Ransomware Roundup – NoEscape
2023-11-15 01:7:0 Author: feeds.fortinet.com(查看原文) 阅读量:13 收藏

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the NoEscape ransomware.

Affected platforms: Microsoft Windows, Linux, and ESXi
Impacted parties: Microsoft Windows, Linux, and ESXi Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High

NoEscape Ransomware Overview

NoEscape is a financially motivated ransomware group that emerged in May 2023. The group runs a Ransomware-as-a-Service program. The developer creates and provides necessary pre- and post-infection tools for affiliates to perform malicious activities such as compromising victims, data exfiltration, and encryptor (ransomware) deployments. The group has victimized numerous organizations across multiple industries, including government, energy, hospitals, and physicians’ clinics. The NoEscape ransomware group is believed to be related to the now-defunct Avaddon ransomware group.

Infection Vector

Information on the infection vector used by the NoEscape ransomware threat actor is not currently available. However, it is not likely to differ significantly from other ransomware groups.

Victimology

According to data collected through Fortinet's FortiRecon service, the NoEscape ransomware group has targeted multiple industry verticals (Figure 1). Business services were most impacted by the ransomware, followed by the manufacturing and retail sectors. Victims of the NoEscape ransomware also include government organizations, hospitals, and medical clinics.

When victim organizations are ranked according to country (Figure 2), the United States leads by a wide margin.

As of November 3, 2023, the NoEscape ransomware group had last posted new victims on October 27th.

NoEscape Ransomware Execution

Once a network has been compromised and data has been exfiltrated, the NoEscape attacker deploys and runs a file encryptor, which terminates the following services and processes:

The ransomware encrypts files on the compromised systems and appends a “.[random 10-character uppercase alphabet]” extension to the affected files.

The ransomware avoids encrypting the following file extensions:

The NoEscape ransomware also exempts the following directories from file encryption:

It then leaves a ransom note titled “HOW_TO_RECOVER_FILES.txt.” The ransom note instructs victims to visit a TOR site for further instructions. The actual ransom negotiation takes place on TOX. It also insists that the NoEscape ransomware group is financially driven and is not politically motivated.

The NoEscape ransomware has variants that affect Linux and VMware ESXi.

Data Leak Site

The NoEscape ransomware group owns a TOR site where victims can contact the threat actor. Stolen information and a list of victims are also posted there.

Victims are instructed to visit the TOR site below and enter the unique personal ID listed on the ransom note.

As of November 3, the “NoEscape” blog lists 20 active NoEscape ransomware victims.

If victims do not comply with the attacker's request, another message is added to the page assigned to each victim urging action. Some of those messages are below:

Fortinet Protections

Fortinet customers are already protected from this malware variant through our AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the NoEscape ransomware samples with the following AV signatures:

  • W32/Avaddon.H!tr.ransom
  • W32/Filecoder_Avaddon.E!tr.ransom
  • W32/Filecoder_Avaddon.H!tr
  • W32/Filecoder_Avaddon.H!tr.ransom
  • Linux/Filecoder_NoEscape.A!tr
  • Linux/Filecoder_NoEscape.B!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

File IOCs

SHA2

Note

0073414c5a03b20f6f255f400291de67f2a7268c461f90ea6ff0355ca31af07a

Windows version of NoEscape ransomware

2020cae5115b6980d6423d59492b99e6aaa945a2230b7379c2f8ae3f54e1efd5

4175dae9b268fe5b4f96055ea0376417b5ddc2518d3bd11e20f0f8255bb4621e

4d7da1654f9047b6c6a9d32564a66684407ed587cbaffa54ec1185fd73293d3e

5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d

53f5c2f70374696ff12adcaaf1bbbe0e5dd1b1995d98f2e876b0671888b43128

62205bf0a23e56524f2f1c44897f809457ad26bc70810008ec5486e17c7e64e2

68bce3a400721d758560273ae024f61603b8a4986440a8ec9e28305d7e6d02b0

68ff9855262b7a9c27e349c5e3bf68b2fc9f9ca32a9d2b844f2265dccd2bc0d8

73c19eab8d2ae58db3968dd7de0e745db2d7709859305b113b748bb02494465e

831a2409d45d0c7f15b7f31eddbbdfe7d58414499e81b3da7d9fdee28fafe646

8dd64ea7f226d3eb1e857b0086c0668542652cb37f8142dc000272dbd9569e31

91c515d55fae6d21b106c8c55067ce53d42bef256bd5a385cadd104cf68f64ff

9d346518330eeefbf288aeca7b2b6243bc158415c7fee3f2c19694f0e5f7d51c

10d2b5f7d8966d5baeb06971dd154dc378496f4e5faf6d33e4861cd7a26c91d7

Linux version of NoEscape ransomware

21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da

46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561

c34c5dd4a58048d7fd164e500c014d16befa956c0bce7cae559081d57f63a243

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP), is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning, to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.


文章来源: https://feeds.fortinet.com/~/832559699/0/fortinet/blog/threat-research~Ransomware-Roundup-%e2%80%93-NoEscape
如有侵权请联系:admin#unsafe.sh