The NoEscape ransomware gang claims it has struck the International Joint Commission (IJC), a U.S.-Canadian body that oversees the shared lake and river systems along the border between the two countries.
On its data leak site, the gang claims to have copied 80GB of commission data, including confidential and legal documents as well as personal information of commission employees, and is threatening to release them unless it is paid.
The U.S. and Canadian offices of the commission were asked Monday evening for comment. No response was received by press time Tuesday morning.
Members of the IJC are appointed by Washington and Ottawa, although they are expected to act independently of their governments. The agency’s job is to prevent and resolve disputes between the two countries under the 1909 Boundary Waters Treaty, but it also reports on air pollution.
“The IJC network was successfully encrypted and compromised,” the gang’s statement says. “We have 80 GB of data, namely: Confidential documents, legal documents, personal information of members and employees, memorandum, conflict of interest documents, hundreds of contracts, geological documents, banking, finance, insurance and much other confidential and sensitive information.
“If management continues to remain silent and does not take the step to negotiate with us, all data will be published. We have more than 50,000 confidential files, and if they become public, a new wave of problems will be colossal. For now we will not disclose this data or operate with it. But if you continue to lie further you know what awaits you.
“Assign a person to the position of negotiator and tell him to contact us. We will explain everything and help solve this problem.
“Time is running out”
A copy of the notice was posted Monday on X by Brett Callow, a British Columbia-based threat researcher for Emsisoft.
The commission publishes a number of publicly available documents such as annual reports, reports of public meetings, maps, and recommendations on keeping waters between the two countries clean for people and fish.
According to researchers at Quorum Cyber, NoEscape is a ransomware-as-a-service operation that was announced May 22 on dark web forums. The gang has an affiliate program that allows approved third parties to install NoEscape on IT systems for a fee. According to researchers at SentinelOne, an affiliate gets 90 per cent of any collected ransom over US$3 million. The split varies with the ransom paid: if the ransom paid is US$1 million, the affiliate gets 80 per cent.
Affiliates have access to a management panel that allows them to monitor and manipulate their ransomware campaigns, SentinelOne says. The panel offers automated updates to the gang’s TOR-based leak blog, a private chat room for communicating with victims, several communications channels, and 24/7 support if the affiliate buys a software licence.
The gang claims its code has been written from scratch, without recycling code from previous malware samples or ransomware products. But according to a report on Bleeping Computer, NoEscape is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021.
According to a ransomware report released last week by the U.K. National Cyber Security Centre, most ransomware incidents are not targeted, but are the result of a threat actor taking advantage of an opportunity — for example, discovering an organization has an unpatched server or buying a stolen or cracked password from another threat actor.
“Most ransomware incidents are not due to sophisticated attack techniques,” the report adds, “but are usually the result of poor cyber hygiene. That’s not to say that victims did not take cyber security seriously; modern IT estates are exceptionally complex, particularly for organizations that have undergone acquisitions and mergers, and security controls can be difficult to implement effectively across complex environments.
“Poor cyber hygiene can include unpatched devices, poor password protection, or lack of multi-factor authentication (MFA). Remedying these are not silver bullets, but implementing such measures would interrupt the majority of ransomware attacks. MFA in particular is often not in place, which enables many ransomware attacks to be successful.”