
Evasive NoEscape Ransomware Uses Reflective DLL Injection

Cyble Research and Intelligence Labs analyzes the NoEscape Ransomware-as-a-Service platform and explains how it targets VMware ESXi servers.

New Ransomware-as-a-Service (RaaS) Targeting VMware ESXi Servers

Cyble Research & Intelligence Labs (CRIL) recently observed a new Ransomware-as-a-Service (RaaS) program called ‘NoEscape’ being advertised on a cybercrime forum towards the end of May 2023. Its operators were actively recruiting affiliates. CRIL shared the details of that discovery in a recent blog post.

Following that, EVIL RABBIT, a security researcher on Twitter (@D4RKR4BB1T47), shared a tweet with a screenshot of the dashboard panel used by the NoEscape ransomware group.

The figure below shows the post by security researcher EVIL RABBIT.

Figure 1 – NoEscape RaaS Affiliate Panel (Source: EVIL RABBIT)

Alongside the dashboard, the researcher also shared screenshots of the RaaS builder page and samples built with it. The NoEscape affiliate site offers several build targets: EXE and DLL payloads for Windows 7 and later, a reflective-DLL-injection variant for Windows 7 and later, an EXE for Windows XP, and an ELF binary for Linux/ESXi servers. The builder lets the affiliate customize each build by setting the ransomware name, the key name, a comment, the ransom amount, and the timer type (none, double, or leak).

According to the screenshot, the platform lets an affiliate either use a single encryption key for all binaries or generate a distinct key for each binary, so key management can be tailored to the affiliate's own campaigns.

The builder also exposes operational settings: the size above which a file is treated as large and only partially encrypted instead of encrypted in full, the primary path to encrypt, paths to skip, the services and processes to terminate, autorun (persistence) entries, automatic opening of the ransom note, and replacement of the desktop wallpaper on infected systems.

The figure below shows the NoEscape ransomware builder page.

Figure 2 – NoEscape RaaS Executable Builder Page Screenshot (Source: EVIL RABBIT)

Technical Details

Windows Variant

The sample analyzed here has SHA256 68ff9855262b7a9c27e349c5e3bf68b2fc9f9ca32a9d2b844f2265dccd2bc0d8. It is a 32-bit GUI executable compiled with Microsoft Visual C/C++.

Figure 3 – File details

Upon execution, the ransomware first creates a mutex named “Global\{5d202e6e-b33a-4833-abfb-2391bc075089}” so that only a single instance of the malware runs on the victim’s system.

UAC Bypass

After creating the mutex, the ransomware modifies two registry values that weaken User Account Control (UAC). UAC normally asks the user for consent or administrator credentials before an action that changes system settings or files is allowed to run elevated. Both values live under HKLM and can only be written by a process that already holds administrative rights, so the change does not grant the sample privileges it lacks; what it does is remove the consent prompt for subsequent elevations on the host (and, once the system reboots with EnableLUA cleared, UAC altogether), so later stages and attacker tooling run without the user ever being asked.

EnableLUA

Setting EnableLUA to “0” turns UAC off on the target system; the Windows default is “1”. Windows only applies this particular change after a reboot.

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = “0”

ConsentPromptBehaviorAdmin

ConsentPromptBehaviorAdmin is set to “0”, which means “elevate without prompting”: members of the Administrators group are no longer asked for consent or credentials when a program requests elevation. The Windows 7+ default is “5” (prompt for consent for non-Windows binaries).

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = “0”

Kill Processes/Services

After weakening UAC, the ransomware terminates a list of processes if they are running, including 360doctor, GDscan, RTVscan, Apache, CCleaner and OneDrive, so that files they hold open can be encrypted and so that security tooling does not interfere.

The figure below shows the list of process names targeted by the NoEscape ransomware.

Figure 4 – List of Processes to Terminate

It then stops a list of services, including culserver, SQL, SQL Server, sophos, vmware-converter and VSS (the Volume Shadow Copy service).

The below figure shows the list of services targeted by the ransomware by service name.

Figure 5 – List of Services to Stop

Before encryption, the ransomware enumerates the accessible volumes on the system with FindFirstVolumeW() and FindNextVolumeW(), then drops a ransom note named “HOW_TO_RECOVER_FILES.txt” into multiple directories.

Once the ransom note is in place, the malware walks directories with FindFirstFileW() and FindNextFileW() to select files for encryption, skipping the file extensions and folder names listed below.

Figure 6 – Directory names and file extensions excluded by NoEscape ransomware

Encryption

For file encryption, the ransomware acquires a CryptoAPI context for the “Microsoft Enhanced RSA and AES Cryptographic Provider” with CryptAcquireContextW(), loads a key with CryptImportKey(), sets key parameters with CryptSetKeyParam(), and encrypts file contents with CryptEncrypt().

By relying on the operating system's own cipher implementation rather than a home-grown one, the ransomware avoids the implementation mistakes that sometimes allow recovery without the key; the victim's files stay locked unless the operators' key is obtained.

Figure 7 – File Encryption

Next, the malware renames each encrypted file with the extension “.CCBDFHCHFD”, replacing the original file via the MoveFileExW() API, as shown below.

Figure 8 – MoveFileW() API

The image below shows files on a victim machine after NoEscape has encrypted them.

Figure 9 – Files encrypted by NoEscape Ransomware

Delete System Backups & Shadow Copies

The ransomware also runs a series of commands that delete volume shadow copies and Windows backups and disable the recovery environment, removing the on-host copies a victim could otherwise restore from.

Command | Description
wmic SHADOWCOPY DELETE /nointeractive | Deletes every volume shadow copy through WMI without prompting. It overlaps with the vssadmin command below; running both covers the case where one tool is missing or blocked.
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest | Deletes the oldest system state backup. System state backups hold the registry, the COM+ class registration database, and boot and system files.
wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 | -keepVersions:N keeps the N most recent system state backups; with 0, every remaining system state backup is deleted.
wbadmin DELETE BACKUP -deleteOldest | Deletes the oldest regular (file and volume) backup.
wbadmin DELETE BACKUP -keepVersions:0 | Deletes every remaining regular backup, for the same reason as above.
vssadmin Delete Shadows /All /Quiet | Deletes all shadow copies (volume snapshots) on all volumes without prompting.
bcdedit /set {default} recoveryenabled No | Edits the boot configuration data (BCD) of the default boot entry to stop the Windows Recovery Environment from being launched automatically on startup.
bcdedit /set {default} bootstatuspolicy ignoreallfailures | Tells the boot loader to ignore boot, shutdown and checkpoint failures instead of offering recovery options, so the machine keeps booting into its encrypted state.

The figure below shows the sequence in which the ransomware executes these commands.

Figure 10 – Commands executed to delete shadow copies and system backups
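The two host-side behaviours described above, the UAC policy writes and the recovery-inhibiting commands, are both cheap to detect from endpoint telemetry. The script below is an added example, not NoEscape code and not a Cyble tool: it triages a stream of constructed Sysmon-like records (EventID 13 registry value set, EventID 1 process create, not real logs) and flags writes that move EnableLUA or ConsentPromptBehaviorAdmin away from their Windows defaults, plus command lines matching the vssadmin, wmic, wbadmin and bcdedit invocations listed in the table. The payload path in the sample is a placeholder.

```python
"""Triage endpoint events for two NoEscape behaviours described above: the
UAC policy writes (EnableLUA / ConsentPromptBehaviorAdmin set to 0) and the
shadow-copy and backup deletion commands (ATT&CK T1490).

Added example, not NoEscape code and not a Cyble tool. The records in
SAMPLE_EVENTS are constructed in a simplified Sysmon-like shape
(EventID 13 = registry value set, EventID 1 = process create); they are
not real telemetry, and the payload path is a placeholder."""
import re

# Windows defaults (Windows 7 and later) for the two values the sample
# overwrites: EnableLUA=1 keeps UAC on; ConsentPromptBehaviorAdmin=5 prompts
# administrators for consent when a non-Windows binary elevates (0 = elevate
# silently). Writing under this key already requires administrative rights,
# so a hit is a post-elevation indicator rather than evidence of a bypass.
UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_EXPECTED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5}

# Recovery-inhibiting command lines. Matching is case-insensitive and allows an
# .exe suffix or a full path in front of the tool name.
RECOVERY_PATTERNS = [(label, re.compile(rx, re.I)) for label, rx in (
    ("vssadmin deletes shadow copies", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("wmic deletes shadow copies", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("wbadmin deletes backups", r"wbadmin(\.exe)?\s+delete\s+(systemstatebackup|backup|catalog)"),
    ("bcdedit disables recovery environment",
     r"bcdedit(\.exe)?\s+/set\s+\{[^}]+\}\s+recoveryenabled\s+no"),
    ("bcdedit ignores boot failures",
     r"bcdedit(\.exe)?\s+/set\s+\{[^}]+\}\s+bootstatuspolicy\s+ignoreallfailures"),
)]


def normalize_key(path: str) -> str:
    """Map 'Computer\\HKEY_LOCAL_MACHINE\\...' and 'HKLM\\...' to one spelling."""
    return re.sub(r"^(computer\\)?(hkey_local_machine|hklm)\\", r"HKLM\\", path, flags=re.I)


def dword_value(details: str):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000000)'; return it as an int."""
    m = re.search(r"DWORD\s*\(0x([0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None


def triage(events):
    """Return one finding per event that matches either behaviour."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            key, _, value = ev["TargetObject"].rpartition("\\")
            if normalize_key(key).lower() != UAC_POLICY_KEY.lower() or value not in UAC_EXPECTED:
                continue
            written = dword_value(ev["Details"])
            if written != UAC_EXPECTED[value]:
                findings.append({"technique": "T1562.001", "image": ev["Image"],
                                 "detail": f"{value} set to {written} (default {UAC_EXPECTED[value]})"})
        elif ev["EventID"] == 1:
            for label, pat in RECOVERY_PATTERNS:
                if pat.search(ev["CommandLine"]):
                    findings.append({"technique": "T1490", "image": ev["Image"], "detail": label})
                    break
    return findings


# Constructed sample stream (not real logs). The payload path is a placeholder.
PAYLOAD = r"C:\Users\victim\Downloads\payload.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": PAYLOAD, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "Image": PAYLOAD, "Details": "DWORD (0x00000000)",
     "TargetObject": r"Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",  # benign: a Run key, not UAC policy
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": CMD, "CommandLine": "vssadmin Delete Shadows /All /Quiet"},
    {"EventID": 1, "Image": CMD, "CommandLine": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"EventID": 1, "Image": CMD, "CommandLine": "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"},
    {"EventID": 1, "Image": CMD, "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"EventID": 1, "Image": CMD, "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"EventID": 1, "Image": CMD, "CommandLine": "vssadmin list shadows"},  # benign: listing only
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["technique"], "|", f["detail"], "|", f["image"])
```

Writing the defaults back (for example EnableLUA=1 by a policy refresh) produces no finding, and listing shadow copies is deliberately not matched; only the delete and recovery-disable forms are. In production the registry rule should be scoped to non-system images, since Group Policy processing legitimately touches the same key.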

Ransom Note

Finally, the ransom note dropped on the system tells victims how to contact the NoEscape group and walks them through the steps for negotiating the ransom payment.

Figure 11 – NoEscape Ransom note

Linux Variant

The NoEscape Linux variant consists of three files: “script_linux.sh”, “script_esxi.sh” and “164f8295_linux.elf”. The two shell scripts orchestrate the attack on Linux hosts and ESXi servers respectively; the ELF is the encryptor they invoke.

Ransomware Targeting Linux Machines

The “script_linux.sh” script drives the ransomware payload “164f8295_linux.elf” on a Linux machine: it enumerates the files under a specified (or a generic default) path and runs the payload once for each file it finds.

The figure below shows the contents of “script_linux.sh”.

Figure 12 – Content of script_linux.sh

The script “script_linux.sh” defines the following functions:

SetLimits() – Raises the resource limits of the running shell, specifically the maximum number of open file descriptors and the maximum number of processes, so that spawning one encryptor process per file does not hit the default limits.

EmptyTrash() – Deletes all files and directories in the user’s trash folder before encryption starts, so that previously deleted files cannot be restored from there afterwards.

ExecPayload() – Executes the ransomware payload “164f8295_linux.elf”, passing the path of the file to encrypt as its argument.

ScanPath() – Finds every file under the given directory and its subdirectories and calls ExecPayload() on each, which starts the encryption.

WaitPayload() – Polls the number of running instances of the payload executable and returns only when that count reaches zero, so that every file has been encrypted before the script moves on.

Cleanup() – Runs after encryption. It removes log files and temporary files from the root directory and deletes the payload, the script itself and the ransom note (index.html), reducing the forensic artifacts left on the compromised system.

Ransomware Targeting VMware ESXi Servers

The “script_esxi.sh” script automates execution of the same payload, “164f8295_linux.elf”, on ESXi servers. It targets specific paths, namely the NFS volumes and the VM volumes mounted on the host, and encrypts the files found under them.

The figure below shows the contents of “script_esxi.sh”.

Figure 13 – Content of script_esxi.sh

The script “script_esxi.sh” defines the following functions:

StopVMS() – Stops the virtual machines running on the ESXi host. It lists the VM processes with esxcli and forcibly kills them, then kills any remaining VM-related processes. Stopping the VMs releases the locks on their disk files so they can be encrypted.

ScanNFS() – Retrieves the list of NFS volumes with esxcli, iterates over each volume to find files, and calls ExecPayload() on every file found.

ScanVMS() – Retrieves the list of VM volumes with esxcli and searches each for the files that make up a virtual machine: .nvram, .vmdk, .vmem, .vmsd, .vmsn, .vmss, .vmx, .vmxf and .vswp. For each file found it calls ExecPayload() to encrypt it.

Deface() – Replaces the “index.html” and “motd” files with ransom notes, so the ransom demand is shown in the host's web landing page and on shell login.

Post() – Modifies system files such as crontab entries and configuration files to further disrupt the host and hinder recovery.
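The ESXi script leaves a recognisable trail in the host's shell history: VMs killed, datastores listed, a find over VM file extensions, then index.html and motd overwritten. The script below is an added example, not part of the NoEscape scripts and not a Cyble tool. It parses lines in the shape of ESXi /var/log/shell.log ("<timestamp> shell[<pid>]: [<user>]: <command>"; that format, the PIDs, the full ransom-note paths and the command text in the sample are all assumptions), assigns each command to one of the StopVMS / ScanNFS-ScanVMS / Deface stages, and reports sessions that hit more than one stage, since any single stage has a benign explanation but the chain inside one session does not.

```python
"""Hunt ESXi shell history for the StopVMS -> ScanNFS/ScanVMS -> Deface chain
that script_esxi.sh automates.

Added example, not part of the NoEscape scripts and not a Cyble tool. The
lines in SAMPLE_SHELL_LOG are constructed in the shape of ESXi
/var/log/shell.log ("<timestamp> shell[<pid>]: [<user>]: <command>"); that
format, the PIDs, the note paths and the exact command text are assumptions.
index.html and motd are matched by basename because the page does not give
their full paths."""
import re
from collections import defaultdict

SHELL_LINE = re.compile(r"^(\S+)\s+shell\[(\d+)\]:\s+\[([^\]]+)\]:\s+(.*)$")
VM_EXTENSIONS = (".nvram", ".vmdk", ".vmem", ".vmsd", ".vmsn", ".vmss", ".vmx", ".vmxf", ".vswp")

# Stage name and a predicate over the command text, in the order the script runs them.
STAGES = (
    ("stop_vms", lambda c: re.search(r"esxcli\s+vm\s+process\s+kill", c, re.I) is not None),
    ("enumerate_datastores",
     lambda c: re.search(r"esxcli\s+storage\s+(nfs|filesystem)\s+list", c, re.I) is not None),
    ("scan_vm_files", lambda c: c.lstrip().startswith("find ") and any(ext in c for ext in VM_EXTENSIONS)),
    ("deface", lambda c: re.search(r"(>|\bcp\b|\bmv\b).*(index\.html|/motd)\b", c) is not None),
)


def parse_shell_log(lines):
    """Yield {ts, pid, user, cmd} for each line that matches the shell.log shape."""
    for line in lines:
        m = SHELL_LINE.match(line)
        if m:
            ts, pid, user, cmd = m.groups()
            yield {"ts": ts, "pid": int(pid), "user": user, "cmd": cmd}


def stages_per_session(events):
    """Group by shell PID (one interactive session) and record the stages it hit, in order."""
    seen = defaultdict(list)
    for ev in events:
        for name, hit in STAGES:
            if hit(ev["cmd"]) and name not in seen[ev["pid"]]:
                seen[ev["pid"]].append(name)
    return dict(seen)


def suspicious_sessions(stages, min_stages=2):
    """Sessions that hit at least min_stages distinct stages, most complete first.

    An admin killing a hung VM or listing NFS mounts hits one stage; the
    combination of stages inside a single session is what marks the script."""
    hits = [(pid, names) for pid, names in stages.items() if len(names) >= min_stages]
    return sorted(hits, key=lambda item: -len(item[1]))


# Constructed shell history (not real logs). Two sessions: one running the
# full chain, one doing routine datastore inspection.
SAMPLE_SHELL_LOG = """\
2023-06-05T10:20:51Z shell[2100112]: [root]: esxcli vm process list
2023-06-05T10:20:53Z shell[2100112]: [root]: esxcli vm process kill --type=force --world-id=2099501
2023-06-05T10:20:55Z shell[2100112]: [root]: esxcli storage nfs list
2023-06-05T10:20:57Z shell[2100112]: [root]: find /vmfs/volumes/ -type f -name "*.vmdk" -o -name "*.vmx"
2023-06-05T10:31:02Z shell[2100112]: [root]: cp /tmp/note.html /usr/lib/vmware/hostd/docroot/index.html
2023-06-05T10:31:03Z shell[2100112]: [root]: cp /tmp/note.txt /etc/motd
2023-06-05T09:02:10Z shell[2099880]: [root]: esxcli storage nfs list
2023-06-05T09:02:40Z shell[2099880]: [root]: vim-cmd vmsvc/getallvms
"""

if __name__ == "__main__":
    sessions = stages_per_session(parse_shell_log(SAMPLE_SHELL_LOG.splitlines()))
    for pid, names in suspicious_sessions(sessions):
        print(f"shell pid {pid}: {' -> '.join(names)}")
```

Because the script runs non-interactively, commands may also appear under a single PID within seconds of each other; the time span between the first and last stage of a flagged session is a useful second signal when tuning this on a real host.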

Linux Ransomware Payload

The file “164f8295_linux.elf” (SHA256: 21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da) is the encryptor. Upon execution it encrypts files with the ChaCha20 algorithm. Large files are not encrypted in full but in smaller chunks; the affiliate sets both the size above which a file counts as large and the size of the portion to encrypt in the RaaS panel when building the binary. This trades completeness for speed, and it means that parts of a large file remain in plaintext after the attack.

The figure below shows the code the ransomware uses to check a file's size and encrypt large files in chunks.

Figure 14 – Validating and Encrypting Larger Files

Finally, the ransomware drops a ransom note named “HOW_TO_RECOVER_FILES.txt” that tells victims how to reach the threat actors to pay the ransom and recover their encrypted files.

Figure 15 – Ransom Note

Conclusion

NoEscape RaaS is a new ransomware operation that is recruiting affiliates on dark web forums with the promise of profits. Our analysis of the Windows and Linux executables shows that it can hit both Windows estates and Linux/ESXi infrastructure, so it poses a threat to organizations of all types. As the group is relatively new, its tools and tactics are likely to evolve as it pursues more targets.

We will maintain our vigilance in monitoring NoEscape RaaS, their tools, tactics, and procedures, in order to provide regular updates to our customers and readers in the future.

Our Recommendations

We have listed some essential cybersecurity practices that form the first line of control against attackers. We recommend that our readers follow the practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Back up regularly and keep those backups offline or on a separate network, since the on-host shadow copies and Windows backups are deleted by the ransomware itself
  • Turn on automatic software updates on computers, mobile devices and other connected devices wherever possible and practical
  • Use a reputable anti-virus and Internet security package on all connected devices, including PCs, laptops and mobiles
  • Refrain from opening untrusted links and email attachments without verifying their authenticity
  • Alert on the recovery-inhibiting commands (vssadmin, wmic shadowcopy, wbadmin, bcdedit) and on writes to the UAC policy values described above; both are rare in normal administration and precede encryption

Users Should Take the Following Steps After the Ransomware Attack

  • Isolate infected devices from the network
  • Disconnect any external storage devices that are attached
  • Inspect system logs for suspicious events

Impact of Ransomware

  • Loss of valuable data
  • Loss of the organization’s reputation and integrity
  • Loss of the organization’s sensitive business information
  • Disruption in organization operation
  • Financial loss

MITRE ATT&CK® Techniques

Tactic            Technique ID   Technique Name
Execution         T1059          Command and Scripting Interpreter
Execution         T1204          User Execution
Persistence       T1547.001      Registry Run Keys / Startup Folder
Discovery         T1083          File and Directory Discovery
Defense Evasion   T1070          Indicator Removal
Defense Evasion   T1562          Impair Defenses
Impact            T1486          Data Encrypted for Impact
Impact            T1490          Inhibit System Recovery

Indicators of Compromise (IOCs)

Indicators                                                         Indicator Type   Description
65f35ae4203cf5041a0aaa358dd3d74c                                   MD5              1ce30fbd_dll.dll
ea1f7940271fc80d06b2f222506020b650ad41bc                           SHA1             1ce30fbd_dll.dll
68e5caa3f0fd4adc595b1163bf0dd30ca621c5d7a6ad0a20dfa1968346daa3c8   SHA256           1ce30fbd_dll.dll
9ea0d4448472cdeeb290e8006e8b1e9b                                   MD5              06b91e4a_exe.exe
30f71a24c15dd81965b12996a79d914acf4f169e                           SHA1             06b91e4a_exe.exe
2cd1ca52a5d404176f0ec7debeceb4ba3c95b139061f86ac971195b02d854b0c   SHA256           06b91e4a_exe.exe
bd69a645fa69fd8d5ba56b9c3f468711                                   MD5              23cd1f01_exe.exe
12dc0a2de3ad30201107bfcb679de5acacf31e5c                           SHA1             23cd1f01_exe.exe
68ff9855262b7a9c27e349c5e3bf68b2fc9f9ca32a9d2b844f2265dccd2bc0d8   SHA256           23cd1f01_exe.exe
c850f6816459e3364b2a54239642101b                                   MD5              164f8295_linux.elf
30c60f18279ed5fd36e3ac2d3ba5ddbdc5d1f624                           SHA1             164f8295_linux.elf
21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da   SHA256           164f8295_linux.elf
473d65d1231ccdfa0099d463b09cf9b9                                   MD5              bd83e75f_dllreflinj.dll
9cbc7417fa5ce2f6d87026337fc7892e4f485819                           SHA1             bd83e75f_dllreflinj.dll
07c70968c66c93b6d6c9a90255e1c81a3b385632c83f53f69534b3f55212ced9   SHA256           bd83e75f_dllreflinj.dll
47ae17d89c2d9b6acdc7458f5df1c6f7                                   MD5              ca3ec998_xp.exe
d38c613020cb4616783c8535380e28404f7eaebf                           SHA1             ca3ec998_xp.exe
9d346518330eeefbf288aeca7b2b6243bc158415c7fee3f2c19694f0e5f7d51c   SHA256           ca3ec998_xp.exe
34de9725e232ba82275bb0dcf9282e16                                   MD5              script_esxi.sh
b17403e7dcb992ba8d2b56dd843406264d3910e5                           SHA1             script_esxi.sh
aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58   SHA256           script_esxi.sh
17d55dc09e2a3f10d4ee45156c2c53f1                                   MD5              script_linux.sh
317f296131b37a73c9a5d253015821dfdc8b1190                           SHA1             script_linux.sh
16d9e969457a76874e7452e687a7b6843c65ef75d1a4404d369074ad389f6c38   SHA256           script_linux.sh
