It’s a new threat but federal cybersecurity officials say they are concerned by the group’s apparent willingness to attack health organizations.
Federal cybersecurity officials are warning about a new ransomware group that could be an emerging threat to the health sector.
The group has an ominous name, NoEscape, and operates as a ransomware-as-a-service group, offering its services to other bad actors, according to an advisory from the Health Sector Cybersecurity Coordinating Center, dubbed HC3.
NoEscape first emerged in May, and it has targeted a number of industries, including the health sector. While officials say the group has only targeted two health organizations, they add that its willingness to go after the health sector is a worrisome sign.
Victims have been given ransom demands ranging from hundreds of thousands of dollars to more than $10 million, federal officials say.
NoEscape ransomware demands ranged from hundreds of thousands of dollars to over $10 million, according to HC3, an agency within the U.S. Department of Health and Human Services.
The group is believed to be a “rebrand” of Avaddon, a Russian-speaking ransomware gang that shut down in 2021, the HC3 advisory states. NoEscape has employed “aggressive multi-extortion tactics,” according to the advisory.
“NoEscape may be new to the cyber threat landscape, but … it has proven to be a formidable adversary,” the advisory states.
NoEscape typically leaves a ransom note on the computer of its victims informing them that the group has hacked into their system. The note then gives instructions on how the victims can contact the group.
If NoEscape is able to get inside an organization’s system, the advisory warns that it “will almost certainly result in the encryption and exfiltration of significant quantities of data.”
Given the high value of patient health information, HC3 says, “The healthcare industry will remain a viable target.”
After a brief but welcome dip earlier in the year, hospitals and health systems have seen an uptick in ransomware attacks in 2023. In the first half of the year, more than 220 cyberattacks have targeted hospitals and health systems, according to the American Hospital Association.
Analysts expect that 2023 could be a record-setting year in terms of the number of victims of data breaches. More than 40 million Americans were affected by breaches during the first half of the year, according to Critical Insight, a cybersecurity firm. By comparison, a record 58 million people were impacted by breaches in all of 2021.
Federal authorities and most cybersecurity experts strongly advise health systems and hospitals against paying ransom demands. However, many cybersecurity experts acknowledge hospitals face a difficult decision when dealing with an attack threatening patient care.
In addition to the prospect of potential harm to patients, hospitals face enormous costs in cyberattacks, in terms of restoring services and lost revenue. The cost of the average health data breach has risen to nearly $11 million, according to an analysis by IBM Security.
Several cybersecurity analysts spoke with Chief Healthcare Executive® recently about new and developing threats for health systems.