Sunday, 20 April 2025
27.5 C
Singapore
31.6 C
Thailand
26.1 C
Indonesia
28.5 C
Philippines

RedCurl group linked to new ransomware strain in first documented attack

Bitdefender uncovers RedCurl's first ransomware campaign, revealing QWCrypt's unique tactics and the group's evolving cyber threat model.

Bitdefender researchers have released the first documented analysis of a ransomware campaign tied to the RedCurl group, a threat actor previously known for cyberespionage activities. The ransomware, dubbed “QWCrypt” due to the presence of ‘qwc’ in its executable file, is a previously unseen strain that differs from known ransomware families in its design and deployment tactics.

RedCurl, also known as Earth Kapre or Red Wolf, has typically operated under the radar since 2018, focusing on data theft through highly targeted operations. Their pivot to ransomware represents a significant development in the group’s modus operandi. Bitdefender’s investigation raises more questions than answers about the group’s underlying motivations, suggesting that RedCurl may be shifting from espionage to financial extortion or blending both approaches.

While earlier assessments labelled RedCurl as a cyberespionage group, Bitdefender’s findings suggest the evidence supporting this classification is inconclusive. The group’s operations have involved a wide geographical range of victims, including the US, Germany, Spain, and Mexico, as well as reports of targets in Russia. This diversity is unusual for state-sponsored actors, and there has been no prior indication of the group attempting to sell or ransom exfiltrated data, making their latest move even more curious.

Speculation over RedCurl’s operational model

Two hypotheses have emerged regarding RedCurl’s current strategy. One possibility is that the group functions as a cyber mercenary-for-hire, executing operations on behalf of clients. In this model, ransomware may be used as a smokescreen to obscure more focused data theft missions. If clients fail to pay for the stolen data, ransomware becomes a fallback option to monetise access.

An alternative theory is that RedCurl aims to keep a low profile by negotiating directly with victims, avoiding public ransom notes or leak sites. Bitdefender points to the group’s use of hypervisor encryption—rather than targeting endpoints—as evidence of this discreet strategy. The choice to leave network gateways untouched while crippling virtual machines suggests a desire to limit disruption to IT teams only, reducing the chance of alerting law enforcement or attracting attention.

This theory aligns with findings from Bitdefender’s recent Cybersecurity Assessment Reports. In 2023, 42% of respondents admitted facing pressure to hide security breaches—a figure that has increased in 2024, underscoring the appeal of quiet extortion tactics for ransomware actors.

Technical overview of QWCrypt ransomware campaign

RedCurl’s attack method begins with phishing emails containing IMG files disguised as CV documents. When opened, Windows mounts these files as virtual drives, revealing a screensaver file titled “CV APPLICANT 7802-91542.SCR.” This file is actually a renamed Adobe executable vulnerable to DLL sideloading, allowing a malicious library to be loaded when executed.

The malicious DLL launches a browser window showing a real Indeed login page—an attempt to distract the user—while also acting as a downloader to fetch additional payloads. The final payload is saved to the user’s application data folder and is executed using scheduled tasks and a series of native Windows tools in a technique known as Living-off-the-Land (LOTL). This approach leverages legitimate utilities like pcalua.exe, rundll32.exe, and shell32.dll to conceal the attack.

After establishing access, RedCurl employs tools such as PowerShell, WMI, and a modified version of wmiexec to move laterally across the network. These tools are commonly used in penetration testing, but RedCurl modifies them to evade detection by bypassing traditional monitoring systems. In some cases, the group also uses “Chisel”, a tunnelling tool suspected to facilitate remote desktop access.

Unlike traditional ransomware groups that target all endpoints, RedCurl focused exclusively on hypervisors. Their scripts included detailed information about the environment and avoided encrypting virtual machines responsible for maintaining network connectivity. This method allowed RedCurl to cause maximum disruption with minimal visibility.

Detailed script execution and file encryption

The ransomware was delivered via an encrypted 7-Zip archive, unpacked using a password-protected extraction command. Scripts first disabled endpoint protection tools, including Windows Defender and other well-known antivirus programs. The batch files also referenced Term.exe, a known method to exploit vulnerable drivers to disable security defences.

Once defences were down, a second script executed the main encryption routine. The ransomware executable, rbcw.exe, was run twice on the host and twice on Hyper-V virtual machines, ensuring coverage and reliability. A unique key passed during execution enabled encryption and unlocked the ransomware’s configuration file, which contained the ransom note.

Interestingly, the ransom note itself appeared to be a composite of messages from other ransomware groups, including LockBit and HardBit, raising questions about whether RedCurl is adopting copycat tactics or using these elements to confuse attribution. There is currently no known leak site linked to the group.

Files are encrypted with the ChaCha20 or AES algorithm, and the ransomware is capable of selective encryption, allowing the attackers to balance speed and impact. Certain files and directories—such as those linked to security software and operating system files—were deliberately excluded to maintain system stability and delay detection.

Ongoing risks and recommendations

Bitdefender stresses that RedCurl’s move into ransomware is a calculated and refined progression in their approach. Their operations are technically advanced, highly targeted, and potentially aligned with discreet extortion tactics rather than mass disruption.

To protect against similar threats, Bitdefender recommends organisations adopt a multilayered security strategy, monitor for LOTL abuse, and implement strict control over scripting environments and admin privileges. Backups should be immutable and isolated, with recovery processes regularly tested.

The full technical breakdown, including Indicators of Compromise (IoCs), is available on Bitdefender’s website. Researchers are encouraged to further examine this evolving threat actor.

Hot this week

Dubai tech hub to spotlight innovation and start-up success at GITEX Asia debut in Singapore

Dubai Internet City will showcase its tech success and start-up ecosystem at GITEX Asia in Singapore from 23 to 25 April 2025.

Christensen Advisory secures exclusive APAC rights to InferenceCloud.ai to drive AI adoption in communications

Christensen Advisory partners with InferenceCloud.ai to bring AI-driven communications tools to the APAC region, driving data-backed strategies.

Mark Zuckerberg says TikTok slowed Meta’s growth and changed its direction

Zuckerberg says TikTok slowed Meta’s growth and forced a shift in strategy, as revealed in the FTC antitrust trial on June 5.

ASUS unveils TUF Gaming x Hatsune Miku collaboration for Singapore launch in June

ASUS brings Hatsune Miku to TUF Gaming with new keyboard, mouse, headset, and mouse pad launching in Singapore from June 2025.

OpenAI’s Stargate project eyes global expansion after US launch

OpenAI’s US$500B Stargate project, which aims to build AI data centres across the US, may expand to the UK and Europe after it launches.

AMD’s RX 9070 GRE leak could bring welcome news for gamers

Leaked AMD’s RX 9070 GRE specs suggest a strong mid-range GPU with 12GB memory and fast clocks, perfect for modern gamers.

Intel’s new CEO reshapes leadership, promotes AI chief and plans closer work with engineers

Intel CEO Lip-Bu Tan is reshaping leadership, promoting a new AI chief, and aiming for a leaner, more engineering-driven company.

Apple’s iPhone sales drop in China amid growing trade tensions

Apple’s iPhone sales in China fell 9% as local brands grew, and trade tensions created more uncertainty for the smartphone market.

ASUS and Hatsune Miku team up for colourful new gaming gear

ASUS and Hatsune Miku join forces to launch a vibrant limited-edition gaming gear set, arriving in Singapore this June.

Related Articles

Popular Categories