Incident Report

NEWSFLASH: NoEscape Unleashes Havoc in Healthcare

By

By

Access Point Consulting

Overview

A formidable new Ransomware-as-a-Service (RaaS) group, known as NoEscape, has emerged as a rebrand of the Russian threat actor Avaddon. NoEscape, identified by the US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HHS HC3), exhibits unique features and employs aggressive multi-extortion tactics. The group has been observed targeting organizations in professional services, manufacturing, and information industries, with a particularly worrisome focus on the healthcare and public health sector. NoEscape gains access to networks through various means, such as phishing emails or compromised servers. Initial signs of compromise may include unusual network activity, unauthorized access attempts, or suspicious files.

Impact

Upon infiltrating a network, NoEscape leaves a note on the victim's computer, establishing a communication channel with instructions for engaging with the ransomware developers. Victims are required to pay a ransom in cryptocurrency, with amounts varying based on the severity of the attack. Preferred victims are organizations in the US and Europe. NoEscape employs multi-extortion tactics, offering an option that combines data exfiltration and encryption with DDoS attacks for an additional fee. This approach maximizes the impact of successful attacks. HHS HC3 has drawn parallels between NoEscape and the now defunct Avaddon gangs, highlighting encryption similarities, configuration overlaps, tactical resemblances, and geographical exemptions.

Tactics and Techniques

From MITRE ATT&CK®, an open knowledge base of adversary tactics and techniques, this section is intended to provide access to in-depth techniques and tactics NoEscape is thought to use on their adversaries.

Initial Access:

  1. External Remote Services (T1133)
  2. Valid Accounts (T1078)

Execution:

  1. User Execution: (T1204.002)
  2. Scheduled Task/Job (T1053.005)

Persistence:

  1. Registry Run Keys/Startup Folder (T1547.001)
  2. Valid Accounts (T1078)

Privilege Escalation:

  1. Valid Accounts (T1078)

Defense Evasion:

  1. Disable or Modify Tools (T1562.001)
  2. Software Packing (T1027.002)
  3. Process Injection (T1055)
  4. Indicator Removal on Host (T1070.004)
  5. Modify Registry (T1112)
  6. Deobfuscate/Decode File or Information (T1140)
  7. Virtualization/Sandbox Evasion (T1497.001)

Credential Access:

  1. OS Credential Dumping (T1003)

Discovery:

  1. Account Discovery (T1078)
  2. Domain Trust Discovery (T1482)
  3. Permissions Group Discovery (T1069)

Lateral Movement:

  1. Remote Services (T1021)
  2. Remote Desktop Protocol (T1021.001)

Collection:

  1. Archive via Utility (T1560.001)

Command and Control

  1. Web Protocols (T1071.001)
  2. Exfiltration to Cloud Storage (T1567.002)

Recommendations/Mitigations

It's essential to evaluate the adequacy and effectiveness of an organization’s incident response plan using tried and tested tabletop exercises for preparation, to contain any potential incident with least business impact. Communication with stakeholders, including executives, employees, customers, and regulatory bodies, is crucial.

In addition to this, Access Point urges organizations to maintain offline backups of critical data, keep all software up to date, implement robust email security controls and provide phishing awareness training, utilize strong passwords and enable multi-factor authentication, establish a well-defined ransomware incident response plan, and deploy network security measures such as firewalls for monitoring and control.

Resources

CyberWatch

April 2, 2025

Scott "Monty" Montgomery (Island) | Navigating CMMC compliance for organizations of every size

Scott Montgomery, known as Monty, joined the CyberWatch Expert Series podcast to discuss his extensive background in cybersecurity, particularly in building and designing network security tools for high-assurance environments like the Department of Defense (DoD) and the intelligence community. His experience includes significant tenure at McAfee (now Trellix), which led him to his current role at Island, where he focuses on innovative approaches to cybersecurity compliance.

Find out more
March 19, 2025

Michael Sviben (DomainGuard) | Defending against phishing and building proactive security awareness

Cybersecurity threats evolve rapidly, and one tactic consistently rises above the rest: phishing. In this episode of CyberWatch, Michael Sviben, co-founder of DomainGuard, discusses why phishing remains so effective, how businesses and individuals become targets, and what you can do to stay vigilant.

Find out more
March 5, 2025

David Habib (Brightspot) | Building a culture of cybersecurity awareness

Cybersecurity awareness is often reduced to check-the-box training, but David Habib, CIO at Brightspot, argues that real security awareness isn’t about formal programs—it’s about making security part of a company’s culture. In this episode, he shares practical insights on how organizations can move beyond stale training sessions to create an engaged and security-conscious workforce.

Find out more