A group of mercenary hackers, once known for quietly stealing company secrets in cyberespionage operations, is now using ransomware to attack businesses. Cybersecurity researchers track the group as RedCurl.
Stealthy Hackers Now Deploy Ransomware to Paralyze Companies
Recently, RedCurl has been caught launching targeted attacks on company servers. The goal is to cripple the virtual machines (VMs) that run important services. By taking those VMs down, the hackers can paralyze an entire network.
A report by cybersecurity firm Bitdefender says that RedCurl has expanded its operations. The group is also known as Earth Kapre and Red Wolf.
In the past, they stole sensitive company data. Now, they are using a new and dangerous form of ransomware to lock entire networks.
The ransomware, called QWCrypt, had not been documented before. It was found last month during an attack on a North American company. Bitdefender researchers say QWCrypt targets hypervisors, the host servers whose software runs many virtual machines (VMs) at once. By encrypting the host, the hackers take down every VM it runs in a single strike.
How the Attack Works: From Phishing to Full-Blown Ransomware
RedCurl’s attacks usually start with a phishing email, a message designed to trick the recipient into opening a malicious link or attachment. Opening it installs a loader that runs quietly in the background and gives the hackers a foothold in the company’s network.
From there, RedCurl moves through the network carefully, mapping it to find the most valuable targets. Unlike other ransomware groups, RedCurl does not encrypt every computer. It focuses only on the hypervisors, which takes down every VM they host without touching each machine individually.
The attack is especially dangerous because of its precision. The hackers mapped the whole network before they struck: their scripts named specific machines, and they deliberately skipped hypervisors that also served as network gateways.
Sparing the gateways kept the company’s main internet access running. It also hid the attack from employees, who saw an outage rather than an obvious intrusion, while the rest of the IT environment was shut down.
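The observable that gives this kind of attack away is a burst of VM stops on one hypervisor host while other hosts (such as the spared gateways) keep running normally. The script below is an added example, not code from the article or from Bitdefender, that hunts for that pattern. The log format, host names, VM names and the three-stops-in-five-minutes threshold are all constructed assumptions for illustration; in practice you would feed it your own hypervisor or management-layer VM state-change events.

```python
"""Hunt for mass VM shutdowns per hypervisor host.

Added example; not from the original article or the Bitdefender report.
The log format, host/VM names and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format):
#   "<ISO timestamp> <hypervisor host> <action> <vm name>"
# hv-core-01 and hv-core-02 lose all their VMs within seconds;
# hv-edge-01 (the "gateway" host) only sees a single, routine stop.
SAMPLE_LOG = """\
2025-03-01T02:10:05 hv-core-01 VM_STOP erp-db-01
2025-03-01T02:10:07 hv-core-01 VM_STOP erp-app-01
2025-03-01T02:10:09 hv-core-01 VM_STOP fileshare-01
2025-03-01T02:10:12 hv-core-01 VM_STOP mail-01
2025-03-01T02:10:14 hv-core-01 VM_STOP ad-dc-02
2025-03-01T02:11:00 hv-core-02 VM_STOP hr-app-01
2025-03-01T02:11:03 hv-core-02 VM_STOP hr-db-01
2025-03-01T02:11:05 hv-core-02 VM_STOP crm-01
2025-03-01T02:11:08 hv-core-02 VM_STOP jump-01
2025-03-01T09:00:00 hv-edge-01 VM_STOP test-vm-03
2025-03-01T09:30:00 hv-core-01 VM_START erp-db-01
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 3                   # assumed: >= this many stops in WINDOW -> alert


def parse(log_text):
    """Parse the constructed log format into (timestamp, host, action, vm) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, vm = line.split()
        events.append((datetime.fromisoformat(ts), host, action, vm))
    return events


def find_mass_shutdowns(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: [vm, ...]} for every host where at least `threshold`
    VM_STOP events fall inside some sliding window of length `window`.
    The VM list reported is the last qualifying window found for that host."""
    stops = defaultdict(list)
    for ts, host, action, vm in sorted(events):
        if action == "VM_STOP":
            stops[host].append((ts, vm))

    alerts = {}
    for host, items in stops.items():
        start = 0
        for end in range(len(items)):
            # Advance the window's left edge until it fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = [vm for _, vm in items[start:end + 1]]
    return alerts


def untouched_hosts(events, alerts):
    """Hosts that logged VM activity but were not flagged. In a selective
    attack like the one described above, these are the hosts the attacker
    chose to spare (e.g. gateways), which is itself worth a second look."""
    seen = {host for _, host, _, _ in events}
    return sorted(seen - set(alerts))


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = find_mass_shutdowns(evs)
    for host, vms in hits.items():
        print(f"ALERT {host}: {len(vms)} VMs stopped within {WINDOW}: {vms}")
    print("hosts with activity but no alert:", untouched_hosts(evs, hits))
```

The sliding window is deliberately simple: a sorted per-host list and two indices. Because the check is per host rather than fleet-wide, a shutdown storm on two hosts out of three stands out clearly, which is exactly the contrast between the crippled hypervisors and the spared gateway that the article describes.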
After encrypting the hypervisors, the hackers left a ransom note demanding payment. The note told victims to email the group at edgypsin@proton.me to negotiate a ransom for the decryption key.
However, the note appeared to be copied from the notes of other ransomware groups, such as LockBit, HardBit, and Mimic. This made experts question RedCurl’s real goal: the ransom demand may be a decoy meant to distract from the group’s espionage.
Why RedCurl’s Shift Is Alarming
RedCurl has been active since 2018 and was known for quiet corporate espionage: stealing sensitive business data, often after gaining access through phishing emails, while leaving little trace. Its victims have included companies in Canada, Germany, Norway, Ukraine, Russia, and the UK.
The new method is alarming because it is so effective. Encrypting a hypervisor shuts down every virtual machine it runs at once, which can halt an entire company’s operations. Because individual workstations are not encrypted, employees see an outage rather than ransom notes, so at first only the IT team may realise it is an attack.
There is also no leak site linked to this ransomware, which is suspicious. Most ransomware groups run a site on the dark web where they threaten to publish stolen data unless the victim pays; RedCurl has none. This leads experts to suspect a trick: the ransom notes may be a ruse to confuse investigators, and the real goal may still be stealing data.
It is unclear how many companies RedCurl has hit with ransomware. But the shift from espionage to ransomware is alarming in itself: it shows that mercenary hackers are now willing to cripple entire businesses.