A threat actor named “RedCurl” has created ransomware to encrypt Hyper-V servers

A threat actor named ‘RedCurl,’ known for stealthy corporate espionage operations since 2018, is now using a ransomware encryptor designed to target Hyper-V virtual machines. This is what Bitdefender had to say:

This research, conducted by Bitdefender Labs, presents the first documented analysis of a ransomware campaign attributed to the RedCurl group (also known as Earth Kapre or Red Wolf). RedCurl has historically maintained a low profile, relying heavily on Living-off-the-Land (LOTL) techniques for corporate cyber espionage and data exfiltration. This shift to ransomware marks a significant evolution in their tactics.

This new ransomware, which we have named QWCrypt based on a self-reference ‘qwc’ found within the executable, is previously undocumented and distinct from known ransomware families.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented:

“While targeting Microsoft Hyper-V servers is nothing new (example: https://cybercx.com/blog/akira-ransomware/), this indicates an increased focus on Hyper-V and virtualization platforms in general. It’s actually far easier to bring down an organization using an enterprise virtualization platform than one with hundreds of disparate, separately located on-premise servers. If I get on your VM host server, now, with one compromise, I can more easily control and manipulate the whole kingdom. I can more easily encrypt entire servers. I can more easily exfiltrate large amounts of sensitive data. I can more easily corrupt backup services. It’s not good. But the question you need to ask is how the bad guy got to your VM host servers in the first place? Was it social engineering? Was it unpatched software or firmware? Was it stolen logon credentials or bypassed phishable MFA? Because those are the most likely reasons and if you don’t figure those out your environment is not going to be safe no matter what else you do.”
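One practical check that follows from all of this: if an encryptor has run against a Hyper-V host, the disk images it touched no longer carry their format signatures. The script below is an added example and is not code from Bitdefender, RedCurl/QWCrypt, or this post; it assumes only two documented on-disk facts, that a VHDX file begins with the ASCII signature “vhdxfile” and that a VHD file ends with a 512-byte footer that begins with the cookie “conectix”. It walks a storage tree and reports any .vhdx/.avhdx or .vhd/.avhd file whose header or footer no longer parses. The sample tree it builds in a temp directory is constructed for the demo (the file names are made up), and the page does not describe how QWCrypt actually writes its output, so treat the “ciphertext overwrote the image in place” scenario as an assumption: an encryptor that renames or adds an extension instead would show up as missing files rather than damaged ones.

```python
import os
import tempfile

# Signatures defined by the VHDX and VHD on-disk formats.
VHDX_SIGNATURE = b"vhdxfile"   # first 8 bytes of a VHDX file (File Type Identifier)
VHD_COOKIE = b"conectix"       # first 8 bytes of the 512-byte VHD footer


def inspect_disk_image(path):
    """Return 'ok', 'damaged' or 'unknown-type' for one file, based on its extension."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        if ext in (".vhdx", ".avhdx"):
            return "ok" if f.read(8) == VHDX_SIGNATURE else "damaged"
        if ext in (".vhd", ".avhd"):
            # Fixed VHDs carry the footer only at the end; dynamic/differencing
            # VHDs mirror it at offset 0 as well. The footer is always present,
            # so the last 512 bytes are the reliable place to look.
            f.seek(0, os.SEEK_END)
            size = f.tell()
            if size < 512:
                return "damaged"
            f.seek(size - 512)
            return "ok" if f.read(8) == VHD_COOKIE else "damaged"
    return "unknown-type"


def scan_vm_storage(root):
    """Walk a Hyper-V storage tree (read-only) and return the sorted list of damaged images."""
    damaged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if inspect_disk_image(path) == "damaged":
                damaged.append(path)
    return sorted(damaged)


def build_sample_tree(root):
    """Write constructed sample files (not real VM disks) under root; return the expected findings."""
    os.makedirs(root, exist_ok=True)

    def write(name, data):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        return path

    # Healthy images: a minimal VHDX header and a VHD with a valid trailing footer.
    write("web01.vhdx", VHDX_SIGNATURE + b"\x00" * 1024)
    write("legacy.vhd", b"\x00" * 4096 + VHD_COOKIE + b"\x00" * 504)
    write("notes.txt", b"not a disk image")           # ignored: unknown type
    # Assumed scenario: ciphertext overwrote the image in place. A fixed
    # pseudo-random pattern stands in for encrypted bytes; it carries no signature.
    garbage = bytes((i * 131 + 7) % 256 for i in range(2048))
    bad_vhdx = write("db01.vhdx", garbage)
    bad_avhd = write("db01_snapshot.avhd", garbage)
    return sorted([bad_vhdx, bad_avhd])


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return what was expected vs. found."""
    root = tempfile.mkdtemp(prefix="hyperv-sample-")
    expected = build_sample_tree(root)
    found = scan_vm_storage(root)
    return {"expected": expected, "found": found, "consistent": expected == found}


if __name__ == "__main__":
    result = run_demo()
    for path in result["found"]:
        print("header/footer missing:", path)
    print("consistent:", result["consistent"])
```

To use it against a real host, point `scan_vm_storage()` at the VM storage root (for example the directory that holds the Virtual Hard Disks folders) rather than calling `run_demo()`; it only reads the first or last 512 bytes of each file, so it is safe to run while VMs are up, and a non-empty result is a strong signal to pull the host off the network before looking any further.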
