NoEscape

1. Overview

NoEscape is a double-extortion ransomware operation that emerged in mid-2023 and quickly established itself as a technically capable and aggressive threat actor. The group targets large enterprises, critical infrastructure and professional services, combining file encryption with the theft of sensitive data, which it threatens to publish if the ransom is not paid.

NoEscape is widely assessed to be a successor to, or rebrand of, the Avaddon ransomware operation, reusing elements of its tooling, infrastructure design and negotiation tactics. It ships encryptors for Windows, Linux and VMware ESXi, so a single intrusion can reach both physical hosts and the hypervisors that run a virtualised estate, which makes it particularly dangerous for hybrid or virtualised infrastructures.


2. Origin and Evolution

NoEscape was first observed in May 2023, when several high-profile incidents involving both encryption and data theft were attributed to a previously unknown ransomware strain. Malware analysis revealed strong similarities to Avaddon, a ransomware operation that shut down in June 2021 under heightened law-enforcement pressure and released decryption keys for its victims.

Like Avaddon, NoEscape operates as a Ransomware-as-a-Service (RaaS), but from the outset it presented itself as a closed programme with hand-picked, internally vetted affiliates. Within months the group had claimed attacks on law firms, financial institutions, logistics providers and government contractors, many of which were listed on its dark-web leak site.


3. Tactics, Techniques, and Procedures (TTPs)

NoEscape conducts structured, multi-stage intrusions using a mix of custom code and commodity tools. Key methods include:

  • Initial Access:
    Compromised RDP/VPN credentials (T1078), phishing emails with malicious attachments (T1566.001) and exploitation of vulnerable internet-facing services (T1190).
  • Lateral Movement:
    Cobalt Strike, RDP (T1021.001), PsExec over SMB admin shares (T1021.002) and PowerShell scripts (T1059.001) are used to take control of large parts of the estate before the encryptor is staged.
  • Data Exfiltration:
    Exfiltration takes place before encryption, using Rclone and MEGASync to push data to cloud storage (T1567.002) and custom SFTP scripts (T1048.002). Stolen data includes financial records, HR files, legal documents and source code; it is this copy, not the encrypted one, that gives the group its leverage in negotiations.
  • Encryption:
    The encryptor uses multi-threaded AES file encryption with the per-file keys protected by RSA, and renames encrypted files with a .no_escape or .noescape extension. Payloads are highly configurable, allowing operators to include or exclude specific file types, directories and hosts.
  • Persistence & Evasion:
    Security tooling is disabled (T1562.001), volume shadow copies are deleted to block easy recovery (T1490) and obfuscated loaders are deployed. Scheduled tasks (T1053.005) or startup entries (T1547.001) are often used to keep the loader resident until the encryption payload is run.

4. Targeting Profile

NoEscape targets high-value organisations, often in jurisdictions with GDPR or comparable data-protection obligations, where the threat of publication carries regulatory as well as reputational cost. Commonly affected sectors include:

  • Legal services and law firms
  • Banking, finance, and fintech
  • Logistics, shipping, and freight
  • Healthcare and private medical providers
  • Critical infrastructure and IT service providers

Victims appear to be selected on the value of their data, their sensitivity to downtime and the presence of exposed, unpatched services. Several UK-based organisations, including in the legal and financial services sectors, have already been named on NoEscape's leak site.


5. Notable Campaigns and Victims

Despite its relatively short lifespan, NoEscape has had an outsized impact. Confirmed victims include:

  • A European law firm, with case documents, client contracts, and internal communications leaked.
  • A Southeast Asian logistics platform, where client data and routing software source code were stolen.
  • A US healthcare provider, resulting in the exposure of patient medical and billing records.
  • A UK-based accountancy firm, with client records and sensitive financial documents published on the leak site.

In most cases the group has demanded ransoms ranging from £200,000 to over £3 million, and it follows through on its publication threats when payment is not made.


6. Ransomware and Leak Site Behaviour

NoEscape maintains an active and well-structured dark-web leak portal. Features include:

  1. Victim name and logo
  2. Industry and country listing
  3. Sample data downloads (e.g. spreadsheets, PDFs, email headers) offered as proof of theft
  4. Countdown timers to full publication
  5. Tor-based communication portals for negotiation

The group combines technical pressure with public humiliation, making it especially dangerous for organisations that are customer-facing or subject to regulatory oversight.


7. Technical Indicators

Indicators of compromise associated with NoEscape include the following. Extension and note names are taken from analysed samples and can change between builds, so treat the file-level indicators as a starting point and pair them with the behavioural detections in section 8:

  • File extensions appended to encrypted files: .noescape, .no_escape
  • Ransom notes named readme.txt or README_RECOVERY.txt, dropped into encrypted directories
  • Execution of rclone.exe, 7z.exe and PowerShell data-transfer scripts, typically by accounts and from paths that do not normally run them
  • Encrypted connections to attacker-controlled SFTP/FTP servers and to cloud storage such as MEGA
  • Cobalt Strike beacons used for command and control, persistence and lateral movement

UK Cyber Defence Ltd provides updated YARA rules, Sigma detections, and IOC packs for enterprise defenders.
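The script below is added here as a worked example; it is not part of the original profile and not one of the IOC packs mentioned above. It sweeps a directory tree for the file-level indicators listed in this section and summarises blast radius (encrypted files per directory) and the encryption window (mtime bounds of encrypted files), which is what an incident responder needs first in order to hunt backwards for the exfiltration that preceded encryption. The extension and note names come from the list above; the sample tree that build_demo_tree() creates under a temporary directory, including the file names and the idea that some system files were skipped, is constructed for the demo.

```python
"""Added example (not part of the original profile or of any vendor IOC pack):
sweep a directory tree for NoEscape's file-level indicators and summarise
where encryption landed and when. Extension and note names come from the
profile; the sample tree built by build_demo_tree() is constructed."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators listed in the profile. These differ between builds, so extend
# them from your own samples rather than treating the list as complete.
ENCRYPTED_EXTENSIONS = {".noescape", ".no_escape"}
RANSOM_NOTE_NAMES = {"readme.txt", "readme_recovery.txt"}


def sweep(root):
    """Walk root and return a summary of what the encryptor touched.

    encrypted            number of files carrying a known encrypted extension
    notes                relative paths of ransom notes found
    by_dir               Counter of encrypted files per directory (blast radius)
    first_seen/last_seen mtime bounds of encrypted files: the encryption window,
                         which bounds the hunt for the preceding exfiltration
    untouched_sample     a few unencrypted paths, useful for inferring the
                         encryptor's exclusion rules
    """
    root = Path(root)
    summary = {"encrypted": 0, "notes": [], "by_dir": Counter(),
               "first_seen": None, "last_seen": None, "untouched_sample": []}
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.lower() in RANSOM_NOTE_NAMES:
                summary["notes"].append(rel)
            elif path.suffix.lower() in ENCRYPTED_EXTENSIONS:
                summary["encrypted"] += 1
                summary["by_dir"][rel_dir] += 1
                mtime = path.stat().st_mtime
                if summary["first_seen"] is None or mtime < summary["first_seen"]:
                    summary["first_seen"] = mtime
                if summary["last_seen"] is None or mtime > summary["last_seen"]:
                    summary["last_seen"] = mtime
            elif len(summary["untouched_sample"]) < 5:
                summary["untouched_sample"].append(rel)
    return summary


def worst_hit(summary, n=3):
    """Directories with the most encrypted files, for restore prioritisation."""
    return summary["by_dir"].most_common(n)


def build_demo_tree():
    """Constructed sample tree (not real victim data) under a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="noescape_demo_"))
    layout = {
        "finance/q1_ledger.xlsx.noescape": b"\x00" * 64,
        "finance/payroll.csv.noescape": b"\x00" * 64,
        "finance/readme.txt": b"constructed ransom note",
        "legal/contract.pdf.no_escape": b"\x00" * 64,
        "legal/README_RECOVERY.txt": b"constructed ransom note",
        "it/ntds.dit": b"constructed: left alone by the encryptor's exclusions",
        "it/boot.ini": b"constructed: left alone by the encryptor's exclusions",
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    result = sweep(demo_root)
    print(f"encrypted files:   {result['encrypted']}")
    print(f"ransom notes:      {result['notes']}")
    print(f"worst-hit dirs:    {worst_hit(result)}")
    print(f"encryption window: {result['first_seen']:.0f} .. {result['last_seen']:.0f} (epoch)")
```

Run it against a mounted forensic image or a read-only share rather than a live host, and note that mtimes are only a lower bound on the timeline: the exfiltration the profile describes happened before first_seen, so that is where the log search should start.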


8. Defensive Measures and Recommendations

To defend against NoEscape ransomware:

  • Enforce MFA on all internet-facing services (VPN, RDP gateways, webmail) and admin portals; stolen credentials are the group's primary initial-access route
  • Monitor for data staging and large-scale archive creation (7-Zip archives written by unusual accounts, rclone or MEGASync execution, large outbound transfers to cloud storage); exfiltration precedes encryption, so this is the last point at which the double-extortion leverage can still be denied
  • Apply patches promptly to VPNs, firewalls and file-transfer tools exposed to the internet
  • Use network segmentation and restrict lateral-movement paths (RDP and SMB admin-share access between workstations and servers)
  • Deploy EDR/XDR solutions capable of detecting LOLBins and command-line abuse, including shadow-copy deletion and security-service tampering
  • Maintain offline, immutable backups, tested regularly, and rehearse restoring them under time pressure
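As an added example, not from the original profile and not UK Cyber Defence Ltd's Sigma content, the detector below applies the staging, exfiltration and impact behaviours from sections 3, 7 and 8 to process-creation events and correlates them per host in the order the group works: archive, exfiltrate, then delete shadow copies. The event field names (ts, host, user, image, cmdline, parent, loosely modelled on Sysmon Event ID 1) and the sample events are assumptions constructed for the demo, and the regexes are illustrative rather than a tuned ruleset. It generalises slightly beyond the text by treating the sequence, not any single tool, as the high-severity signal, which is what separates a nightly 7-Zip backup from the same binary used for staging.

```python
"""Added example (not from the original profile or any vendor ruleset): a
small stateful detector for the pre-encryption behaviours the profile
describes, run over constructed process-creation events. Field names follow
Sysmon Event ID 1 loosely (ts, host, user, image, cmdline, parent) and are an
assumption; the regexes are illustrative rather than a tuned ruleset."""
import re
from datetime import datetime, timedelta

# (rule name, ATT&CK technique, regex over lowercase image path,
#  regex over lowercase command line). An empty command-line regex matches
# anything, i.e. the tool running at all is the signal.
RULES = [
    ("archive_staging",         "T1560.001", r"\\7z(a|g)?(\.exe)?$",   r"\s+a\s"),
    ("rclone_exfil",            "T1567.002", r"\\rclone(\.exe)?$",     r"\b(copy|sync|move)\s"),
    ("megasync_exfil",          "T1567.002", r"\\megasync(\.exe)?$",   r""),
    ("av_service_stop",         "T1562.001", r"\\(net1?|sc)(\.exe)?$", r"\bstop\b\s+\S*(defend|sense|sophos|mcafee|falcon)"),
    ("shadow_copy_delete",      "T1490",     r"\\vssadmin(\.exe)?$",   r"delete\s+shadows"),
    ("shadow_copy_delete_wmic", "T1490",     r"\\wmic(\.exe)?$",       r"shadowcopy\s+delete"),
    ("encoded_powershell",      "T1059.001", r"\\powershell(\.exe)?$", r"\s-(e|ec|enc|encodedcommand)\s"),
]

# Which kill-chain stage each rule represents for the per-host correlation.
STAGE_OF = {"archive_staging": "staging", "rclone_exfil": "exfil",
            "megasync_exfil": "exfil", "shadow_copy_delete": "impact",
            "shadow_copy_delete_wmic": "impact"}


def match_rules(event):
    """Return [(rule, technique)] for every rule the event satisfies."""
    image, cmd = event["image"].lower(), event["cmdline"].lower()
    return [(name, tech) for name, tech, image_re, cmd_re in RULES
            if re.search(image_re, image) and re.search(cmd_re, cmd)]


def analyse(events, window=timedelta(hours=6)):
    """Return (alerts, chains).

    alerts: one entry per rule hit, in time order.
    chains: per host, the staging -> exfil (-> impact) sequence the profile
            describes, with exfil within `window` of the first staging event.
            A lone archive job (a backup) stays a low-value alert; the same
            tool followed by rclone and then shadow-copy deletion is the
            double-extortion pattern and is escalated.
    """
    alerts, chains, first_seen = [], [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        for rule, tech in match_rules(ev):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rule": rule, "technique": tech, "cmdline": ev["cmdline"]})
            stage = STAGE_OF.get(rule)
            if stage:
                first_seen.setdefault(ev["host"], {}).setdefault(stage, ts)
    for host, seen in first_seen.items():
        if ("staging" in seen and "exfil" in seen
                and timedelta(0) <= seen["exfil"] - seen["staging"] <= window):
            chain = {"host": host, "stages": ["staging", "exfil"], "severity": "high"}
            if "impact" in seen and seen["impact"] >= seen["exfil"]:
                chain["stages"].append("impact")
                chain["severity"] = "critical"
            chains.append(chain)
    return alerts, chains


# Constructed sample telemetry, not real logs. BK01 runs a legitimate nightly
# 7-Zip backup; FS01 shows the profile's sequence; WS22 is benign noise.
SAMPLE_EVENTS = [
    {"ts": "2025-05-02T01:12:04", "host": "BK01", "user": "CORP\\svc_backup",
     "image": "C:\\Program Files\\Backup\\7z.exe",
     "cmdline": "7z.exe a -mx1 D:\\backup\\nightly.7z D:\\shares", "parent": "BackupAgent.exe"},
    {"ts": "2025-05-02T02:40:19", "host": "FS01", "user": "CORP\\jsmith",
     "image": "C:\\ProgramData\\7z.exe",
     "cmdline": "7z.exe a -mx1 -pS3cret C:\\ProgramData\\hr.7z \\\\fs01\\hr \\\\fs01\\finance", "parent": "cmd.exe"},
    {"ts": "2025-05-02T03:05:51", "host": "FS01", "user": "CORP\\jsmith",
     "image": "C:\\ProgramData\\rclone.exe",
     "cmdline": "rclone.exe copy C:\\ProgramData\\hr.7z mega:drop --transfers 8", "parent": "cmd.exe"},
    {"ts": "2025-05-02T03:40:55", "host": "FS01", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net stop WinDefend", "parent": "cmd.exe"},
    {"ts": "2025-05-02T03:41:10", "host": "FS01", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": "cmd.exe"},
    {"ts": "2025-05-02T03:41:12", "host": "FS01", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "parent": "cmd.exe"},
    {"ts": "2025-05-02T08:00:00", "host": "WS22", "user": "CORP\\alee",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows", "parent": "cmd.exe"},
]


if __name__ == "__main__":
    found, sequences = analyse(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']} {a['host']:<5} {a['rule']:<24} {a['technique']:<10} {a['cmdline']}")
    for c in sequences:
        print(f"CHAIN {c['host']}: {' -> '.join(c['stages'])} [{c['severity']}]")
```

On the sample data every FS01 event fires an alert, but only the chain (staging at 02:40, rclone at 03:05, shadow-copy deletion at 03:41) is escalated to critical; the BK01 backup job produces a single low-value staging alert and no chain, and the WS22 "vssadmin list shadows" produces nothing. In production the same structure sits naturally on top of Sigma or EDR alerts, with the window tuned to how long the group's exfiltration typically runs in your environment.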

9. Attribution and Alliances

NoEscape is widely believed to be operated by a core team formerly affiliated with Avaddon, and possibly linked to other post-REvil splinter groups. Its infrastructure, payload design and negotiation patterns point to a Russian-speaking operator base.

The group runs a closed RaaS model, likely with vetting of affiliates, and may buy footholds from initial access brokers rather than obtaining every foothold itself.


10. Conclusion

NoEscape is a highly structured, professional ransomware threat with a clear focus on maximum impact and reputational damage. Its combination of multi-platform payloads, targeted data theft and aggressive public leak tactics makes it a formidable risk to UK enterprises, particularly in sectors where data sensitivity and business continuity are paramount.

Organisations must ensure they are prepared not only to withstand encryption-based disruption, but also the reputational and legal fallout of sensitive data breaches.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
