Ransomware, Critical Infrastructure Security

Healthcare organizations a prime target for NoEscape ransomware, HHS warns

Share
Stethoscope on laptop keyboard

The healthcare and public health (HPH) sector has been warned it is likely in the crosshairs of NoEscape, a triple-extortion ransomware threat group believed to have emerged out of the ashes of defunct Russian-speaking gang Avaddon.

The warning is set out in an analyst note (PDF) from the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center HHS (HC3).

NoEscape, a ransomware-as-a-service group, has targeted a range of industries since it was first observed in May this year. As well as signing up to use the group’s suite of malware tools to encrypt and exfiltrate victims’ data, affiliates can pay extra for distributed-denial-of-service (DDoS) offerings.

“NoEscape may be new to the cyber threat landscape, but in its short existence, it has proven to be a formidable adversary,” the HC3 advisory said.

“The value of HPH data, in particular, signals that the healthcare industry will remain a viable target.”

In a September profile of the gang, SOCRadar said its most common targets to date were in the professional services, manufacturing and information sectors — mostly telecommunications — with just over 30% of victims located in North America. It was also active in Europe and Southeast Asia.

According to HC3, the gang did not allow its affiliates to attack the former Soviet Union republics within the Commonwealth of Independent States (CIS).

“The DDoS service is available [to affiliates] for an added $500,000 fee, with the operators imposing conditions that forbid affiliates from striking entities located in CIS countries,” the analyst note said.

“Additional mechanisms are in place to reduce the chances of this malware running on hosts which are detected to be in CIS countries.”

SOCRadar said NoEscape had “rapidly emerged as a formidable threat in the cybersecurity landscape.”

“The ransomware has features like process termination, safe-mode operation, spreading and encryption over SMB [Server Message Block] or DFS [Distributed File System], and the use of the Windows Restart Manager to bypass any processes that might block the encryption process,” SOCRadar’s researchers said.

“A unique feature is the shared encryption, which allows a single encryption key to be used across all infected files in a network, facilitating efficient encryption and quick decryption if the ransom is paid.”

NoEscape is believed to be a rebrand of another sophisticated ransomware operator, the Russian-speaking Avaddon threat group, which disbanded in 2021.

Analysis of the two gangs’ ransomware encryptors showed a distinct similarity between them.

“Previously, the Avaddon encryptor utilized AES for file encryption, with NoEscape switching to the Salsa20 algorithm,” HC3 said. “Otherwise, the encryptors are virtually identical, with the encryption logic and file formats almost identical, including a unique way of ‘chunking of the RSA encrypted blobs.’”

Researchers have also been told core members of the Avaddon gang are now part of the NoEscape group.

HC3 said healthcare providers should take standard measures to protect themselves against ransomware attacks, such as keeping software updated, backing up regularly and being alert to phishing emails. HPH sector organizations should also utilize industry-specific resources including the HHS 405(d) Program, an industry and government collaboration to align healthcare sector security practices.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.