A threat actor named 'RedCurl,' known for stealthy corporate espionage operations since 2018, is now using a ransomware encryptor designed to target Hyper-V virtual machines.

While most ransomware operations focus on targeting VMware ESXi servers, RedCurl's new "QWCrypt" ransomware specifically targets virtual machines hosted on Hyper-V. As enterprises increasingly move to virtual machines to host their servers, ransomware gangs have followed the trend, creating encryptors that specifically target virtualization platforms.

RedCurl leverages "living-off-the-land" tools to maintain stealth on Windows systems, uses a custom wmiexec variant to spread laterally in the network without triggering security tools, and uses the tool 'Chisel' for tunneling/RDP access.

Unlike many Windows ransomware encryptors, QWCrypt supports numerous command-line arguments that control how the encryptor targets Hyper-V virtual machines, allowing attacks to be customized. In attacks seen by Bitdefender, RedCurl used the --excludeVM argument to exclude virtual machines that acted as network gateways from encryption, avoiding disruption to the network.

Bitdefender outlines two main hypotheses for why RedCurl now includes ransomware in its operations. The absence of a dedicated leak site for double extortion raises questions on whether RedCurl is using ransomware as a false flag or for true extortion attacks. The second theory is that RedCurl does engage in ransomware operations for enrichment, but opts to do so silently, preferring private negotiations over public ransom demands and data leaks.

"The RedCurl group's recent deployment of ransomware marks a significant evolution in their tactics," concludes Bitdefender.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 26 Mar 2025 14:10:24 +0000