Summary: RedCurl, a Russian-speaking threat actor, has shifted tactics by deploying a new ransomware called QWCrypt, primarily targeting virtual machines. This marks a notable change from its previous focus on corporate espionage since 2018. The group uses phishing methods for initial access while maintaining a low profile and avoiding public ransom demands.
Affected: Organizations across the US, Germany, Spain, and Mexico
Key points:
- RedCurl has transitioned to using QWCrypt ransomware, specifically targeting hypervisors.
- The group’s initial access relies on phony CV phishing emails containing harmful executable files.
- No evidence suggests data stolen by RedCurl is used for extortion, implying they may operate as a ‘gun-for-hire’ group.
- Maintaining operational secrecy, they engage in discreet negotiations without visible ransom demands.
- RedCurl’s motivations and operational model remain unclear, although the group has been active since 2018.
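The initial-access point above (fake CV emails carrying an executable) is the part of this summary a mail-security team can act on directly. The following is an added example, not code from the article or from any vendor mentioned in it: it builds a constructed sample message in Python's standard `email` library and flags attachments whose filename or content contradicts the "CV" lure (executable extension, double extension such as `.pdf.exe`, or a PE `MZ` header inside a file that claims to be a document). The sender, recipient, filenames and byte contents are all made up for the demonstration.

```python
import os
from email.message import EmailMessage

# Extensions that Windows will execute directly; a job application has no reason to carry these.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
                   ".msi", ".hta", ".lnk", ".iso", ".img"}
CV_KEYWORDS = ("cv", "resume", "curriculum")


def build_sample_message() -> EmailMessage:
    """Constructed sample email mimicking a CV lure; not a real RedCurl artefact."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "Application for Analyst position - CV attached"
    msg.set_content("Please find my CV attached.")
    # Attachment 1: claims to be a PDF but has a trailing .exe and a PE header (constructed bytes).
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00", maintype="application",
                       subtype="octet-stream", filename="John_Doe_CV.pdf.exe")
    # Attachment 2: a benign-looking PDF (constructed bytes).
    msg.add_attachment(b"%PDF-1.4 cover letter", maintype="application",
                       subtype="pdf", filename="cover_letter.pdf")
    return msg


def attachment_findings(msg: EmailMessage) -> list[dict]:
    """Return one finding per attachment, with the reasons it was flagged (if any)."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        root, ext = os.path.splitext(lower)
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension {ext}")
        # A second extension hidden before the real one, e.g. "report.pdf.exe".
        if os.path.splitext(root)[1]:
            reasons.append("double extension")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            reasons.append("PE header (MZ) in payload")
        # Lure context: the filename itself advertises a CV; informative, not suspicious on its own.
        if any(k in lower for k in CV_KEYWORDS):
            reasons.append("filename suggests a CV")
        # Flag only on executable indicators; the CV keyword alone is normal for HR mail.
        suspicious = any(r.startswith(("executable", "double", "PE header")) for r in reasons)
        findings.append({"filename": name, "reasons": reasons, "suspicious": suspicious})
    return findings


def message_is_suspicious(msg: EmailMessage) -> bool:
    """True if any attachment carries an executable indicator."""
    return any(f["suspicious"] for f in attachment_findings(msg))


if __name__ == "__main__":
    sample = build_sample_message()
    for f in attachment_findings(sample):
        status = "FLAG" if f["suspicious"] else "ok  "
        print(f"{status} {f['filename']}: {', '.join(f['reasons']) or 'no indicators'}")
    print("message suspicious:", message_is_suspicious(sample))
```

In a gateway this logic would run per attachment before delivery; the useful design point is that the decision rests on the attachment's extension and magic bytes, not on the lure text, so a convincing CV-themed subject line does not lower the score.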
Source: https://www.securityweek.com/russian-espionage-group-using-ransomware-in-attacks/