SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Bitdefender uncovers the mysterious RedCurl ransomware group

Thu, 27th Mar 2025

Bitdefender has uncovered a previously unreported ransomware operation run by RedCurl, a group active since 2018 that has managed to stay largely under the radar.

The cybersecurity firm speculates that RedCurl may operate as cyber mercenaries or engage in private negotiations with victims to avoid public scrutiny.

RedCurl is known to use social engineering and spear-phishing to gain initial access, after which it navigates networks, gathers intelligence, and escalates access using built-in Windows tools before deploying ransomware targeting hypervisors.

Ransom notes associated with RedCurl's operations have been found to borrow text from other ransomware groups like LockBit. Bitdefender advises that organisations should focus on living-off-the-land (LOTL) prevention methods alongside other protective measures.

Research by Bitdefender Labs marks the first documented analysis of a ransomware operation linked to RedCurl, also known by aliases such as Earth Kapre and Red Wolf. Historically, the group has engaged in cyberespionage and data exfiltration using LOTL techniques, and this move to ransomware represents a significant change in strategy.

"This new ransomware, which we have named QWCrypt based on a self-reference 'qwc' found within the executable, is previously undocumented and distinct from known ransomware families," stated Bitdefender.

Bitdefender's investigation aims to broaden understanding of RedCurl by sharing findings with the threat intelligence community to foster further research.

RedCurl's operations and goals remain enigmatic, despite being often classified as a cyberespionage group.

Bitdefender questions this classification, emphasising the need to understand the group's business model and true motivations to gain a full operational picture.

"RedCurl's motivations raise more questions than answers. While frequently labelled a cyberespionage group, we find the evidence supporting this classification inconclusive," Bitdefender explained.

The group's activity spans the United States, Germany, Spain, and Mexico, with other researchers noting targets in Russia, a geographic spread broader and less consistent than is typical of a state-sponsored group.

Bitdefender's telemetry has identified no past attempts by RedCurl to sell exfiltrated data back to victims, an unusual characteristic for financially driven threat groups.

One hypothesis proposed by Bitdefender suggests RedCurl might function as a 'gun-for-hire' group, indicating cyber mercenary activities.

This could explain the diversity in its targets and the lack of a consistent operational pattern.

Alternatively, Bitdefender suggests RedCurl may prioritise discreet operations, conducting private negotiations to keep a low profile.

RedCurl is noted for targeting hypervisors to encrypt virtual machines while often sparing network gateways, seemingly to minimise disruption and avoid widespread detection.

RedCurl gains initial access through spear-phishing emails carrying IMG disk-image attachments disguised as CV documents; when opened, Windows mounts the image as a drive. A screensaver (.scr) file inside the image, itself an executable, is used to run the malware via DLL sideloading, a technique documented in its campaigns.

Once access is established, RedCurl moves laterally and escalates privileges across the network using Windows Management Instrumentation (WMI) and other native tools rather than dropping custom tooling.
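The two stages above (a .scr launched from a mounted IMG that sideloads a DLL, then WMI-driven lateral movement) are the kind of living-off-the-land activity Bitdefender says defenders should focus on. As an added example, not from the article or from Bitdefender, here is a small detection pass over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) events. The file names, drive letter and host name in the sample events are made up; the only RedCurl-specific assumptions are those the article states.

```python
"""Detection sketch for the LOTL chain described above (added example).

Events are constructed Sysmon-style records, not real telemetry:
  Event ID 1 = process creation, Event ID 7 = image (DLL) load.
"""
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe"}
# Remote process creation via WMIC, e.g. wmic /node:HOST process call create "..."
WMIC_REMOTE = re.compile(r"wmic(\.exe)?\s.*?/node:\S+.*?process\s+call\s+create", re.I)


@dataclass
class Event:
    event_id: int
    image: str                 # executing process
    parent_image: str = ""     # Event ID 1 only
    command_line: str = ""     # Event ID 1 only
    image_loaded: str = ""     # Event ID 7 only: the DLL that was loaded
    signed: bool = True        # Event ID 7 only: Authenticode status of the DLL


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def directory(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        img = ev.image.lower()
        if ev.event_id == 1:
            # Rule 1: a .scr is a PE; one running from outside the Windows
            # directories (e.g. a drive letter a mounted IMG just created) is suspect.
            if img.endswith(".scr") and not in_system_dir(img):
                findings.append(("scr_outside_system_dir", ev.image))
            # Rule 2: WMI-spawned shell - WmiPrvSE.exe is the parent of a shell
            # when a process was created through WMI on this host.
            if basename(ev.parent_image) == "wmiprvse.exe" and basename(ev.image) in SHELLS:
                findings.append(("wmi_spawned_process", ev.command_line))
            # Rule 3: the operator side of the same move - WMIC creating a remote process.
            if WMIC_REMOTE.search(ev.command_line):
                findings.append(("wmic_remote_process_create", ev.command_line))
        elif ev.event_id == 7:
            # Rule 4: DLL sideloading - the .scr loads an unsigned DLL that sits in
            # its own directory instead of the System32 copy Windows would resolve.
            if (img.endswith(".scr") and not ev.signed
                    and directory(ev.image_loaded) == directory(ev.image)):
                findings.append(("scr_unsigned_sideload", ev.image_loaded))
    return findings


# Constructed sample events (hypothetical names; E:\ stands for the mounted IMG).
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    Event(1, r"E:\Resume_2025.scr", r"C:\Windows\explorer.exe", r'"E:\Resume_2025.scr"'),
    Event(7, r"E:\Resume_2025.scr", image_loaded=r"E:\helper.dll", signed=False),
    Event(7, r"E:\Resume_2025.scr", image_loaded=r"C:\Windows\System32\kernel32.dll"),
    Event(1, r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cmd.exe",
          r'wmic /node:FS01 process call create "cmd.exe /c whoami > \\FS01\c$\out.txt"'),
    Event(1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          r"cmd.exe /c whoami"),
    # Benign: the built-in screensaver started by winlogon from System32.
    Event(1, r"C:\Windows\System32\scrnsave.scr", r"C:\Windows\System32\winlogon.exe"),
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {evidence}")
```

Rules 1 and 4 are deliberately narrow (they key on the .scr extension and on a same-directory unsigned DLL) so they stay quiet on the legitimate System32 screensaver; in a real deployment you would broaden Rule 1 to any PE started from a removable or freshly mounted volume and feed Rule 4 with the signature status your EDR or Sysmon actually records.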

The ransomware is aimed specifically at hypervisors rather than individual endpoints. The ransom note is crafted by repurposing text from other known groups, which raises questions about whether its extortion attempts are genuine.

Bitdefender's recommendations include a robust multilayered defence strategy, improved detection and response systems, and a heightened focus on LOTL prevention to counter threats similar to RedCurl's operations.

As part of these recommendations, Bitdefender advocates for enhancements in data protection strategies, such as immutable backups and strict access controls, to reduce potential impacts of such cyber threats.

Implementing these measures could fortify organisational defences against ever-evolving cyber adversaries.
