published 2 months ago

RedCurl uses new QWCrypt ransomware in hypervisor attacks

- Bitdefender Labs reported on March 26, 2025, a change in the tactics of the cyber threat group known as RedCurl, also called Earth Kapre or Red Wolf. Previously, this group kept a low profile and focused on covert data theft. They are now connected to a new ransomware campaign using a strain called QWCrypt, which targets hypervisors and disrupts infrastructure while staying stealthy. This ransomware is new and distinct from known families.
- This finding leads to a reevaluation of RedCurl's operational methods since the group first appeared in 2018. Their targeting, mainly in the U.S. but also in Germany, Spain, Mexico, and even Russia, makes them hard to classify. Notably, RedCurl has not previously sold stolen data, which is common practice for ransomware groups and adds to their mystery.
- RedCurl employs advanced techniques such as DLL sideloading and Living-off-the-Land strategies, and avoids public leak sites, which is unusual for a ransomware operation. For their ransomware campaign, they still rely on phishing emails carrying IMG files made to look like CV documents. Opening these files releases a malicious screensaver that loads a malicious DLL to download the final payload, evading detection through encrypted strings and legitimate Windows tools.
- Once inside a network, RedCurl moves laterally with built-in Windows tools to collect data and escalate privileges, using modified tools that bypass normal connections. Their ransomware targets specific systems, using batch files to disable security controls and launch the ransomware, which encrypts virtual machines.
- Bitdefender suggests two hypotheses to explain RedCurl's unusual behavior. They might be gun-for-hire mercenaries with varied targets, or they may prefer quiet negotiations with victims to reduce attention. The report concludes with recommendations for multilayered defenses and enhanced threat intelligence to counter threats like RedCurl.
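The delivery chain summarized above (a CV-themed IMG attachment, a screensaver inside it, a DLL sideloaded from the same location) can be turned into a simple endpoint detection heuristic. The following is an added example written for this page, not code from Bitdefender or from the report; the event schema, the trusted-directory list, the mounted drive letter and every file name in the sample events are constructed assumptions rather than indicators taken from the report.

```python
"""Heuristic detection for the delivery chain described above: a screensaver
(.scr) launched from outside the Windows system directories that then loads
a DLL from its own directory (a DLL sideloading pattern).
All events below are constructed sample telemetry, not real observations."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import ntpath  # Windows path handling regardless of the analysis host OS


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    host: str
    kind: str          # "process_create" or "image_load"
    pid: int
    image: str         # process image (process_create) or loaded module (image_load)
    parent: str = ""   # parent image, only for process_create


# Assumption: a legitimate screensaver normally runs from these directories.
TRUSTED_DIRS: Tuple[str, ...] = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_suspicious_scr(ev: Event) -> bool:
    """A .scr process created outside the trusted system directories."""
    if ev.kind != "process_create":
        return False
    img = ev.image.lower()
    if not img.endswith(".scr"):
        return False
    return not ntpath.dirname(img).startswith(TRUSTED_DIRS)


def detect_scr_sideload(events: List[Event], window: int = 60) -> List[Dict]:
    """Alert when a suspicious .scr loads a DLL from the directory it was
    started from within `window` seconds of process creation."""
    scr_procs: Dict[Tuple[str, int], Event] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if is_suspicious_scr(ev):
            scr_procs[key] = ev
            continue
        if ev.kind != "image_load" or key not in scr_procs:
            continue
        start = scr_procs[key]
        module = ev.image.lower()
        same_dir = ntpath.dirname(module) == ntpath.dirname(start.image.lower())
        if module.endswith(".dll") and same_dir and ev.ts - start.ts <= window:
            alerts.append({
                "host": ev.host,
                "pid": ev.pid,
                "screensaver": start.image,
                "sideloaded_dll": ev.image,
                "parent": start.parent,
            })
    return alerts


# Constructed sample events: E: is assumed to be the mounted IMG attachment.
SAMPLE_EVENTS = [
    Event(100, "ws01", "process_create", 4120, r"E:\CV_Candidate.scr", r"C:\Windows\explorer.exe"),
    Event(101, "ws01", "image_load", 4120, r"C:\Windows\System32\kernel32.dll"),
    Event(102, "ws01", "image_load", 4120, r"E:\helper.dll"),          # same dir as the .scr
    Event(200, "ws01", "process_create", 5000, r"C:\Windows\System32\Bubbles.scr", r"C:\Windows\explorer.exe"),
    Event(201, "ws01", "image_load", 5000, r"C:\Windows\System32\d3d9.dll"),  # benign, trusted dir
]

if __name__ == "__main__":
    for alert in detect_scr_sideload(SAMPLE_EVENTS):
        print(alert)
```

The check deliberately keys on behaviour (where the screensaver ran from and what it loaded next) rather than on file names, since the lures and DLL names will change between campaigns; tune `TRUSTED_DIRS` and `window` to the environment before deploying.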