Full Report
A threat actor named 'RedCurl,' known for stealthy corporate espionage operations since 2018, is now using a ransomware encryptor designed to target Hyper-V virtual machines. [...]
Analysis Summary
# Threat Actor: RedCurl
## Attribution & Identity
The threat actor discussed is **RedCurl**, a group identified as cyberspies that has extended its operations to include ransomware. The report gives no country attribution; historically the group has conducted corporate espionage.
## Activity Summary
RedCurl has been observed developing and deploying a ransomware encryptor built to encrypt the virtual machines hosted on Hyper-V servers, tailoring each deployment to the victim environment. In the observed attacks the group passed the `--excludeVM` argument to skip VMs that act as network gateways, so that encryption did not cut off network connectivity. Running ransomware alongside its established espionage tradecraft suggests either a change in objectives or a dual-use operational model.
## Tactics, Techniques & Procedures
- **System/Virtualization Targeting:** Customized encryption aimed at the virtual machines on Hyper-V hosts rather than at individual workstations.
- **Execution Control:** Command-line arguments control the scope of an encryption run (`--excludeVM`, `--hv`, `--kill`, `--turnoff`); `--excludeVM` was used to spare gateway VMs.
- **Encryption Methodology:** Uses **QWCrypt ('rbcw.exe')**, which encrypts with **XChaCha20-Poly1305**.
- **Encryption Variation:** Supports intermittent encryption (encrypting some blocks of a file and skipping others) or selective encryption decided by file size; both cut the time needed to render large VM disk images unusable.
- **Ransom Note Generation:** Creates a ransom note named `!!!how_to_unlock_randombits_files.txt$` containing text derived from LockBit, HardBit, and Mimic ransom notes.
- **File Extension:** Appends `.locked$` or `.randombits$` to encrypted files.
- **Note:** The article references a general report on top MITRE ATT&CK techniques but maps no specific technique IDs to this activity beyond the behaviour described above.
## Targeting
- Sectors: Not explicitly stated. The encryptor's Hyper-V focus indicates the group goes after organizations that run virtualized Windows server infrastructure, regardless of industry.
- Geography: Not explicitly mentioned.
- Victims: No specific organizations are named; any organization hosting Hyper-V environments is a potential target.
## Tools & Infrastructure
- **Malware Families Used:** QWCrypt ('rbcw.exe') (Ransomware encryptor).
- **Infrastructure (C2, domains, IPs):** No specific C2 infrastructure, domains, or IPs were provided in the summary text.
## Implications
RedCurl's addition of ransomware to its toolkit is a significant operational change: a group known for quiet espionage and data theft is now also causing disruption that can be monetized. That dual capability makes the threat harder to read, and the report leaves open whether the ransomware is the primary goal, a false flag, a diversion to cover data theft, or a fallback way to get paid when an espionage client does not. The group's apparent preference for private negotiation, with no dedicated leak site, points to a quiet form of extortion rather than public pressure.
## Mitigations
- Monitor and segment Hyper-V hosts and their management interfaces separately from the general server estate. Encrypting VM disk files requires access to the host's storage, so host-level process-creation and file-write telemetry is where this activity will show up.
- Lock down administrative access to the Hyper-V hosts (local administrators, the Hyper-V Administrators group, remote management and PowerShell remoting) and alert on its use outside change windows. Gateway and other connectivity VMs need the same protection as every other VM: the attackers spared them because it suited them, not because they are harder to reach.
- Keep offline, immutable backups of critical data and VM images, and test restoring them, so that recovery does not depend on paying a ransom.
- Monitor for execution of `rbcw.exe`, for the flag combinations the encryptor uses (`--hv`, `--excludeVM`, `--kill`, `--turnoff`) on any process, for creation of `!!!how_to_unlock_randombits_files.txt$`, and for files carrying the `.locked$` or `.randombits$` extension on VM storage volumes.
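As an added example (not part of the article or of the report it summarises), the following Python script turns the indicators listed under Tactics, Techniques & Procedures and in the last mitigation into detection logic and runs it over a few constructed process-creation records and file paths. The event dictionaries, paths and VM names are made up for this example; the image name, flags, note name and extensions are the ones the summary reports. It flags the encryptor binary by name, flags any process whose command line combines two or more of the scope-control flags (so a renamed binary still trips it), and flags the ransom note and the two extensions on VM storage paths.

```python
"""Detection helper for QWCrypt-style Hyper-V encryptor indicators (added example)."""
import re
from pathlib import PureWindowsPath

# Indicators reported for QWCrypt; compared case-insensitively.
ENCRYPTOR_IMAGE = "rbcw.exe"
SCOPE_FLAGS = {"--hv", "--excludevm", "--kill", "--turnoff"}
ENCRYPTED_SUFFIXES = (".locked$", ".randombits$")
RANSOM_NOTE = "!!!how_to_unlock_randombits_files.txt$"

# Windows command lines: quoted arguments stay whole, everything else splits on whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [tok.strip('"') for tok in _TOKEN.findall(command_line)]


def classify_process(image: str, command_line: str) -> list[str]:
    """Return finding labels for one process-creation event (Sysmon 1 / Security 4688 style)."""
    findings = []
    if PureWindowsPath(image).name.lower() == ENCRYPTOR_IMAGE:
        findings.append("encryptor-image")
    # A renamed copy still needs its arguments: two or more scope flags is the behavioural signal.
    flags = {tok.lower() for tok in tokenize(command_line) if tok.startswith("--")}
    matched = flags & SCOPE_FLAGS
    if len(matched) >= 2:
        findings.append("scope-flags:" + ",".join(sorted(matched)))
    return findings


def classify_path(path: str) -> list[str]:
    """Return finding labels for a file path seen in file-create/rename telemetry."""
    name = PureWindowsPath(path).name.lower()
    findings = []
    if name == RANSOM_NOTE.lower():
        findings.append("ransom-note")
    if name.endswith(ENCRYPTED_SUFFIXES):
        findings.append("encrypted-extension")
    return findings


def scan(events: list[dict], paths: list[str]) -> list[tuple]:
    """Run both classifiers and return (source, identifier, finding) tuples."""
    hits = []
    for idx, ev in enumerate(events):
        for finding in classify_process(ev["Image"], ev["CommandLine"]):
            hits.append(("process", idx, finding))
    for path in paths:
        for finding in classify_path(path):
            hits.append(("file", path, finding))
    return hits


# Constructed sample telemetry for this example; not real victim data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\rbcw.exe",
     "CommandLine": r'"C:\Windows\Temp\rbcw.exe" --hv --excludeVM "GW-EDGE01" --kill'},
    {"Image": r"C:\Windows\System32\vmms.exe", "CommandLine": "vmms.exe"},
    {"Image": r"C:\Tools\backup.exe", "CommandLine": "backup.exe --turnoff --hv"},
    {"Image": r"C:\Program Files\App\svc.exe", "CommandLine": "svc.exe --kill"},
]
SAMPLE_PATHS = [
    r"D:\Hyper-V\VMs\APP01\Virtual Hard Disks\APP01.vhdx.locked$",
    r"D:\Hyper-V\VMs\!!!how_to_unlock_randombits_files.txt$",
    r"D:\Hyper-V\VMs\GW-EDGE01\Virtual Hard Disks\GW-EDGE01.vhdx",
]

if __name__ == "__main__":
    for source, ident, finding in scan(SAMPLE_EVENTS, SAMPLE_PATHS):
        print(f"[{source}] {ident}: {finding}")
```

The flag check deliberately requires two matching arguments: `--kill` alone appears in plenty of legitimate tools, but `--hv` together with `--excludeVM`, `--kill` or `--turnoff` is the combination the summary describes. Feed it process-creation and file-write events from the Hyper-V hosts themselves, since that is where VM disk files are reachable.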