NoEscape

Malware updated a month ago (2024-10-17T13:04:00.374Z)
NoEscape is malware known for its ransomware capabilities. It often infiltrates systems undetected via suspicious downloads, emails, or websites, and causes significant harm by stealing personal data, disrupting operations, and holding data hostage for ransom.

In October 2023, NoEscape orchestrated a major data breach against the French basketball team ASVEL. In the last quarter of 2023, the Talos Incident Response team reported their first encounters with NoEscape, along with Play, Cactus, and BlackSuit ransomware, noting a 17% rise in ransomware incidents during this period. The malware has been linked to other ransomware strains like Rhombus, as revealed by static analysis of the Hadooken binary and Aqua's malware study. However, dynamic analyses showed no active use of these links during attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have identified an Iranian group, Fox Kitten, as providing initial access to compromised networks to operators of ransomware strains such as ALPHV (or BlackCat), Ransomhouse, and NoEscape, in return for a cut of any ransom collected. In December 2023, following the FBI’s announcement of a disruption campaign against the ALPHV ransomware, the LockBit ransomware group made a public call on a Russian-speaking dark web forum to recruit ALPHV (BlackCat) and NoEscape ransomware affiliates, including any ALPHV developers. This move indicates a potential shift in the landscape of cyber threats, with established groups seeking to consolidate power and resources in the face of increased law enforcement actions.
Description last updated: 2024-10-17T12:09:06.112Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias Description | Votes |
| --- | --- |
| Alphv is a possible alias for NoEscape. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB | 6 |
| Avaddon is a possible alias for NoEscape. Avaddon is a type of malware, specifically ransomware, designed to exploit and damage computer systems. It was notable for its compatibility with older systems such as Windows XP and Windows 2003, distinguishing it from other ransomware like Darkside and Babuk which targeted more modern systems like | 5 |
| Rhombus is a possible alias for NoEscape. | 2 |
| Ransomhouse is a possible alias for NoEscape. RansomHouse is a malicious software (malware) that has been active since 2021 and describes itself as a “professional mediators community” targeting organizations with lax attitudes towards customer data privacy and security. The malware infects systems through suspicious downloads, emails, or websi | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Encryption
Malware
Extortion
DDoS
Exploit
Healthcare
ESXi
Windows
RaaS
Linux
Associated Malware
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The Lockbit Malware is associated with NoEscape. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit | Unspecified | 4 |
Associated Threat Actors
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The Fox Kitten Threat Actor is associated with NoEscape. Fox Kitten, an Iran-based cyber espionage group active since at least 2017, has been a significant threat actor in the cybersecurity landscape. This group primarily targets VPN devices from Citrix, Fortinet, Palo Alto Networks, and Pulse Secure for initial access into networks. The FBI identified Fo | Unspecified | 2 |