
RedCurl, a Russian threat group best known for cyber espionage and data exfiltration, has unexpectedly deployed ransomware for the first time.
The group, also tracked as Earth Kapre or Red Wolf, appears to be changing or expanding its tactics with the first observed deployment of QWCrypt, a new ransomware family distinct from those already known, according to research by Bitdefender.
The attackers, who have traditionally gained initial access through social engineering and spearphishing, still rely on these methods: they sent phishing emails carrying IMG files disguised as CV documents to lure recipients into opening them and starting the infection chain that ends in ransomware.
After compromising a device, the group starts navigating the network, gathering intelligence, and typically continues with data exfiltration over longer periods of time.
However, in a recent case, Bitdefender researchers observed the group deploying a ransomware binary named rbcw.exe, extracted from an encrypted 7z archive.
“While most ransomware groups deploy their payloads across all endpoints, and some extend to hypervisors, RedCurl targeted only hypervisors. This focused targeting can be interpreted as an attempt to inflict maximum damage with minimum effort,” claims Bitdefender in a blog post.
“By encrypting the virtual machines hosted on the hypervisors, making them unbootable, RedCurl disables the entire virtualized infrastructure, impacting all hosted services.”
Bitdefender’s analysis of the ransom note reveals that it is composed of sections taken from the ransom notes of other known ransomware groups, including LockBit, HardBit, and Mimic. This raises questions about the group's origins and motivations.
A gun-for-hire group?
The researchers speculate that RedCurl’s deployment of ransomware may mean that it is operating as a gun-for-hire group, as it has diverse victimology and lacks a clear, consistent operational pattern.
“In a mercenary model, ransomware could serve as a diversion, masking the true objective: a targeted data exfiltration operation. It's also possible that RedCurl, having completed a data exfiltration contract, was not paid, leading them to use ransomware as an alternate way to monetize their access,” Bitdefender claims.
Another explanation is that RedCurl prioritizes discreet, direct negotiations with victims, minimizing public attention. It appears to limit the attack's impact on the IT department by using hypervisor encryption while maintaining network gateway functionality and avoiding endpoint encryption.
This strategy suggests that RedCurl prefers low-profile operations, which ensure consistent revenue across a broad client base and reduce its visibility to law enforcement.