Overview

NoEscape is a new Ransomware-as-a-Service (RaaS) tool which was announced in a post on a dark web forum on 22nd May 2023. Like other RaaS operations, NoEscape has an affiliate programme, where third-party contractors work to install NoEscape on target systems for a fee.

NoEscape is written in C++ and is claimed to have been written from scratch, without recycling code from previous malware samples or ransomware products. The service has an interface for customising compiled executables, letting operators choose whether to optimise for speed or thoroughness of encryption, which file paths to prioritise or ignore, and which services to terminate before starting encryption. NoEscape uses the RSA and ChaCha20 encryption algorithms, can perform asynchronous LAN scanning, and can encrypt discovered network file shares as well as local drives. NoEscape also deletes shadow copies and system back-ups, which is standard practice for ransomware programmes.

This ransomware variant is compatible with Windows safe mode: a series of scripts can be run to force a victim host to reboot in safe mode, where endpoint detection and response (EDR) products can be disabled more easily before running encryption routines. Mechanisms are in place to reduce the chances of this malware running on hosts detected to be in Commonwealth of Independent States (CIS) countries.
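
As an added example (not part of the original report), the shadow-copy and back-up deletion and the forced safe-mode reboot described above can be hunted for in process-creation logs. The command patterns are assumptions based on standard Windows utilities (vssadmin, wmic, wbadmin, bcdedit), not commands the report attributes to NoEscape; the events and host names are constructed.

```python
import re
from collections import defaultdict

# Assumed patterns: built-in Windows tools commonly tied to these behaviours.
# The report does not list the commands NoEscape actually runs.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "backup_catalog_deletion": [
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|backup)\b", re.I),
    ],
    "safe_mode_boot_change": [
        re.compile(r"\bbcdedit(\.exe)?\b.*/set\b.*\bsafeboot\b", re.I),
    ],
}

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, pats in RULES.items()
                  if any(p.search(cmdline) for p in pats))

def hosts_to_escalate(events, window_seconds=900):
    """Hosts with a recovery-inhibiting command and a safe-mode boot change
    seen within window_seconds of each other (either order)."""
    hits = defaultdict(list)
    for ts, host, cmdline in events:
        for rule in classify(cmdline):
            hits[host].append((ts, rule))
    flagged = []
    for host, seen in hits.items():
        safe = [ts for ts, r in seen if r == "safe_mode_boot_change"]
        wipe = [ts for ts, r in seen if r != "safe_mode_boot_change"]
        if any(abs(s - w) <= window_seconds for s in safe for w in wipe):
            flagged.append(host)
    return sorted(flagged)

# Constructed sample events: (epoch seconds, host, process command line).
SAMPLE_EVENTS = [
    (1000, "ws-01", r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"),
    (1120, "ws-01", "bcdedit /set {default} safeboot network"),
    (1300, "ws-02", "vssadmin list shadows"),            # benign listing
    (1400, "ws-03", "wbadmin delete catalog -quiet"),
    (9000, "ws-03", "bcdedit /set {default} safeboot minimal"),  # outside window
    (1500, "ws-04", "bcdedit /enum"),                    # benign query
]

if __name__ == "__main__":
    for ts, host, cmd in SAMPLE_EVENTS:
        print(host, classify(cmd) or "no match")
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

Single matches are worth an alert on their own; the correlation step raises priority when both behaviours appear on one host in a short window.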

As a RaaS tool, NoEscape also comes with other features in addition to the standard file encryption functions, including a Tor admin panel, private chat functions for secret communications, and distributed denial-of-service (DDoS), call, and spam services at extra cost (“Available from US$500k”).

Two NoEscape threat types are listed on Trend Micro’s threat encyclopedia: Ransom.Win32.NOESCAPE.A and Ransom.Win32.NOESCAPE.B. These were added on 18th August 2022 and 29th March 2023 respectively. As such, it is likely that some functionalities of the NoEscape RaaS tool were tested in the wild prior to the announcement of the affiliate programme on 22nd May 2023.


Further Malware Reports from Quorum Cyber

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ

Colorado, USA Office

950 S Cherry St Ste 505
Denver, Colorado
USA
80246

Dubai, UAE Office

Meydan Grandstand
6th floor
Meydan Road
Nad Al Sheba
Dubai, U.A.E

Ontario, Canada Office

1375 North Service Rd E
Suite 102
Oakville
Ontario L6H 1A7

Arizona, USA Office

1300 S Litchfield Rd
110-L, Goodyear
USA
Arizona 85338
