
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats. We offer safe, secure and affordable solutions for your business and personal networks and devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

RedCurl Shifts from Espionage to Ransomware with First-Ever QWCrypt Deployment

Summary:
RedCurl, aka Earth Kapre and Red World, is a Russian-speaking hacking group that has been active since November 2018. The group is known for launching spear-phishing attacks (e.g. phishing emails carrying IMG disk-image attachments disguised as CV documents) against organizations in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States. While cyber espionage has been the group's main motive, researchers at Bitdefender have now observed RedCurl deploying a novel ransomware strain, dubbed 'QWCrypt,' for the first time.

The ransomware binary, rbcw.exe, is delivered inside an encrypted 7z archive and extracted into the C:\ProgramData directory using the 7-Zip executable. Execution is triggered by a custom batch file that disables Windows Defender before starting the encryption process. The ransomware primarily targets Hyper-V virtual machines, encrypting them along with the host system, while excluding certain VMs such as network gateways. QWCrypt itself is a Go-based, UPX-packed executable that uses partial encryption (encrypting only part of each file, which trades completeness for speed) and accepts multiple command-line switches so the operator can target specific files and systems. Its behaviour is highly customized, with explicit exclusions for certain security products and a focus on bypassing endpoint protections. The ransom note and the decryption key are tied to a personal ID embedded in the configuration, which lets the attackers maintain a unique RSA key pair for each victim.
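The deployment chain above (7-Zip extracting an encrypted archive into C:\ProgramData, a batch file disabling Defender, then rbcw.exe running from that directory) is the kind of sequence a detection engineer would want to catch as a whole rather than as three separate noisy rules. The following Python sketch is an added example, not code from this page, from Bitdefender, or from the linked article: it runs three rules over constructed Sysmon-style process-creation events and scores the hits per host inside a correlation window. The 7-Zip command-line shape (`7z.exe x <archive> -p<password> -o<dir>`), the specific Defender-tampering command strings, the event field names, the rule weights and the 10-minute window are all assumptions; the page only states the three facts listed at the top of this paragraph.

```python
"""Detection sketch for the QWCrypt deployment chain (added example, not the
page's own code). Three rules run over constructed Sysmon-style process-creation
events; hits are correlated per host inside a time window.

Assumptions not stated on the page: the 7-Zip command-line shape
`7z.exe x <archive> -p<password> -o<dir>`, the Defender-tampering command
strings, the event field names, the rule weights and the 10-minute window."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). HV-01 shows the full chain;
# WS-07 shows an admin extracting a vendor archive into ProgramData, which trips
# one rule but must not reach the critical threshold on its own.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-03-20 10:01:05", "Computer": "HV-01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\deploy.bat"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2025-03-20 10:01:07", "Computer": "HV-01",
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe x C:\Users\Public\update.7z -pS3cr3t! -oC:\ProgramData -y",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2025-03-20 10:01:09", "Computer": "HV-01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Set-MpPreference -DisableRealtimeMonitoring $true",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2025-03-20 10:01:12", "Computer": "HV-01",
     "Image": r"C:\ProgramData\rbcw.exe",
     "CommandLine": r"C:\ProgramData\rbcw.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2025-03-20 11:30:00", "Computer": "WS-07",
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe x C:\Temp\vendor-tool.7z -pVendorKey -oC:\ProgramData\VendorTool -y",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def rule_7zip_encrypted_extract_to_programdata(ev: dict) -> bool:
    """7-Zip extracting (x or e) a password-protected (-p) archive into C:\\ProgramData (-o)."""
    cmd = ev["CommandLine"]
    if not re.search(r"\\7z[a-z]?\.exe$", ev["Image"], re.IGNORECASE):
        return False
    extract = re.search(r'7z[a-z]?\.exe"?\s+[xe]\b', cmd, re.IGNORECASE)
    password = re.search(r"\s-p\S", cmd)                       # -p<password>, no space
    target = re.search(r'\s-o"?c:\\programdata\b', cmd, re.IGNORECASE)
    return bool(extract and password and target)


# Assumed tampering commands; the page only says "disables Windows Defender".
DEFENDER_TAMPER = [
    r"Set-MpPreference\s+-Disable\w+",          # e.g. -DisableRealtimeMonitoring $true
    r"Add-MpPreference\s+-Exclusion\w+",        # exclusions covering the payload path
    r"\bsc(\.exe)?\s+(stop|config)\s+WinDefend\b",
]


def rule_defender_tamper(ev: dict) -> bool:
    """Any command that weakens Defender; treat the list as a starting point, not a signature."""
    return any(re.search(p, ev["CommandLine"], re.IGNORECASE) for p in DEFENDER_TAMPER)


def rule_payload_from_programdata(ev: dict) -> bool:
    """rbcw.exe (the binary named on the page) starting from the ProgramData root.
    The name is trivial for the operator to change, so a lower-weight variant that
    matches any freshly written .exe in that directory belongs beside this rule."""
    return re.search(r"^c:\\programdata\\rbcw\.exe$", ev["Image"], re.IGNORECASE) is not None


RULES = {  # name -> (predicate, weight); weights are assumptions
    "7zip_encrypted_extract_to_programdata": (rule_7zip_encrypted_extract_to_programdata, 2),
    "defender_tamper": (rule_defender_tamper, 3),
    "rbcw_payload_from_programdata": (rule_payload_from_programdata, 4),
}
CRITICAL_SCORE = 5  # payload plus any precursor, or extraction plus tamper


def evaluate(events: list[dict], window: timedelta = timedelta(minutes=10)) -> dict[str, dict]:
    """Per host, return the highest-scoring set of distinct rules whose hits fall
    within `window` of an anchor hit. Hosts with no hits are omitted."""
    hits: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        for name, (pred, _) in RULES.items():
            if pred(ev):
                hits[ev["Computer"]].append((ts, name))

    alerts: dict[str, dict] = {}
    for host, host_hits in hits.items():
        host_hits.sort()
        best = {"rules": [], "score": 0}
        for i, (t0, _) in enumerate(host_hits):            # anchor a window at each hit
            names = sorted({n for t, n in host_hits[i:] if t - t0 <= window})
            score = sum(RULES[n][1] for n in names)        # count each rule once
            if score > best["score"]:
                best = {"rules": names, "score": score}
        best["critical"] = best["score"] >= CRITICAL_SCORE
        alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, alert in evaluate(SAMPLE_EVENTS).items():
        print(host, alert)
```

On the constructed events, HV-01 scores 9 and is flagged critical while WS-07 scores 2 and is not: the point of the correlation step is that a password-protected extraction into ProgramData is ordinary admin behaviour on its own and only becomes an incident when Defender tampering and a new executable in that directory follow it on the same host. Real deployments should feed the rules from actual Sysmon Event ID 1 or EDR process telemetry and tune the weights and window against their own baseline.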

Security Officer Comments:
The latest development highlights a shift in RedCurl’s tactics. Researchers note that the use of an encryptor that specifically targets hypervisors is an attempt to inflict maximum damage with minimum effort. By encrypting the virtual machines hosted on the hypervisors and rendering them unbootable, RedCurl aims to cripple the entire virtualized infrastructure, thereby disrupting all services reliant on it.

The ransom note used by QWCrypt appears to be a compilation of sections lifted from ransom notes associated with other well-known ransomware groups, such as LockBit, HardBit, and Mimic. This raises doubts about the true origins and intentions of the RedCurl group. Notably, there is no known dedicated leak site linked to this ransomware, leaving uncertainty about whether the ransom note is a genuine extortion attempt or a deliberate distraction created by RedCurl.

Suggested Corrections:
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and that they are not reachable from the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because, if your network data is encrypted by ransomware, your organization can still restore its systems. For virtualized estates this includes the hypervisor hosts and the VM images themselves, since QWCrypt targets Hyper-V hosts directly.

Update and patch systems promptly: This includes keeping operating systems, applications, and firmware current. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most commonly exploited attack vector for organizations, and RedCurl's own initial access comes from spear-phishing attachments. Users should be trained on how to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services even when a credential is phished.

Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.

Link(s):
https://thehackernews.com/2025/03/redcurl-shifts-from-espionage-to.html