BQTLOCK Ransomware Attacking Windows Users Via Telegram to Encrypt Files and Delete Backup

Security researchers have uncovered a new Ransomware-as-a-Service (RaaS) strain named BQTLOCK that is actively targeting Windows users through Telegram channels and dark web forums. Since mid-July, affiliates of the service have been distributing a ZIP archive containing a malicious executable that encrypts a wide range of file types, appends a custom “.bqtlock” extension, and deletes system backups to prevent recovery.

BQTLOCK incorporates multiple anti-analysis measures to evade detection. The malware uses string obfuscation, debugger checks via IsDebuggerPresent and CheckRemoteDebuggerPresent, and stubs for virtual machine evasion.

Once executed, the file Update.exe iterates through the filesystem—excluding Windows system directories—and encrypts files under 50 MB using AES-256 for file content and RSA-4096 to protect the AES key and initialization vector.

Victims receive a ransom note demanding payment in Monero within 48 hours, under threat of doubling the fee and permanently erasing decryption keys if contact is not made.

Encrypted files are renamed with the “.bqtlock” extension, and a ransom note is dropped in each directory.

The note instructs victims to contact the attackers via Telegram or X (formerly Twitter) within 48 hours to pay 13 to 40 XMR (approximately $3,600 to $10,000). Failure to respond results in a doubled ransom, and after seven days, the attackers delete the decryption keys and threaten to publish stolen data.

BQTLOCK Ransomware

Upon execution, BQTLOCK performs a series of reconnaissance and privilege escalation steps. It gathers system information—including host name, user name, hardware ID, and public IP address via icanhazip.com—and exfiltrates this data through a Discord webhook.

The malware attempts to enable SeDebugPrivilege and employs UAC bypass techniques using CMSTP, fodhelper.exe, and eventvwr.exe to gain elevated privileges without user interaction.

It creates a new local administrator account named “BQTLockAdmin” and injects its code into explorer.exe via process hollowing to maintain stealth.

BQTLOCK also terminates antivirus and backup services by enumerating running processes using CreateToolhelp32Snapshot and forcibly terminating targeted processes.

To ensure long-term persistence, it registers a scheduled task under Microsoft\Windows\Maintenance\SystemHealthCheck, sets a custom wallpaper, and modifies file icons by updating registry keys under HKEY_CLASSES_ROOT.

RaaS Subscription Options

The BQTLOCK RaaS offers three subscription tiers—Starter, Professional, and Enterprise—with configurable ransom note details, wallpaper image, icon, file extensions, and optional anti-analysis features.

Subscription Models.

Affiliates can tailor payloads without coding experience, simply by adjusting settings in the ransomware builder interface.

A version 4 builder released in August added new anti-debug checks using OutputDebugString and GetTickCount, enhanced code obfuscation, UAC bypass methods, and credential-stealing modules targeting stored passwords from Chrome, Firefox, Edge, Opera, and Brave.

This variant abuses WMI queries to harvest hardware details, drops a batch script for self-deletion, clears event logs, and self-copies to the %TEMP% directory for lateral movement.

ZeroDayX, the alleged leader behind the group, claims BQTLOCK is fully undetectable by antivirus vendors. However, analysis revealed a corrupted ISO sample and limited submissions on VirusTotal, suggesting these claims are misleading.

Post-recon, the ransomware attempts to establish persistent administrative access by creating a new local user “BQTLockAdmin” with the password “Password123!” through the NetUserAdd API.

Adding User to Administrators.

Despite a block on their original Telegram channel, the operators reopened under a new channel and even offered free access for three days to entice new affiliates. They also launched “BAQIYAT.osint,” a paid platform for searching stolen data.

With ransomware attacks on the rise, organizations and individuals must maintain up-to-date antivirus defenses, employ robust backup strategies—preferably offline or immutable—and monitor for suspicious scheduled tasks and new administrative accounts.
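A detection check for the two persistence artefacts the article describes (the new local administrator account and the scheduled task), added here as an example and not part of the original report or the malware analysis: it walks a constructed list of simplified Windows Security-log events (IDs 4720, 4732 and 4698) and flags the BQTLOCK indicators, plus the more general pattern of a freshly created account being added to Administrators. The backslash-separated task path is an assumption about the article's flattened task name, and the event message layout is a simplified export, not the exact Windows wording.

```python
import re
from typing import Dict, List

# Constructed sample events (assumption: a simplified "Event ID + message" export of
# the Windows Security log; these lines are not from the article or from BQTLOCK).
SAMPLE_EVENTS = [
    {"id": 4720, "msg": "A user account was created. Account Name: BQTLockAdmin"},
    {"id": 4732, "msg": "A member was added to a security-enabled local group. "
                        "Member: BQTLockAdmin Group Name: Administrators"},
    {"id": 4698, "msg": "A scheduled task was created. "
                        "Task Name: \\Microsoft\\Windows\\Maintenance\\SystemHealthCheck"},
    {"id": 4698, "msg": "A scheduled task was created. "
                        "Task Name: \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"id": 4720, "msg": "A user account was created. Account Name: svc_backup"},
]

# Indicators reported for BQTLOCK in the article (task path separators assumed).
KNOWN_ACCOUNT = "BQTLockAdmin"
KNOWN_TASK = r"\Microsoft\Windows\Maintenance\SystemHealthCheck"

def field(msg: str, name: str) -> str:
    """Pull the single-token value following 'Name:' out of an event message."""
    m = re.search(rf"{re.escape(name)}:\s*(\S+)", msg)
    return m.group(1) if m else ""

def detect(events: List[Dict]) -> List[str]:
    """Return alert strings for BQTLOCK-style persistence seen in the event stream."""
    alerts, new_accounts = [], set()
    for ev in events:
        eid, msg = ev["id"], ev["msg"]
        if eid == 4720:                      # local account created
            acct = field(msg, "Account Name")
            new_accounts.add(acct.lower())   # remember it for later elevation checks
            if acct.lower() == KNOWN_ACCOUNT.lower():
                alerts.append(f"HIGH: known BQTLOCK account created: {acct}")
        elif eid == 4732:                    # member added to a local group
            member, group = field(msg, "Member"), field(msg, "Group Name")
            if group.lower() == "administrators" and member.lower() in new_accounts:
                alerts.append(f"HIGH: freshly created account {member} added to Administrators")
        elif eid == 4698:                    # scheduled task registered
            task = field(msg, "Task Name")
            if task.lower() == KNOWN_TASK.lower():
                alerts.append(f"HIGH: BQTLOCK persistence task registered: {task}")
            elif "\\microsoft\\windows\\" in task.lower():
                # Tasks dropped into the Microsoft folder tree blend in; review them.
                alerts.append(f"INFO: review new task in Microsoft folder: {task}")
    return alerts

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```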

Solutions such as K7 Total Security can provide an additional layer of protection against emergent threats like BQTLOCK.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.