Date: 2023-10-11

The Indian Computer Emergency Response Team (CERT-In) has issued an alert for a new ransomware called NoEscape. This ransomware is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. The NoEscape and Avaddon encryptors are nearly identical, with the only notable difference being the encryption algorithm used. Avaddon used AES for file encryption, while NoEscape has switched to the Salsa20 algorithm.

NoEscape, like its predecessor Avaddon, targets enterprises in double extortion attacks. In these attacks, threat actors steal data and encrypt files on Windows, Linux, and VMware ESXi servers. The cybercriminals then threaten to release the stolen data unless a ransom is paid, with reported demands ranging from hundreds of thousands of dollars to over $10 million.

Once it has infected a system, the NoEscape ransomware deletes Windows Shadow Volume copies and local Windows backup catalogs, and turns off Windows automatic repair. It also terminates processes associated with security software, backup applications, web servers, and database servers. The ransomware changes the Windows wallpaper to display instructions for victims, directing them to the ransom notes for further information. These notes contain a “personal ID” that is required to log in to the threat actor’s Tor payment site and access the victim’s unique negotiation page.
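The three recovery-inhibiting actions described above can be detected in process-creation logs before encryption finishes. The following is an added example, not code from CERT-In or the original article: it flags hosts where two or more of those actions occur together. The article does not name the commands NoEscape runs, so the `vssadmin`, `wmic`, `wbadmin`, and `bcdedit` patterns (the built-in Windows tools commonly used for these actions), the host names, and the sample events are assumptions.

```python
import re

# Recovery-inhibiting behaviours named in the article, mapped to the built-in
# Windows tools usually used for them (assumed; the article names no commands).
RULES = {
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "backup_catalog_delete": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "auto_repair_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def hosts_to_escalate(events, threshold=2):
    """events: iterable of (host, command_line) from process-creation logs.
    One behaviour alone can be routine admin work; several distinct ones on
    the same host is the pre-encryption pattern, so escalate at `threshold`."""
    seen = {}
    for host, cmdline in events:
        seen.setdefault(host, set()).update(classify(cmdline))
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

# Constructed sample events (not taken from a real incident).
SAMPLE = [
    ("FS01", r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"),
    ("FS01", "wbadmin DELETE CATALOG -quiet"),
    ("FS01", "bcdedit /set {default} recoveryenabled No"),
    ("WS17", "vssadmin list shadows"),
    ("DB02", "vssadmin delete shadows /for=D: /oldest"),
]

if __name__ == "__main__":
    for host, hits in hosts_to_escalate(SAMPLE).items():
        print(host, hits)
```

In production the events would come from Windows Security event ID 4688 or Sysmon event ID 1, and the per-host grouping would be bounded to a short time window.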

CERT-In advises users to take precautionary measures to avoid falling victim to NoEscape ransomware. These measures include maintaining offline backups of data, encrypting backups, implementing multi-factor authentication for all services, and staying vigilant against phishing campaigns.

