Hyper-V virtual machines have been targeted by Russian cyberespionage group RedCurl with its new QWCrypt ransomware, marking the operation's initial foray into ransomware, BleepingComputer reports.
Malicious emails carry IMG attachments disguised as CVs; each contains a screensaver file that facilitates payload sideloading and persistence. RedCurl then distributes a custom wmiexec variant for lateral movement and the Chisel tool for tunneling and remote desktop protocol access, deactivates security defenses, and finally delivers the QWCrypt ransomware, according to findings from Bitdefender Labs researchers. Further analysis of QWCrypt showed extensive command-line argument support, including options to exclude VMs that serve as network gateways and to enable intermittent encryption. RedCurl's adoption of ransomware may indicate that it operates as a third-party provider to other threat actors, or that it is covertly trying to strengthen its income streams, Bitdefender noted. "The RedCurl group's recent deployment of ransomware marks a significant evolution in their tactics. This departure from their established modus operandi raises critical questions about their motivations and operational objectives," said Bitdefender.
Cybernews reports that BreachForums had its planned revival last week purportedly hindered by a zero-day intrusion against the outdated MyBB forum software used by the BreachForums[.]st site then owned by "Anastasia."
Hitachi Vantara, the IT service management subsidiary of Japanese multinational conglomerate Hitachi that counts T-Mobile, BMW, and China Telecom among its clientele, had its servers taken down following a cyberattack over the weekend, which has been attributed to the Akira ransomware gang, BleepingComputer reports.
Urban One, a U.S. media conglomerate focused on the African American community, has disclosed having its employees' personal data and other corporate information exfiltrated in a "sophisticated social engineering campaign" in February, which was claimed by the Cactus ransomware operation last month, reports The Record, a news site by cybersecurity firm Recorded Future.