CyberSecurityNews

BQTLock & GREENBLOOD Ransomware Attacking Organizations to Encrypt and Exfiltrate Data


Two sophisticated ransomware families, BQTLock and GREENBLOOD, have surfaced in the cybersecurity landscape, utilizing contrasting strategies to disrupt business operations and extort victims.

While typical ransomware attacks often follow a predictable pattern of immediate encryption, these new strains demonstrate a dangerous evolution in tactics.

BQTLock prioritizes stealth and espionage, effectively turning the initial infection into a data breach risk before any files are locked.

Conversely, GREENBLOOD is engineered for pure speed, leveraging the Go programming language to encrypt systems and delete forensic evidence within minutes of execution.

The attack vectors for these threats differ significantly in their operational goals.

BQTLock operates much like a covert surveillance tool during its early stages, embedding itself deep within legitimate system processes to avoid triggering security alarms.


This allows threat actors to maintain long-term access and harvest sensitive information without immediate detection.

In contrast, GREENBLOOD adopts a “smash and grab” approach, utilizing fast ChaCha8 encryption to paralyze networks instantly while simultaneously applying pressure through a TOR-based leak site.

This duality presents a complex challenge for defenders, who must now account for both slow-burning espionage and high-velocity destruction simultaneously.

Any.Run analysts identified these distinct behaviors during recent sandbox sessions, noting that effective containment requires spotting the attack before encryption occurs.

Using the ANY.RUN interactive sandbox, analysts were able to observe the full behavioral chain in real time.

BQTLock attack fully exposed inside sandbox (Source - Any.Run)

Inside the ANY.RUN interactive sandbox, ransomware behavior and cleanup activity became visible while execution was still unfolding, allowing early detection during the most critical stage of the attack. 

Their research highlights that early behavioral indicators—such as unexpected process injections or rapid file modifications—are often the only warning signs available before significant damage is done.

GREENBLOOD exposed inside sandbox (Source - Any.Run)

By observing these chains in a controlled environment, security teams can pivot from reactive recovery to proactive containment, stopping the threat before it establishes a foothold.

BQTLock’s Evasion and Persistence Mechanisms

BQTLock distinguishes itself through a highly technical infection chain designed to bypass standard defenses. Upon execution, the malware does not immediately ransom the device.

Instead, it injects a Remcos payload directly into explorer.exe, a core Windows process.

This technique allows the malicious code to masquerade as legitimate system activity, effectively blinding traditional antivirus tools that trust standard operating system processes.

By hiding in plain sight, the attackers can navigate the network and escalate their privileges without raising flags.

To ensure it retains control over the compromised machine, BQTLock performs a User Account Control (UAC) bypass using fodhelper.exe.

This specific maneuver grants the malware elevated administrative rights without prompting the user for permission.

Once elevated, it establishes autorun persistence, ensuring that the malicious access survives system reboots.

This level of entrenched access allows the attackers to transition into their secondary phase: stealing credentials and capturing screens to maximize leverage for extortion.


Credentials stealing by BQTLock (Source - Any.Run)

Security professionals are advised to focus on behavioral monitoring rather than just static file signatures.

Detecting the specific interaction between explorer.exe and fodhelper.exe can serve as a high-fidelity alert for this strain.
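As an added example (not code from the article or from Any.Run), the following Python applies the behavioral check just described to constructed Sysmon-style process-creation (Event ID 1) and registry (Event ID 13) records: it alerts when fodhelper.exe is spawned by explorer.exe, and when a process descended from that fodhelper.exe instance writes an autorun Run/RunOnce key. The field names, PIDs, paths and registry values are all assumptions made up for illustration.

```python
import re

# Constructed Sysmon-style telemetry (not from a real BQTLock sample):
# Event ID 1 = process creation, Event ID 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 3900, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 5188, "ppid": 4120, "image": r"C:\Windows\System32\fodhelper.exe"},
    {"id": 1, "pid": 5204, "ppid": 5188, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 13, "pid": 5204,
     "target_object": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    # Benign: an installer writing its own Run key, unrelated to the chain above.
    {"id": 1, "pid": 6000, "ppid": 4120, "image": r"C:\Program Files\Vendor\setup.exe"},
    {"id": 13, "pid": 6000,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

# Matches "...\CurrentVersion\Run\..." and "...\CurrentVersion\RunOnce\..."
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_bqtlock_chain(events):
    """Return alert strings for explorer.exe -> fodhelper.exe launches and for
    autorun registry writes by any process in the tree under that fodhelper.exe."""
    image = {}       # pid -> image basename seen in Event ID 1
    tainted = set()  # pids rooted at a suspicious fodhelper.exe
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            pid, ppid = ev["pid"], ev["ppid"]
            image[pid] = _basename(ev["image"])
            if image[pid] == "fodhelper.exe" and image.get(ppid) == "explorer.exe":
                tainted.add(pid)
                alerts.append(f"UAC bypass suspected: explorer.exe (pid {ppid}) "
                              f"-> fodhelper.exe (pid {pid})")
            elif ppid in tainted:
                tainted.add(pid)  # children of the bypass inherit suspicion
        elif (ev["id"] == 13 and ev["pid"] in tainted
              and RUN_KEY.search(ev["target_object"])):
            alerts.append(f"Autorun persistence after bypass: pid {ev['pid']} "
                          f"wrote {ev['target_object']} = {ev['details']}")
    return alerts


if __name__ == "__main__":
    for line in detect_bqtlock_chain(SAMPLE_EVENTS):
        print(line)
```

The benign installer's Run-key write produces no alert because its process is not in the tree under the suspicious fodhelper.exe, which is what keeps the second rule from firing on ordinary software installs.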

IOCs (Source - Any.Run)

Furthermore, organizations should ensure that their threat intelligence feeds are updated to recognize the unique command-line arguments and infrastructure associated with these new families to prevent repeat infections.

