Highly Targeted Ransomware Hit Traced to Long-Running Cyberespionage Group

A long-running, stealthy group of mercenary hackers appears to have diversified into hitting hypervisors with ransomware in highly targeted attacks.
A new report from cybersecurity firm Bitdefender said that the corporate espionage specialists it tracks as RedCurl – also known as Earth Kapre and Red Wolf – appear to now be wielding novel cryptolocking malware.
“This new ransomware, which we have named QWCrypt based on a self-reference ‘qwc’ found within the executable, is previously undocumented and distinct from known ransomware families,” researchers at Bitdefender Labs said on Wednesday.
Bitdefender told Information Security Media Group that it found the ransomware at an unnamed North American customer that was hit in the middle of last month.
Cryptolocking appears to be a marked change in strategy for RedCurl, which first emerged in 2018. The group previously operated as a Russian-speaking, for-hire hacking crew focused on corporate espionage and data exfiltration. It maintained a very low profile, typically initiating attacks through phishing emails.
In 2020, cybersecurity firm Group-IB reported the group stole information from at least 14 organizations across Canada, Germany, Norway, Ukraine, Russia and the United Kingdom (see: RedCurl Cyberespionage Gang Targets Corporate Secrets).
Bitdefender said it attributed a recent attack to RedCurl that began with a phishing email and led to the installation of a custom DLL file previously used by the group, which installs a backdoor researchers track as RedCurl.Downloader or Earth Kapre downloader, giving attackers initial access. At this point, RedCurl would typically shift its focus “to navigating the network, gathering intelligence and escalating their access.”
In this case, the attackers also deployed ransomware.
Unlike other ransomware groups, which attempt to encrypt every endpoint and often every hypervisor they can reach in a victim’s network, the attack Bitdefender investigated appeared to target only hypervisors. “This focused targeting can be interpreted as an attempt to inflict maximum damage with minimum effort,” the researchers said. “By encrypting the virtual machines hosted on the hypervisors and making them unbootable, RedCurl effectively disables the entire virtualized infrastructure, impacting all hosted services.”
The attackers appeared to have carefully mapped the network before the attack, since the batch scripts they ran included hardcoded details such as machine names. They were careful not to encrypt hypervisors functioning as network gateways. “By keeping network gateways operational and avoiding endpoint encryption, RedCurl may have aimed to confine the attack to the IT team, preventing widespread disruption and user awareness,” they said.
A sample of the ransom note dropped by the group’s malware demands that victims email the group at edgypsin@proton.me to obtain a decryptor, and threatens to dump stolen data to a darkweb data-leak site.
Bitdefender said the ransom note appears to be cobbled together with sections borrowed from groups such as LockBit, HardBit and Mimic. This practice of repurposing existing ransom note text raises questions about the origins and motivations of the RedCurl group. Notably, there is no known dedicated leak site associated with this ransomware, and it is unclear whether the ransom note represents a genuine extortion attempt or a diversion.
How many organizations RedCurl may have already hit with ransomware, and whether it will continue down this path, remain open questions.