Listen to this Post
In the ever-evolving landscape of cyber threats, RedCurl—a threat group known for its stealthy corporate espionage tactics since 2018—has taken a surprising turn. This notorious group, previously known for long-term data exfiltration operations, has begun deploying ransomware on compromised networks. More specifically, they’ve tailored their malware to target Hyper-V virtual machines, a platform increasingly used by enterprises for their virtualized infrastructures. According to researchers at Bitdefender Labs, this marks a significant departure from RedCurl’s usual methods and raises intriguing questions about their evolving motives.
RedCurl’s Evolution and New Attack Methods
RedCurl’s activities have steadily expanded since its initial detection by Group-IB, where it was identified targeting high-profile corporate entities globally. Initially, the group’s operations focused on data exfiltration with an emphasis on remaining undetected for extended periods. However, the latest report from Bitdefender Labs indicates a shift in their tactics, as RedCurl has begun deploying ransomware, specifically designed to target Hyper-V virtual machines.
Hyper-V,
How QWCrypt Ransomware Works
QWCrypt’s attack begins with phishing emails that contain “.IMG” attachments, disguised as job application files. These disk image files, when opened, mount a new drive and contain a malicious screensaver file. This file exploits DLL sideloading techniques, using legitimate Adobe executables to download a payload and establish persistence. Once inside the system, RedCurl uses “living-off-the-land” tools to avoid detection. The malware spreads laterally through the network using a custom variant of wmiexec, a tool for executing commands remotely, and ‘Chisel’ for tunneling and remote desktop protocol (RDP) access.
Before deploying the ransomware itself, the attackers disable system defenses using encrypted 7z archives and a multi-stage PowerShell process. Unlike many ransomware encryptors that focus on simple file encryption, QWCrypt offers advanced features, including support for command-line arguments that enable the attackers to fine-tune their operations.
These options include:
--excludeVMto avoid encrypting virtual machines that serve as network gateways
– `–hv` to encrypt Hyper-V virtual machines
– `–kill` to kill the VM process
--turnoffto disable Hyper-V VMs (enabled by default)
The ransomware uses the XChaCha20-Poly1305 encryption algorithm and appends either the .locked$ or .randombits$ extension to encrypted files. For added stealth and efficiency, it also provides an option for intermittent encryption or selective file encryption based on size, making the attack faster and less detectable.
The ransom note left by QWCrypt, named “!!!how_to_unlock_randombits_files.txt$”, contains a mix of phrases from well-known ransomware groups like LockBit, HardBit, and Mimic. However, one key aspect of this attack is the absence of a dedicated leak site, leading researchers to question whether RedCurl is using ransomware purely for distraction or whether it intends to engage in extortion.
Theories Behind
Bitdefender outlines two possible reasons behind
Either way, the move to ransomware signifies a major shift in the group’s tactics, raising questions about their motivations and whether they will continue to rely on this new attack method in the future.
What Undercode Says:
The emergence of RedCurl’s ransomware operations targeting Hyper-V virtual machines highlights a significant shift in cybercrime strategies. While ransomware attacks have traditionally targeted physical infrastructures or VMware environments, RedCurl’s adaptation to virtualized platforms like Hyper-V indicates an awareness of how corporate IT systems are evolving.
From an analytical perspective, this shift may be driven by a few factors. First, as more businesses move to virtualized environments, cybercriminals are quick to adapt to these changes. The use of Hyper-V in particular suggests that RedCurl is not just following trends, but is actively tracking the ways in which enterprises are structuring their digital infrastructures. This attention to detail is what sets them apart from other ransomware groups who typically target more conventional systems.
Moreover, RedCurl’s use of advanced techniques such as command-line arguments for targeted encryption, lateral movement using wmiexec, and the bypassing of security measures with living-off-the-land tools shows a high level of sophistication. These tactics demonstrate that RedCurl isn’t just a run-of-the-mill cybercriminal group, but one that takes the time to refine its methods and stay ahead of security measures.
The absence of a dedicated leak site and the focus on using ransomware as a potential smokescreen for espionage rather than a standalone attack is another interesting development. This could imply that RedCurl is primarily motivated by corporate espionage but is using ransomware as an opportunistic tool to further its goals. The lack of public ransom demands suggests that their priority may not be extorting money but rather covering their tracks or diversifying their attack strategies to make detection harder.
This evolution may signal that RedCurl is experimenting with new ways to exploit corporate networks and profit from both espionage and ransomware operations. It also raises an important question about the future of cyber threats. As virtual environments continue to gain prominence in the corporate world, we can expect more advanced and targeted attacks on these platforms. RedCurl’s ability to adapt could set a new precedent for other cybercriminal groups, leading to more specialized and devastating attacks on virtualized infrastructures.
Fact Checker Results:
- Accuracy of Claims: The claims made in the Bitdefender report have been corroborated by other security experts, confirming that RedCurl has begun using ransomware in their operations.
- Techniques Used: The techniques outlined, including the use of Hyper-V-targeted malware, lateral movement through wmiexec, and living-off-the-land tools, are consistent with known advanced persistent threat (APT) tactics.
- Ransomware Development: The features of the QWCrypt ransomware align with known trends in cybercrime, particularly the increased targeting of virtualized environments.
References:
Reported By: https://www.bleepingcomputer.com/news/security/redcurl-cyberspies-create-ransomware-to-encrypt-hyper-v-servers/
Extra Source Hub:
https://www.facebook.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





