RedCurl Shifts from Espionage to Ransomware with First-Ever QWCrypt Deployment

Summary: The Russian-speaking hacking group RedCurl has been identified for the first time as launching a ransomware campaign using a new strain named QWCrypt. Historically known for corporate espionage attacks, RedCurl’s latest activities include sophisticated social engineering tactics to deploy malware and encrypt virtual machines, severely disrupting their targets. Analysts suggest this shift in tactics may signify an intention to maximize damage with less effort.

Affected: Organizations in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States

Key points:

  • RedCurl has initiated a ransomware campaign, marking a significant change in their usual modus operandi.
  • The group’s attack sequence uses social engineering, disguising malware within documents to mislead victims.
  • The newly introduced ransomware employs tactics like the bring your own vulnerable driver (BYOVD) technique and shows similarities to ransom notes from other groups such as LockBit.

Source: https://thehackernews.com/2025/03/redcurl-shifts-from-espionage-to.html