RedCurl Hacking Group Transitions to Ransomware Tactics, Raising Alarm Among Cybersecurity Experts

The notorious Russian-speaking hacking group known as RedCurl has reportedly shifted its focus from corporate espionage to deploying ransomware, a significant change that raises concerns within the cybersecurity community. This development has been linked to a new strain of ransomware identified as QWCrypt, making it RedCurl’s first engagement in ransomware campaigns.

According to findings by Romanian cybersecurity firm Bitdefender, RedCurl has a history of targeting multinational organizations in countries including Canada, Germany, and the United States, using spear-phishing emails that typically rely on human resources-themed lures to gain initial access. Previously focused on espionage, the group now appears to be adopting more aggressive tactics aimed at maximum impact with minimal effort.

Recent reports indicate that RedCurl’s tactics include a multi-stage infection process that begins with seemingly benign ISO files disguised as CVs. Once the victim opens the ISO and runs its contents, a Windows executable is used to load further malicious components without drawing attention. This approach allows RedCurl to remain stealthy while gathering sensitive information before ultimately executing the ransomware component.

Experts note that the new ransomware attacks, which encrypt virtual machines hosted on hypervisors, can severely disrupt an organization’s infrastructure by rendering its services inoperable. Notably, the ransom notes left by QWCrypt mirror those used by other notorious ransomware groups, raising questions about the possible motivations behind RedCurl’s pivot to ransomware.

For more details, visit [Bitdefender’s blog](https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive), [Hacker News](https://www.hackernews.com), and reports from [Huntress](https://www.huntress.com/blog/the-hunt-for-redcurl-2) and [eSentire](https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt).