunications – with just over 30% of victims located in North America. It was also active in Europe and Southeast Asia.

According to HC3, the gang did not allow its affiliates to attack former Soviet Union republics within the Commonwealth of Independent States (CIS).

“DDoS service is available (to affiliates) for an additional fee of $500,000, with operators imposing conditions that prohibit affiliates from striking entities located in CIS countries,” the analyst’s note said.

“Additional mechanisms are in place to reduce the chances of this malware running on hosts detected to be in CIS countries.”

SOCRadar said NoEscape had “quickly emerged as a formidable threat in the cybersecurity landscape.”

“The ransomware has features such as stopping the process, running in safe mode, spreading and encrypting over SMB (Server Message Block) or DFS (Distributed File System), and using Windows Restart Manager to bypass any processes that may block the encryption process,” the SOCRadar researchers said.

“A unique feature is shared encryption, which allows a single encryption key to be used for all infected files on a network, facilitating effective encryption and rapid decryption if the ransom is paid.”

NoEscape is believed to be a rebrand of another sophisticated ransomware operator, the Russian-speaking Avaddon threat group, which disbanded in 2021.

Analysis of the two gangs’ ransomware encryptors showed a clear similarity between them.

“Previously, the Avaddon encryptor used AES for file encryption, with NoEscape switching to the Salsa20 algorithm,” HC3 said. “Otherwise, the encryptors are virtually identical, with almost identical encryption logic and file formats, including a unique way to ‘fragment RSA encrypted blobs.’”

Researchers also learned that key members of the Avaddon gang were now part of the NoEscape group.

HC3 said healthcare providers should take standard steps to protect against ransomware attacks, such as keeping software up to date, performing regular backups and being alert to phishing emails. HPH sector organizations should also utilize industry-specific resources, including the HHS 405(d) Program, a collaboration between industry and government to align health sector security practices.
