RedCurl cyberspies create ransomware to encrypt Hyper-V servers


A threat actor named 'RedCurl,' known for stealthy corporate espionage operations since 2018, is now using a ransomware encryptor designed to target Hyper-V virtual machines.

Previously, RedCurl was spotted by Group-IB targeting corporate entities worldwide, later expanding its operations and increasing the victim count.

However, as Bitdefender Labs researchers report, the threat actors have started deploying ransomware on compromised networks.

"We've seen RedCurl stick to their usual playbook in most cases, continuing with data exfiltration over longer periods of time," reads the Bitdefender report.

"However, one case stood out. They broke their routine and deployed ransomware for the first time."

As enterprises increasingly move their servers onto virtual machines, ransomware gangs have followed the trend, creating encryptors that specifically target virtualization platforms.

While most ransomware operations focus on targeting VMware ESXi servers, RedCurl's new "QWCrypt" ransomware specifically targets virtual machines hosted on Hyper-V.

QWCrypt attacks

The attacks observed by Bitdefender start with phishing emails with ".IMG" attachments disguised as CVs. IMG files are disk image files that are automatically mounted by Windows under a new drive letter when they are double-clicked.

The IMG files contain a screensaver file that abuses a legitimate Adobe executable susceptible to DLL sideloading; the sideloaded code downloads a payload and establishes persistence via a scheduled task.

RedCurl leverages "living-off-the-land" tools to maintain stealth on Windows systems, uses a custom wmiexec variant to spread laterally in the network without triggering security tools, and uses the tool 'Chisel' for tunneling/RDP access.

To turn off defenses before the ransomware deployment, the attackers use encrypted 7z archives and a multi-stage PowerShell process.

Unlike many Windows ransomware encryptors, QWCrypt supports numerous command-line arguments that customize how the encryptor targets Hyper-V virtual machines:

    --excludeVM string   Exclude VMs (csv list)
    --hv                 Encrypt HyperV VMs
    --kill               Kill VM process
    --turnoff            TurnOff HyperV VMs (default true)

In attacks seen by Bitdefender, RedCurl used the --excludeVM argument to skip virtual machines acting as network gateways, so as not to disrupt the network and draw attention.

When encrypting files, the researchers say that QWCrypt ('rbcw.exe') uses the XChaCha20-Poly1305 encryption algorithm and appends either the .locked$ or .randombits$ extension to encrypted files.

The encryptor also offers the option to use intermittent encryption (block skipping) or selective file encryption based on size for increased speed.

The ransom note created by QWCrypt is named "!!!how_to_unlock_randombits_files.txt$" and contains a mixture of text from LockBit, HardBit, and Mimic ransom notes.
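The file extensions and ransom note name above are the host-side artifacts a Hyper-V administrator can hunt for. The script below is an added example, not code from the article or from Bitdefender; it uses the Hyper-V PowerShell module to derive the storage roots to scan (an assumption about where VM files live) and also lists VMs that are off but configured to auto-start, since QWCrypt shuts VMs down before encrypting (--turnoff defaults to true).

```powershell
# Added example: hunt a Hyper-V host for the QWCrypt artifacts named in the
# article. Requires the Hyper-V module; run from an elevated session.
# Indicators come from the article; scan roots are derived from host config.
$EncryptedPatterns = @('*.locked$', '*.randombits$')   # '$' is literal in the filename
$RansomNotePattern = '!!!how_to_unlock_randombits_files.txt$'

function Get-HyperVStorageRoots {
    # Host default paths plus the folder of every attached virtual disk.
    $roots = @()
    $hv = Get-VMHost
    $roots += $hv.VirtualHardDiskPath, $hv.VirtualMachinePath
    Get-VM | Get-VMHardDiskDrive | ForEach-Object {
        if ($_.Path) { $roots += Split-Path -Path $_.Path -Parent }
    }
    $roots | Where-Object { $_ -and (Test-Path -Path $_) } | Sort-Object -Unique
}

function Find-QWCryptArtifacts {
    param([string[]]$Roots = (Get-HyperVStorageRoots))
    foreach ($root in $Roots) {
        foreach ($pattern in ($EncryptedPatterns + $RansomNotePattern)) {
            # -Filter is evaluated by the filesystem provider, so it is fast on large VHD folders.
            Get-ChildItem -Path $root -Filter $pattern -Recurse -File -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, LastWriteTime,
                              @{ Name = 'Indicator'; Expression = { $pattern } }
        }
    }
}

function Get-UnexpectedlyOffVMs {
    # VMs that should start automatically but are currently Off deserve a look:
    # the encryptor powers VMs down so their disk files can be encrypted.
    Get-VM |
        Where-Object { $_.State -eq 'Off' -and $_.AutomaticStartAction -ne 'Nothing' } |
        Select-Object Name, State, AutomaticStartAction
}

Find-QWCryptArtifacts | Format-Table -AutoSize
Get-UnexpectedlyOffVMs | Format-Table -AutoSize
```

A hit on any of the three filename patterns is high-confidence; an Off VM on its own is only a prompt to check the Hyper-V-VMMS event log for who stopped it and when.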

The absence of a dedicated leak site for double extortion raises questions about whether RedCurl is using ransomware as a false flag or for genuine extortion.

Money, disruption, or diversion?

Bitdefender outlines two main hypotheses for why RedCurl now includes ransomware in its operations.

The first is that RedCurl operates as a mercenary group offering services to third parties, which results in a mix of espionage operations and financially motivated attacks.

In some situations, the ransomware could be a distraction to cover for data theft, or a fallback to monetize access when a client fails to pay for their primary services (data collection).

The second theory is that RedCurl does engage in ransomware operations for enrichment, but opts to do so silently, preferring private negotiations over public ransom demands and data leaks.

"The RedCurl group's recent deployment of ransomware marks a significant evolution in their tactics," concludes Bitdefender.

"This departure from their established modus operandi raises critical questions about their motivations and operational objectives."
