Defunct Avaddon Rebranded as NoEscape Ransomware

Overlaps in NoEscape and Avaddon

• NoEscape ransomware’s encryptor is identical to the one used by Avaddon, with some notable changes. While the Avaddon ransomware used the AES algorithm, NoEscape switched to Salsa20 for file encryption.
• It was found that NoEscape borrows the configuration file and directives used by Avaddon.
• If the case is that NoEscape may have purchased the source code of the encryptor from Avaddon, researchers claim to be cognizant of the fact that some of the key Avaddon members are now part of the new ransomware operation.

More about NoEscape

• Since its inception, the ransomware group has listed 10 different companies on its data leak site, from different verticals.
• The attackers threaten to publicly release victims’ files and data if the ransom is not paid like other double extortion operations.
• The group demands a ransom ranging between hundreds of thousands of dollars to over $10 million.

Encryption details

• Upon execution, NoEscape runs a set of commands to delete Windows Shadow Volume Copies and local Windows backup catalogs. 
• It turns off Windows automatic repair and terminates processes associated with security software and backup applications before initiating the encryption process.  
• It encrypts files with specific extensions such as .accdb, .edb, .mdb, .mdf, .mds, .ndf, and .sql. A 10-character extension, which is unique for each victim, is appended to the encrypted files and a ransom note is dropped that instructs the victims on how to recover their files. 

Conclusion