Monday, 31 March 2025

RedCurl group linked to new ransomware strain in first documented attack

Bitdefender uncovers RedCurl's first ransomware campaign, revealing QWCrypt's unique tactics and the group's evolving cyber threat model.

Bitdefender researchers have released the first documented analysis of a ransomware campaign tied to the RedCurl group, a threat actor previously known for cyberespionage activities. The ransomware, dubbed "QWCrypt" due to the presence of 'qwc' in its executable file, is a previously unseen strain that differs from known ransomware families in its design and deployment tactics.

RedCurl, also known as Earth Kapre or Red Wolf, has typically operated under the radar since 2018, focusing on data theft through highly targeted operations. Their pivot to ransomware represents a significant development in the group's modus operandi. Bitdefender's investigation raises more questions than answers about the group's underlying motivations, suggesting that RedCurl may be shifting from espionage to financial extortion or blending both approaches.

While earlier assessments labelled RedCurl as a cyberespionage group, Bitdefender's findings suggest the evidence supporting this classification is inconclusive. The group's operations have involved a wide geographical range of victims, including the US, Germany, Spain, and Mexico, as well as reports of targets in Russia. This diversity is unusual for state-sponsored actors, and there has been no prior indication of the group attempting to sell or ransom exfiltrated data, making their latest move even more curious.

Speculation over RedCurl’s operational model

Two hypotheses have emerged regarding RedCurl's current strategy. One possibility is that the group functions as a cyber mercenary-for-hire, executing operations on behalf of clients. In this model, ransomware may be used as a smokescreen to obscure more focused data theft missions. If clients fail to pay for the stolen data, ransomware becomes a fallback option to monetise access.

An alternative theory is that RedCurl aims to keep a low profile by negotiating directly with victims, avoiding public ransom notes or leak sites. Bitdefender points to the group's use of hypervisor encryption, rather than endpoint encryption, as evidence of this discreet strategy. The choice to leave network gateways untouched while crippling virtual machines suggests a desire to limit disruption to IT teams only, reducing the chance of alerting law enforcement or attracting attention.

This theory aligns with findings from Bitdefender's recent Cybersecurity Assessment Reports. In 2023, 42% of respondents admitted facing pressure to hide security breaches, a figure that has increased in 2024, underscoring the appeal of quiet extortion tactics for ransomware actors.

Technical overview of QWCrypt ransomware campaign

RedCurl's attack method begins with phishing emails containing IMG files disguised as CV documents. When opened, Windows mounts these files as virtual drives, revealing a screensaver file titled "CV APPLICANT 7802-91542.SCR". This file is actually a renamed Adobe executable vulnerable to DLL sideloading, allowing a malicious library to be loaded when it is executed.

The malicious DLL launches a browser window showing a real Indeed login page (an attempt to distract the user) while also acting as a downloader to fetch additional payloads. The final payload is saved to the user's application data folder and is executed using scheduled tasks and a series of native Windows tools in a technique known as Living-off-the-Land (LOTL). This approach leverages legitimate utilities like pcalua.exe, rundll32.exe, and shell32.dll to conceal the attack.

After establishing access, RedCurl employs tools such as PowerShell, WMI, and a modified version of wmiexec to move laterally across the network. These tools are commonly used in penetration testing, but RedCurl modifies them to evade detection by bypassing traditional monitoring systems. In some cases, the group also uses "Chisel", a tunnelling tool suspected to facilitate remote desktop access.

Unlike traditional ransomware groups that target all endpoints, RedCurl focused exclusively on hypervisors. Their scripts included detailed information about the environment and avoided encrypting virtual machines responsible for maintaining network connectivity. This method allowed RedCurl to cause maximum disruption with minimal visibility.

Detailed script execution and file encryption

The ransomware was delivered via an encrypted 7-Zip archive, unpacked using a password-protected extraction command. Scripts first disabled endpoint protection tools, including Windows Defender and other well-known antivirus programs. The batch files also referenced Term.exe, a known method to exploit vulnerable drivers to disable security defences.

Once defences were down, a second script executed the main encryption routine. The ransomware executable, rbcw.exe, was run twice on the host and twice on Hyper-V virtual machines, ensuring coverage and reliability. A unique key passed during execution enabled encryption and unlocked the ransomware's configuration file, which contained the ransom note.

Interestingly, the ransom note itself appeared to be a composite of messages from other ransomware groups, including LockBit and HardBit, raising questions about whether RedCurl is adopting copycat tactics or using these elements to confuse attribution. There is currently no known leak site linked to the group.

Files are encrypted with the ChaCha20 or AES algorithm, and the ransomware is capable of selective encryption, allowing the attackers to balance speed and impact. Certain files and directories, such as those linked to security software and operating system files, were deliberately excluded to maintain system stability and delay detection.

Ongoing risks and recommendations

Bitdefender stresses that RedCurl's move into ransomware is a calculated and refined progression in their approach. Their operations are technically advanced, highly targeted, and potentially aligned with discreet extortion tactics rather than mass disruption.

To protect against similar threats, Bitdefender recommends organisations adopt a multilayered security strategy, monitor for LOTL abuse, and implement strict control over scripting environments and admin privileges. Backups should be immutable and isolated, with recovery processes regularly tested.
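The LOTL monitoring recommended above can be turned into concrete detection logic for the chain this article describes (a .scr lure from a mounted image, pcalua.exe/rundll32.exe launching content under the user's application data folder, scheduled-task persistence, password-protected 7-Zip extraction, and the rbcw.exe binary). The following is an added example, not Bitdefender's code; it assumes Sysmon Event ID 1 style fields (Image, CommandLine), and every sample event is constructed.

```python
"""Flag the RedCurl/QWCrypt living-off-the-land chain in process-creation events.
Added example, not Bitdefender's tooling. Field names follow Sysmon Event ID 1
(Image, CommandLine); SAMPLE_EVENTS below are constructed, not real telemetry."""
import re

LOTL_PROXIES = {"pcalua.exe", "rundll32.exe"}   # execution proxies named in the article
RANSOMWARE_IMAGE = "rbcw.exe"                    # QWCrypt executable named in the article

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def match_event(ev: dict) -> list[str]:
    """Return the names of the rules that fire for one process-creation event."""
    image, cmd = basename(ev.get("Image", "")), ev.get("CommandLine", "")
    low_image, low_cmd = ev.get("Image", "").lower(), cmd.lower()
    hits = []
    # Screensaver binary running outside System32: the CV lure was a renamed .scr on a mounted IMG.
    if image.endswith(".scr") and "\\windows\\system32\\" not in low_image:
        hits.append("scr_outside_system32")
    # pcalua.exe / rundll32.exe pointed at something dropped under %APPDATA%.
    if image in LOTL_PROXIES and "\\appdata\\" in low_cmd:
        hits.append("lotl_proxy_appdata")
    # Scheduled task whose action lives under %APPDATA% (persistence for the downloaded payload).
    if image == "schtasks.exe" and "/create" in low_cmd and "\\appdata\\" in low_cmd:
        hits.append("schtask_appdata")
    # Password-protected 7-Zip extraction (the archive delivery of the ransomware bundle).
    if image in {"7z.exe", "7za.exe"} and re.search(r"\s-p\S", cmd):
        hits.append("7z_password_extract")
    # The ransomware binary itself, whatever key is passed on its command line.
    if image == RANSOMWARE_IMAGE:
        hits.append("qwcrypt_binary")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> rule hits, keeping only events that fired at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}

SAMPLE_EVENTS = [  # constructed, loosely modelled on the chain described in the article
    {"Image": r"E:\CV APPLICANT 7802-91542.SCR", "CommandLine": r'"E:\CV APPLICANT 7802-91542.SCR"'},
    {"Image": r"C:\Windows\System32\pcalua.exe", "CommandLine": r"pcalua.exe C:\Users\u\AppData\Roaming\x.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn upd /tr "C:\Users\u\AppData\Roaming\x.exe" /sc onlogon'},
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign
    {"Image": r"C:\Windows\System32\scrnsave.scr", "CommandLine": r"scrnsave.scr /s"},  # benign stock screensaver
    {"Image": r"C:\Tools\7z.exe", "CommandLine": r"7z x -pREDACTED bundle.7z"},
    {"Image": r"C:\ProgramData\rbcw.exe", "CommandLine": r"rbcw.exe <KEY>"},  # placeholder key
]
```

Calling `scan(SAMPLE_EVENTS)` returns hits for events 0, 1, 2, 5 and 6 and nothing for the two benign events; the paths and names are heuristics to tune against your own baseline, not signatures.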

The full technical breakdown, including Indicators of Compromise (IoCs), is available on Bitdefender's website. Researchers are encouraged to further examine this evolving threat actor.
