The notorious NoEscape ransomware group has recently targeted an institution of vital importance – the Oswaldo Cruz Foundation, commonly known as Fiocruz. The group claims to have successfully breached Fiocruz’s security defenses, gaining access to a staggering 500GB of sensitive organizational data.
The Fiocruz data breach was made public through a post on the dark web channel associated with the cybercriminal collective. Fiocruz, a renowned research institution headquartered in Blumenau, Santa Catarina, Brazil, is a significant hub for technological advancements in immunobiology.
Home to the Institute of Technology in Immunobiology, commonly referred to as Bio-Manguinhos, Fiocruz plays a pivotal role in developing immunobiological solutions that address pressing public health challenges.
Fiocruz data breach explained
The impact of this Fiocruz data breach is far-reaching, as the primary servers of Fiocruz have been compromised and subjected to encryption by the NoEscape ransomware group. Astonishingly, despite the evidence, the organization’s management, led by Paulo Gadelha and Mauricio Zuma, initially refuted any compromise.
Unfortunately, the group has gained possession of an extensive array of sensitive data amounting to about 500GB.
The pilfered information from the Fiocruz data breach encompasses a range of critical documents, including backups, databases, projects, certificates, legal documents, financial records, sensitive human resources data, and even reports related to sexual harassment.
The Cyber Express reached out to the company to learn more about the Fiocruz data breach. However, at the time of writing this, no official response or statement has been shared — leaving speculation about the claims for Fiocruz data breach.
NoEscape ransomware group’s Modus Operandi
The Fiocruz data breach by the NoEscape Ransomware Group has highlighted the group’s sophisticated operational methods. Unlike many other cybercriminal factions that rely on third-party tools, this ransomware collective stands out by employing its own self-developed C++-based ransomware, showcasing their uniqueness in the cyber threat landscape.
The unveiling of the NoEscape Ransomware-as-a-Service (RaaS) initiative, discovered by Cyble Research & Intelligence Labs (CRIL), sheds further light on the group’s aggressive approach. This program, which emerged in online cybercrime forums, serves the purpose of enlisting affiliates to expand the reach of their illicit endeavors.
How does the NoEscape ransomware group attack?
Firstly, it utilizes a hybrid encryption technique, employing both ChaCha20 and RSA encryption algorithms. This dual-layered approach ensures the security of both files and encryption keys.
Furthermore, the ransomware is engineered to function effectively even within Windows Safe Mode, circumventing security tools and successfully encrypting files after rebooting compromised systems.
Additionally, the NoEscape Ransomware employs advanced strategies, such as asynchronous LAN scanning, to identify potential vulnerabilities.
This enables lateral movement and evasion within networks, significantly complicating detection efforts. The ransomware also employs shared encryption, using a single key to encrypt all files across a network, streamlining the encryption process.
To maintain the anonymity of Bitcoin transactions, NoEscape integrates an undisclosed method, making it challenging to trace financial activities.
Moreover, the ransomware boasts wide compatibility, functioning across various systems, from Windows XP to Windows 11, Linux distributions, and VMware ESXi. It offers configurable modes that allow attackers to customize the encryption process.
Following a successful breach, the NoEscape Ransomware Group implements a triple-extortion technique. This involves encrypting the victim’s data, demanding a ransom payment, and, if left unpaid, threatening to sell or publish the compromised data. This multi-pronged approach amplifies the pressure on victims to comply with their demands.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
