A notorious threat actor group known as RedCurl, recognized for its stealthy corporate espionage since 2018, has recently escalated its operations by employing a bespoke ransomware encryptor specifically aimed at Hyper-V virtual machines. This alarming shift in their tactics has drawn the attention of cybersecurity firm Bitdefender Labs, which has documented the group’s evolving approach to cyberattacks.
Originally identified for targeting corporate entities worldwide, RedCurl has expanded its operations, with an increased victim count reported. Previously, the group’s actions primarily involved data exfiltration and prolonged reconnaissance efforts. However, Bitdefender’s latest report reveals an unprecedented change in their methodology, with ransomware being deployed on compromised networks for the first time. “We’ve seen RedCurl stick to their usual playbook in most cases, continuing with data exfiltration over longer periods,” notes the report, highlighting the significance of this tactical evolution.
As businesses increasingly migrate their servers to virtual machines, ransomware groups have adapted by developing encryptors tailored to virtualization platforms. While many ransomware operations focus on VMware ESXi servers, RedCurl’s newly introduced “QWCrypt” ransomware exclusively targets virtual machines hosted on Microsoft’s Hyper-V. The attacks typically begin with phishing emails carrying .IMG attachments disguised as resumes, leading users to unwittingly execute the malicious payload.
Bitdefender’s research indicates that RedCurl employs refined techniques to maintain stealth and evade security systems. Recent attacks have used a custom wmiexec variant for lateral movement within networks and tunneling tools such as ‘Chisel’ for remote access. QWCrypt differs from typical ransomware in that it lets the attackers tailor the encryption, including excluding specific virtual machines from encryption to limit disruption. The possibility that this ransomware serves as a diversion raises a central question about RedCurl’s true motivations—whether they aim for financial gain, distraction, or both.
For further information on RedCurl’s previous espionage operations, you can refer to the reports by this link and this one. A detailed technical deep dive into the QWCrypt ransomware can be accessed through the Bitdefender report.