RedCurl Deploys New Ransomware Specifically Targeting Hyper-V Servers

In a significant shift from their usual modus operandi, the RedCurl threat group has deployed a new ransomware strain specifically targeting Hyper-V servers.

This development marks a notable evolution in the group’s tactics, techniques, and procedures (TTPs).

Unprecedented Targeting of Virtualized Infrastructure

The ransomware, dubbed QWCrypt by researchers, demonstrates a highly targeted approach by focusing exclusively on hypervisors.

This strategy allows RedCurl to inflict maximum damage with minimal effort by encrypting virtual machines, effectively disabling entire virtualized infrastructures.

Notably, the threat actors deliberately excluded specific VMs acting as network gateways, indicating a deep familiarity with the victim’s network architecture.

This calculated move suggests an attempt to confine the attack’s impact to IT teams, potentially to facilitate discreet negotiations.

Technical Analysis Reveals Sophisticated Tactics

According to Bitdefender's report, QWCrypt, a UPX-packed Go executable, employs a range of advanced features.

[Figure: DLL sideloading and execution order hijacking]

According to Bitdefender, these include the ability to exclude specific VMs from encryption, partial file encryption to evade detection, and the option to use either AES or ChaCha20 algorithms.
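Partial (intermittent) encryption defeats detections that score a whole file's entropy, because most of the file is untouched. The Python below is an added illustration, not code from the Bitdefender report or from QWCrypt: it builds a constructed low-entropy "disk image", overwrites a few 4 KiB chunks with random bytes to mimic partial encryption, and shows that a per-chunk entropy scan flags the file while the whole-file score stays low. The chunk size, the 7.5 bits/byte threshold and the sample layout are assumptions.

```python
import math
import random

CHUNK = 4096            # assumption: scan granularity in bytes
THRESHOLD = 7.5         # assumption: bits/byte above which a chunk looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def scan_file(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD) -> dict:
    """Compare the whole-file score with a per-chunk scan.

    'mixed' is True when only some chunks exceed the threshold, which is the
    signature of intermittent encryption: a whole-file check would miss it.
    """
    ents = chunk_entropies(data, chunk)
    high = [i for i, e in enumerate(ents) if e >= threshold]
    return {
        "whole_file_entropy": shannon_entropy(data),
        "high_entropy_chunks": len(high),
        "total_chunks": len(ents),
        "mixed": 0 < len(high) < len(ents),
    }


def build_sample(chunks: int = 16, seed: int = 7) -> bytes:
    """Constructed 64 KiB image: a 16-byte repeating pattern (4.0 bits/byte),
    with every chunk whose index is 3 mod 8 replaced by random bytes."""
    rng = random.Random(seed)
    pattern = bytes(range(16)) * (CHUNK // 16)
    out = bytearray()
    for i in range(chunks):
        if i % 8 == 3:
            out += bytes(rng.getrandbits(8) for _ in range(CHUNK))
        else:
            out += pattern
    return bytes(out)
```

Legitimately compressed or already-encrypted regions inside a VHDX (e.g. BitLocker volumes) also score high per chunk, so treat a mixed result as a triage signal to correlate with process activity and file-modification times, not as a verdict on its own.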

The ransomware’s deployment involves a multi-stage process, utilizing batch scripts customized for each victim’s environment.

These scripts disable Windows Defender, perform system reconnaissance, and execute the encryption process.

Interestingly, the ransom note associated with QWCrypt appears to be a compilation of text from other known ransomware groups, including LockBit, HardBit, and Mimic.

This peculiarity, combined with the absence of a known dedicated leak site, raises questions about RedCurl’s true motivations.

This new ransomware campaign represents a significant evolution for RedCurl, traditionally known for corporate espionage and data exfiltration.

The shift to ransomware, particularly with such a targeted approach, underscores the need for organizations to reassess their security posture, especially regarding virtualized environments.

Security experts recommend implementing a multilayered defense strategy, enhancing detection and response capabilities, and prioritizing the prevention of Living-off-the-Land (LOTL) attacks.

Additionally, organizations should focus on advanced data protection measures, including immutable backups and regular testing of recovery procedures.

As threat actors continue to evolve their tactics, staying informed about the latest threats and maintaining a proactive security stance remains crucial for organizations of all sizes.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
