
Russian Spy Group Deploys Ransomware in Cyber Attacks

Russian-Speaking Cybercriminal Group RedCurl Deploys Ransomware in New Attacks 

A cybercriminal group known as RedCurl has recently been observed using ransomware in its attacks, according to cybersecurity firm Bitdefender. This marks a shift in the group’s tactics, as it has primarily been focused on corporate espionage since at least 2018.

Also tracked as Earth Kapre or Red Wolf, RedCurl primarily targets organizations in the United States but has also been linked to attacks in Germany, Spain, and Mexico. Until recently, the group relied on publicly available tools for intrusion and data theft. However, it has now introduced a new ransomware variant called QWCrypt, indicating a change in its operational methods.

How RedCurl Gains Access to Systems 

The group typically initiates attacks using phishing emails. These emails contain IMG files that hold a disguised SCR file, which appears to be a job applicant's CV. In reality, the SCR file is a renamed version of a legitimate Adobe executable that is vulnerable to DLL sideloading. 

When the file is opened, a malicious DLL is loaded, directing the victim to a fake login page while secretly downloading a payload in the background. To maintain persistence, a scheduled task is created to execute the payload indirectly. 
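The access chain above (a renamed legitimate executable disguised as a CV, a DLL sideloaded from beside it, and a scheduled task for persistence) can be expressed as host-telemetry checks. The following is an added detection example written for this page; it is not code from the article or from Bitdefender. The event schema (`type`, `image`, `original_filename`, `loaded_dlls`, `action`), the trusted-directory list, and the sample events are all constructed assumptions modelled loosely on EDR-style process, module-load and task-creation telemetry.

```python
"""
Added detection example (not from the original article): flags host telemetry
matching the RedCurl access chain described above, from the defender's side.
Event records and field names are constructed assumptions modelled loosely on
EDR process/module/task telemetry; they are not any real product's schema.
"""
import ntpath  # Windows path semantics regardless of the analysis host
import re
from typing import Dict, List

# Locations where executables and their DLLs are expected to live on Windows (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (backslashes, no quotes, lower-case)."""
    return path.replace("/", "\\").strip('"').lower()


def _is_trusted(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_PREFIXES)


def check_renamed_executable(ev: Dict) -> List[str]:
    """A .scr whose PE OriginalFilename names a different binary is the
    'legitimate executable disguised as a CV' pattern from the article.
    Mismatches outside trusted install locations are flagged for any extension."""
    image = _norm(ev["image"])
    original = _norm(ev.get("original_filename", ""))
    name = ntpath.basename(image)
    if original and name != original and (name.endswith(".scr") or not _is_trusted(image)):
        return [f"renamed executable: {name} carries OriginalFilename {original}"]
    return []


def check_sideload(ev: Dict) -> List[str]:
    """A DLL resolved from the process's own directory, when that directory is
    not a trusted install location, is the search-order sideload the article describes."""
    image = _norm(ev["image"])
    if _is_trusted(image):
        return []
    image_dir = ntpath.dirname(image)
    hits = []
    for dll in ev.get("loaded_dlls", []):
        dll = _norm(dll)
        if ntpath.dirname(dll) == image_dir:
            hits.append(f"sideload candidate: {ntpath.basename(dll)} loaded from {image_dir}")
    return hits


# Quoted paths may contain spaces; unquoted ones end at whitespace, quote or comma.
_PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\[^\s",]+)', re.IGNORECASE)


def _paths_in(command: str) -> List[str]:
    return [m.group(1) or m.group(2) for m in _PATH_RE.finditer(command)]


def check_scheduled_task(ev: Dict) -> List[str]:
    """A newly created task is flagged if its action, or any path in the action's
    arguments, points outside trusted locations. Checking the arguments too catches
    the indirect execution the article mentions, where the payload is not the
    action binary itself."""
    suspicious = [p for p in _paths_in(ev.get("action", "")) if not _is_trusted(p)]
    if suspicious:
        return [f"scheduled task {ev.get('task_name', '?')} references {', '.join(suspicious)}"]
    return []


CHECKS = {
    "process_start": (check_renamed_executable, check_sideload),
    "task_created": (check_scheduled_task,),
}


def detect(events: List[Dict]) -> List[Dict]:
    """Run every check registered for an event's type; return events with reasons."""
    findings = []
    for ev in events:
        reasons: List[str] = []
        for check in CHECKS.get(ev.get("type"), ()):
            reasons.extend(check(ev))
        if reasons:
            findings.append({"host": ev.get("host"), "reasons": reasons})
    return findings


# Constructed sample telemetry (not real data). E: stands for the mounted IMG attachment;
# "VendorApp.exe" is a placeholder OriginalFilename, not a real product name.
SAMPLE_EVENTS = [
    {   # benign: Notepad from System32 loading a DLL from System32
        "type": "process_start", "host": "ws01",
        "image": r"C:\Windows\System32\notepad.exe", "original_filename": "notepad.exe",
        "loaded_dlls": [r"C:\Windows\System32\kernel32.dll"],
    },
    {   # suspicious: 'CV' screensaver that is really a renamed vendor binary,
        # pulling a DLL from the mounted image beside it
        "type": "process_start", "host": "ws01",
        "image": r"E:\CV_Applicant.scr", "original_filename": "VendorApp.exe",
        "loaded_dlls": [r"C:\Windows\System32\kernel32.dll", r"E:\netutils.dll"],
    },
    {   # benign task: action lives under Program Files (quoted path with a space)
        "type": "task_created", "host": "ws01", "task_name": "Updater",
        "action": r'"C:\Program Files\Vendor\update.exe" /quiet',
    },
    {   # suspicious task: trusted interpreter, but its argument is a user-writable path
        "type": "task_created", "host": "ws01", "task_name": "SysMaint",
        "action": r"C:\Windows\System32\cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\upd.cmd",
    },
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

Run as-is it reports two of the four constructed events: the disguised screensaver (both the name mismatch and the DLL loaded from the mounted image) and the task whose argument points into a user profile. The trusted-prefix allow-list is deliberately coarse; in production it would be replaced by the organisation's real software inventory, and the OriginalFilename check would be fed from PE version metadata collected by the endpoint agent.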

RedCurl’s Ransomware Strategy 

Unlike traditional ransomware groups that encrypt entire networks, RedCurl’s QWCrypt ransomware specifically targets hypervisors. By encrypting only the virtual machines hosted on these hypervisors, the group can disable an organization’s virtual infrastructure while keeping network gateways operational. 

This method appears to be a highly targeted approach, as it prevents widespread disruption and limits awareness of the attack to the IT department. This suggests that RedCurl is more focused on corporate espionage rather than financial extortion. 

Motivations Behind RedCurl’s Operations 

There is no evidence that RedCurl has used stolen data for extortion, which sets it apart from ransomware groups that primarily seek financial gain. Instead, the group appears to focus on acquiring proprietary information, likely for competitive advantage. 

Cybersecurity researchers believe RedCurl may be operating as a "gun-for-hire" organization, conducting attacks on behalf of third parties. This would explain its use of ransomware as a distraction, allowing it to mask its primary objective—stealing sensitive data. 

Alternatively, the group may have initially intended to sell stolen data but was not paid, leading it to deploy ransomware as a secondary means of profiting from its access.

A Strategy of Secrecy and Private Negotiations 

RedCurl does not publicly announce its victims or make ransom demands through leak sites, which is unusual for most ransomware groups. Instead, researchers suspect that the group engages in private negotiations with its targets. 

By keeping a low profile and avoiding large-scale disruptions, RedCurl is able to continue its operations without attracting widespread attention. The lack of public ransom demands further reinforces the idea that RedCurl operates in a more discreet manner than traditional ransomware gangs. 
