New Ransomware Attack Linked to Seasoned Cyberespionage Group

A highly organized group of mercenary hackers, known as RedCurl, is reportedly evolving its tactics by deploying ransomware against hypervisors in focused and highly selective attacks. This shift indicates a significant change in their operational strategy, which previously centered on traditional corporate espionage.
A recent analysis by the cybersecurity firm Bitdefender indicates that RedCurl, also referred to as Earth Kapre or Red Wolf, has begun utilizing an undocumented ransomware variant named QWCrypt. According to researchers, this new malware is distinct from established ransomware families and was uncovered during an investigation involving an unnamed organization in North America that experienced an attack last month.
Established in 2018, RedCurl was recognized as a Russian-speaking hacking group focused on espionage and data exfiltration, operating with extreme stealth and often launching attacks through phishing emails. The group’s technique has now shifted toward aggressive cryptolocking, a departure from its previous methods.
Bitdefender’s findings reveal that RedCurl’s most recent incursion started with a phishing email culminating in the installation of a custom DLL file, which serves as a backdoor known as RedCurl.Downloader. This method provided attackers with initial access to the target’s network, from which RedCurl typically gathers intelligence and escalates its access privileges.
In this instance, however, the hackers opted to deploy ransomware, targeting hypervisors rather than encrypting all endpoints indiscriminately. This focused assault, noted by Bitdefender, aims to maximize damage while minimizing effort; by encrypting virtual machines hosted on the hypervisors, they effectively incapacitate the entire virtualized infrastructure.
The attack methodology suggests that the attackers meticulously mapped the target’s network before executing their plan. They incorporated hardcoded details into their batch scripts, such as machine names, while strategically avoiding the encryption of hypervisors acting as network gateways. This constrained the attack’s impact primarily to the IT team, potentially reducing overall disruption and user awareness.
A ransom note left by the malware instructs victims to contact the group via an email address for a decryptor, with the threat of leaking stolen data on the dark web looming over the targeted organizations. Bitdefender’s analysis indicates that the ransom note’s language draws upon established ransom demands from groups like LockBit and HardBit, raising questions about RedCurl’s operational motives and connections.
The extent of RedCurl’s ransomware campaign remains unclear, as does the number of organizations targeted so far. As they appear to be embracing this new strategic direction, the implications for other businesses at risk are significant. Understanding the methods used in these attacks, including tactics such as initial access and persistence from the MITRE ATT&CK framework, may be essential for organizations to safeguard their digital assets against similar threats.