RedCurl, a cyber espionage group active since 2018, has shifted its tactics by deploying ransomware for the first time. Previously, the group focused on corporate espionage, using spear-phishing emails to infiltrate networks and exfiltrate data. Their most recent activity, discovered by Bitdefender, involves the deployment of QWCrypt ransomware targeting Hyper-V virtual machines. This marks a significant evolution in their operations, as they now aim to encrypt virtual environments, disrupting entire infrastructures.
The attack sequence starts with phishing emails containing disguised .IMG attachments. These files, when opened, mount a disk image that contains a malicious file disguised as a screensaver. The file uses DLL sideloading to execute malware, which then establishes persistence on the system through scheduled tasks. The attackers use “living-off-the-land” techniques, leveraging existing Windows tools like wmiexec for lateral movement across the network, avoiding detection by traditional security tools.
Once inside the network, RedCurl uses QWCrypt ransomware to encrypt virtual machines hosted on Hyper-V servers. The ransomware allows for precise targeting through command-line arguments, including options to exclude specific VMs and control encryption settings. The encryption process uses the XChaCha20-Poly1305 algorithm and appends either .locked$ or .randombits$ extensions to files. The ransom note left behind is a mix of text from other ransomware groups, raising questions about whether this is a true extortion attempt or a smokescreen for data theft.
Bitdefender speculates on two possible motives behind RedCurl’s new approach. One theory is that they have expanded into financially motivated ransomware attacks as mercenaries for hire, using ransomware to cover up data theft or generate revenue. The second theory suggests that RedCurl prefers to keep their extortion activities private, avoiding the public nature of ransom demands. Regardless of the motive, the deployment of ransomware represents a major shift in RedCurl’s modus operandi, signaling a potential escalation in their operations.
