
RedCurl Deploys New QWCrypt Ransomware in Hypervisor Attacks


Bitdefender Labs has recently uncovered a significant shift in the operational tactics of the well-known cyber threat group RedCurl, also known as Earth Kapre or Red Wolf. This group, which has traditionally operated under the radar, focusing on covert data exfiltration, has now been linked to a new ransomware campaign involving the use of a novel ransomware strain called QWCrypt. This ransomware targets hypervisors, essentially crippling infrastructure while maintaining a stealthy presence.

The emergence of this new ransomware strain raises questions about RedCurl’s operational model, which has been shrouded in mystery since its inception in 2018. The group’s targeting patterns further complicate their classification, as telemetry data indicates victims primarily in the United States, with additional targets in Germany, Spain, and Mexico, as well as reported targets in Russia, a broad geographical scope not typically associated with state-sponsored actors. Additionally, the lack of historical evidence of RedCurl selling stolen data, a common practice in ransomware operations, adds to the enigma surrounding this group.

One of the key tactics employed by RedCurl is the use of Living-off-the-Land (LOTL) strategies, including DLL sideloading and other sophisticated techniques, while avoiding public leak sites, a departure from traditional ransomware operations. The group gains initial access through phishing emails containing malicious IMG files disguised as CV documents, which then execute a series of malicious actions to download and deploy the ransomware payload.

Once inside the network, RedCurl moves laterally using WMI and other built-in Windows tools to gather intelligence and escalate access. Its use of modified versions of tools such as wmiexec and Chisel highlights the group’s advanced capabilities. The ransomware deployment itself is highly targeted: QWCrypt encrypts virtual machines using XChaCha20-Poly1305, deliberately excludes network gateways, and embeds a unique personal ID in each deployment for victim identification.

Bitdefender has put forth two hypotheses to explain RedCurl’s unconventional behavior. The first suggests that the group may function as “gun-for-hire” cyber mercenaries, explaining their diverse victimology and inconsistent operational patterns. The second hypothesis proposes that RedCurl prioritizes discreet negotiations with victims to maintain a low profile and avoid public attention, supported by their targeting of hypervisors while preserving network gateways to limit disruption.

In light of these findings, Bitdefender recommends a multilayered defense strategy, enhanced detection and response capabilities, and a focus on preventing Living-off-the-Land attacks to mitigate the risks posed by groups like RedCurl. They also stress the importance of data protection, resilience, and advanced threat intelligence in defending against evolving cyber threats.

In conclusion, the discovery of the QWCrypt ransomware campaign highlights the evolving tactics of RedCurl and the need for organizations to remain vigilant against sophisticated cyber threats.
