Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

RedCurl's Divergence: The Mysterious Ransomware Deployment Targeting Hyper-V Servers


RedCurl, a stealthy corporate espionage actor, has recently deployed ransomware targeting Hyper-V servers, marking a significant departure from its usual modus operandi.

  • RedCurl, a known corporate espionage actor, has started deploying ransomware on compromised networks.
  • The group's new "QWCrypt" ransomware targets virtual machines hosted on Hyper-V.
  • RedCurl uses "living-off-the-land" tools to maintain stealth on Windows systems.
  • The ransomware leverages encrypted 7z archives and a multi-stage PowerShell process to evade defenses.
  • The group's motives for deploying ransomware are unclear, with two hypotheses proposed: mercenary services or enrichment through private negotiations.
    RedCurl, a threat actor known for its stealthy corporate espionage operations since 2018, has recently taken an unexpected turn in its tactics. In a departure from its usual playbook, RedCurl has started deploying ransomware on compromised networks. This development marks a significant evolution in the group's tactics and raises critical questions about their motivations and operational objectives.

    According to Bitdefender Labs researchers, RedCurl initially gained notoriety for targeting corporate entities worldwide, expanding its operations, and increasing the victim count. However, in one notable case, the threat actors broke their routine and deployed ransomware for the first time. This marked a departure from their established modus operandi, which had until then centred on quiet data exfiltration rather than disruption.

    The newly introduced "QWCrypt" ransomware specifically targets virtual machines hosted on Hyper-V. This development comes as enterprises increasingly move to virtualization platforms to host their servers. In response, ransomware gangs have created encryptors that specifically target virtualization platforms.

    RedCurl's QWCrypt attacks begin with phishing emails featuring ".IMG" attachments disguised as CVs. IMG files are disk image files that Windows automatically mounts under a new drive letter when they are double-clicked. The IMG file contains a screensaver (.scr) file that abuses DLL sideloading through a legitimate Adobe executable; the sideloaded code downloads a payload and establishes persistence via a scheduled task.

    RedCurl leverages "living-off-the-land" tools to maintain stealth on Windows systems. It utilizes a custom wmiexec variant to spread laterally in the network without triggering security tools and uses the tool 'Chisel' for tunneling/RDP access.

    To turn off defenses before the ransomware deployment, attackers use encrypted 7z archives and a multi-stage PowerShell process. Unlike many Windows ransomware encryptors, QWCrypt supports numerous command-line arguments that control how it targets Hyper-V virtual machines, letting the operators customize each attack.
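    The delivery and staging chain described in the two paragraphs above (a signed vendor binary copied next to an attacker DLL, a scheduled task for persistence, password-protected 7z archives and hidden or encoded PowerShell) leaves process-creation traces a defender can hunt for. The script below is an added example and is not part of the original article or of Bitdefender's tooling. It assumes Sysmon-style process-creation telemetry already parsed into dicts with the keys "pid", "image", "command_line" and "parent_image"; the events, paths, task name and base64 string in it are constructed, and the directory list and vendor-name check are heuristics of this example, not indicators from the article.

```python
"""Hunting heuristics for the QWCrypt delivery and staging chain described above.

Added example, not from the article or from Bitdefender. Events are assumed to
be Sysmon-style process-creation records parsed into dicts; all sample events,
paths and names below are constructed for illustration.
"""
import re

# User-writable locations a legitimate vendor binary has no business running
# from; a signed executable copied here beside an attacker DLL is the classic
# sideloading layout. Heuristic list, not taken from the article.
WRITABLE_DIRS = re.compile(
    r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def sideloading_suspect(event):
    """A vendor-named (here: Adobe) executable running outside Program Files."""
    image = event["image"].lower()
    return "adobe" in image and not image.startswith(PROGRAM_DIRS)


def task_to_writable_path(event):
    """schtasks.exe /create whose action (/tr) points into a user-writable directory."""
    if basename(event["image"]) != "schtasks.exe":
        return False
    cmd = event["command_line"]
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return False
    action = re.search(r'/tr\s+("[^"]*"|\S+)', cmd, re.IGNORECASE)
    return bool(action and WRITABLE_DIRS.search(action.group(1)))


def encrypted_archive_extract(event):
    """7-Zip extracting (x/e) with an inline -p password: an encrypted tooling archive."""
    if basename(event["image"]) not in ARCHIVERS:
        return False
    cmd = event["command_line"]
    return bool(re.search(r"(?:^|\s)[xe](?:\s|$)", cmd)
                and re.search(r"(?:^|\s)-p\S*", cmd))


def hidden_or_encoded_powershell(event):
    """PowerShell started hidden or with an encoded command, typical of staged loaders."""
    if basename(event["image"]) != "powershell.exe":
        return False
    return bool(re.search(r"-(?:enc(?:odedcommand)?|e)\s|-w(?:indowstyle)?\s+hidden",
                          event["command_line"], re.IGNORECASE))


RULES = (sideloading_suspect, task_to_writable_path,
         encrypted_archive_extract, hidden_or_encoded_powershell)


def triage(events):
    """Return one hit per (rule, event) match, keeping the pid for pivoting."""
    hits = []
    for event in events:
        for rule in RULES:
            if rule(event):
                hits.append({"rule": rule.__name__, "pid": event["pid"],
                             "command_line": event["command_line"]})
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGED = r"C:\Users\alice\AppData\Roaming\Updater\AdobeApp.exe"   # constructed name
SAMPLE_EVENTS = [  # constructed telemetry: four suspicious events, three benign controls
    {"pid": 1201, "image": STAGED, "command_line": STAGED, "parent_image": r"E:\Alice_CV.scr"},
    {"pid": 1310, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn Updater /tr "' + STAGED + '" /sc minute /mo 30',
     "parent_image": STAGED},
    {"pid": 1402, "image": PS, "command_line": "powershell.exe -w hidden -enc QUJDRA==",
     "parent_image": STAGED},  # dummy base64, not a real payload
    {"pid": 1455, "image": r"C:\ProgramData\7z\7z.exe",
     "command_line": r"7z.exe x -pS3cret stage.7z -oC:\ProgramData\stage", "parent_image": PS},
    {"pid": 1500, "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "command_line": "Acrobat.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 1510, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1520, "image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": "7z.exe x quarterly.7z", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'{hit["rule"]:30} pid={hit["pid"]}  {hit["command_line"]}')
```

Each rule is deliberately narrow so it can run against a whole day of process events with few false positives; the pid in each hit is what an analyst pivots on to rebuild the parent chain (here, from the .scr on the mounted image through the staged binary to PowerShell and 7-Zip).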

    In one notable instance, RedCurl utilized the --excludeVM argument to avoid encrypting virtual machines acting as network gateways, so as to minimize disruption. The researchers said that, when encrypting files, QWCrypt uses the XChaCha20-Poly1305 encryption algorithm and appends either the .locked$ or .randombits$ extension to encrypted files.

    The encryptor also offers the option to use intermittent encryption (block skipping) or selective file encryption based on size for increased speed. The ransom note created by QWCrypt is named "!!!how_to_unlock_randombits_files.txt$" and contains a mixture of text from LockBit, HardBit, and Mimic ransom notes.
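    For an incident responder, the concrete artefacts in the last two paragraphs (the .locked$ and .randombits$ extensions, the ransom note name, and the fact that block skipping may leave runs of plaintext inside an "encrypted" file) translate directly into a triage scan. The script below is an added example, not from the article or from Bitdefender. It uses only the indicators the article gives, plus a per-block entropy profile to tell fully encrypted files from intermittently encrypted ones; the 4 KiB block size is an assumption for the demo rather than QWCrypt's actual setting, and build_demo_tree() writes constructed sample files.

```python
"""Triage scan for QWCrypt artefacts on a recovered volume or file share.

Added example, not from the article or from Bitdefender. Indicators are the
extensions and ransom note name the article reports; the block size, entropy
threshold and sample files are constructed for this demo.
"""
import collections
import math
import os
import tempfile

ENCRYPTED_EXTENSIONS = (".locked$", ".randombits$")   # the "$" is literal
RANSOM_NOTE = "!!!how_to_unlock_randombits_files.txt$"
BLOCK_SIZE = 4096      # assumed; used only to sample entropy
HIGH_ENTROPY = 7.0     # bits/byte; ciphertext sits near 8, text near 4-5


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values())


def block_entropy_profile(path, block_size=BLOCK_SIZE):
    """Entropy of each fixed-size block, in file order."""
    profile = []
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            profile.append(shannon_entropy(block))
    return profile


def classify_profile(profile, threshold=HIGH_ENTROPY):
    """fully_encrypted / intermittent / plaintext, judged from the block profile."""
    if not profile:
        return "empty"
    high = sum(e >= threshold for e in profile)
    if high == len(profile):
        return "fully_encrypted"
    if high == 0:
        return "plaintext"
    return "intermittent"   # block skipping: recoverable plaintext runs remain


def scan_tree(root):
    """Walk `root`, collect ransom notes and encrypted files, and summarise impact."""
    report = {"ransom_notes": [], "encrypted_files": [],
              "per_directory": collections.Counter(),
              "classification": collections.Counter()}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                report["ransom_notes"].append(full)
            elif name.endswith(ENCRYPTED_EXTENSIONS):
                report["encrypted_files"].append(full)
                report["per_directory"][os.path.relpath(dirpath, root)] += 1
                report["classification"][classify_profile(block_entropy_profile(full))] += 1
    return report


def build_demo_tree(root):
    """Constructed sample: one fully encrypted, one intermittently encrypted, one untouched file."""
    text = (b"quarterly figures, internal use only\n" * 200)[:BLOCK_SIZE]
    rnd = lambda: os.urandom(BLOCK_SIZE)   # stands in for a ciphertext block
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "ledger.xlsx.randombits$"), "wb") as f:
        f.write(rnd() + rnd() + rnd())
    with open(os.path.join(root, "finance", "forecast.docx.locked$"), "wb") as f:
        f.write(rnd() + text + rnd() + text)    # alternating blocks, as block skipping leaves them
    with open(os.path.join(root, "finance", "README.txt"), "wb") as f:
        f.write(text)
    with open(os.path.join(root, RANSOM_NOTE), "w") as f:
        f.write("constructed placeholder, not the real note\n")


def demo():
    """Build the sample tree in a temporary directory, scan it, return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    r = demo()
    print(len(r["ransom_notes"]), "ransom note(s);", len(r["encrypted_files"]), "encrypted file(s)")
    print(dict(r["per_directory"]), dict(r["classification"]))
```

The per-directory counts scope the blast radius on a share, and the classification column matters for recovery planning: a file the scan marks "intermittent" still contains its plaintext blocks, so partial recovery of large files such as databases or archives may be possible without a key.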

    The absence of a dedicated leak site for double extortion raises questions about whether RedCurl is using ransomware as a false flag or for true extortion attacks. Bitdefender outlines two main hypotheses for why RedCurl now includes ransomware in its operations.

    The first hypothesis suggests that RedCurl operates as a mercenary group offering services to third parties, resulting in a mix of espionage operations and financially motivated attacks. In some situations, the ransomware could be a distraction to cover for data theft or a fallback to monetize access when a client fails to pay for their primary services.

    The second theory proposes that RedCurl engages in ransomware operations for enrichment but prefers private negotiations over public ransom demands and data leaks. The RedCurl group's recent deployment of ransomware marks a significant evolution in their tactics, concludes Bitdefender.

    This development highlights the evolving nature of threat actors and their tactics. As enterprises increasingly move to virtualization platforms, it is essential to stay vigilant and adapt security measures accordingly.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/RedCurls-Divergence-The-Mysterious-Ransomware-Deployment-Targeting-Hyper-V-Servers-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/redcurl-cyberspies-create-ransomware-to-encrypt-hyper-v-servers/

  • https://www.huntress.com/blog/the-hunt-for-redcurl-2


  • Published: Wed Mar 26 10:27:20 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
