[Virus/Malware Activity Report: NoEscape Ransomware]

In response to a breach believed to be in the form of NoEscape ransomware,
we would like to confirm the situation and provide a warning as follows.

NoEscape ransomware

The ransomware in question is called NoEscape and has a file name.extension. It appears that all files are being changed to CGFBGEFJEJ.

How it works

file version

[Figure 1 Ransomware executable file compiler information]

[Figure 2 File information in window properties]

Ransomware operation characteristics

• It is built based on C++ and prevents users from recovering data after an attack by executing several commands such as deleting shadow copies / deleting system state backup / disabling the Windows restore function / disabling the error notification function after the first run, and stopping data-related services. I see it. After the encryption attack, the ransomware is copied to AppdataRoaming, executed additionally, and then the desktop is changed.

  
  [Figure 3 Dynamic code contents that batch copy the contents to use the command]

  
  [Figure 4 Dynamic code content that stops data-related services]

  
  [Figure 5 Executable file and desktop image created in the Roaming folder]

Infection results

The desktop is changed, and HOW_TO_RECOVER_FILES.txt is created in each folder location. When encrypting <file name.extension. Change files with CGFBGEFJEJ>.

[Figure 6 Infection results]

White Defender compatible

It supports real-time automatic restoration of files that will be encrypted before the malicious actions and blocking of White Defender ransomware.

[Figure 7 Block message]

Watch the NoEscape blocking video