The US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HHS HC3) released an advisory on the NoEscape ransomware operation, which is believed to be a revamp of the Russian threat actor Avaddon.
“This ransomware variant is compatible with Windows safe mode – a series of scripts can be run to force a victim host to reboot in safe mode, where endpoint detection and response (EDR) products can be disabled more easily before running encryption routines,” the advisory states (PDF).
“As a RaaS tool, NoEscape also comes with other features in addition to the standard file encryption functions, including a Tor admin panel, private chat functions for secret communications, and distributed denial-of-service (DDoS), call, and spam services at extra cost (“Available from $500k”).”
HHS also noted that RaaS group’s “indiscriminate targeting” of healthcare providers is a “worrisome sign” that organizations in this field will suffer major disruptions from NoEscape attacks.
NoEscape victims face ransom demands ranging from a few hundred of thousand of dollars to over $10m.
“Multi-extortion tactics to maximize the impact of a successful attack are being used. This includes an option where data exfiltration and encryption is coupled with DDoS attacks against targets," InfoSecurity Magazine reports.
“HHS HC3 highlighted several links between NoEscape and the now defunct Avaddon gangs, the latter of which released its decryption keys in 2021.”
Takeaway: Healthcare and other critical infrastructure providers are a favored target for ransomware attacks given they typically have the least resources to dedicate to security, the networks are often composed of older legacy components, and any downtime is extremely disruptive with the potential to put lives at risk.
We see ransomware operators continue to advance their tactics, techniques, and procedures (TTPs) to improve infection vectors, stealth and lateral movement on the targeted network, and in the efficacy of their payloads.
Ransomware gangs like NoEscape continue to invest heavily in recruiting and retaining new talent, expanding their operations and capabilities at an alarming pace, and attacks are getting more disruptive to operations.
Ransomware attacks are the biggest threat facing every organization today, and healthcare providers have been hit particularly hard.
A robust defense is key, but resilience is what will ensure critical operations remain up and running even in the event of a ransomware attack. A strong prevention and resilience strategy to defend against ransomware attacks includes:
- Endpoint Protection (EPP): Deploy an anti-ransomware solution alongside existing Endpoint Protection Platforms (EPP/DR/XDR) to bridge the gaps in ransomware-specific coverage
- Patch Management: Keep all software and operating systems up to date and patched
- Data Backups: Assure critical data is backed up offsite and protected from corruption in the case of a ransomware attack (backups)
- Access Control: Implement network segmentation and policies of least privilege (Zero Trust)
- Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
- Resilience Testing: Regularly test solutions against simulated ransomware attacks to assure effective detection, prevention, response, and full recovery of targeted systems
- Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times
The detection/prevention side of the cyberattack equation is important, but organizations also have to prepare for failure by assuring they can quickly and decisively respond to a successful ransomware attack so any potential disruption to operations are kept to a minimum.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.