Ransomware-as-a-Service (RaaS) models continue to democratize sophisticated attacks in the ever-changing world of cybercrime by allowing affiliates with little technical know-how to distribute ransomware through profit-sharing or subscription models.
A newly identified strain, BQTLock, has emerged since mid-July 2025, operating under this RaaS paradigm and marketed aggressively on dark web forums and Telegram channels.
Overview of the Emerging Threat
Linked to ZerodayX, the alleged leader of the pro-Palestinian hacktivist group Liwaa Mohammed (previously associated with the Saudi games data breach), BQTLock employs double extortion tactics, encrypting files with a .bqtlock extension and threatening data leaks if ransoms of 13 to 40 XMR (approximately $3,600 to $10,000) are not paid in Monero within 48 hours.
Failure to comply doubles the demand, with keys deleted and data sold after seven days. Distributed as a ZIP archive containing Update.exe and supporting DLLs, the malware integrates anti-analysis measures like string obfuscation, debugger detection via IsDebuggerPresent(), and virtual machine evasion stubs, alongside mutex checks to prevent multiple instances.
BQTLock’s subscription tiers (Starter, Professional, and Enterprise) offer customizable features, including ransom note modifications, custom C2 servers, file extensions, and opt-in anti-debug/anti-VM capabilities.

Post-infection, it escalates privileges using SeDebugPrivilege and performs process hollowing into explorer.exe for stealth.
System reconnaissance gathers details like computer name, IP addresses, hardware IDs, and disk space, exfiltrated via Discord webhooks in JSON format, often accompanied by desktop screenshots saved as bqt_screenshot.png.
To hinder recovery, it disables Windows mechanisms through commands like vssadmin delete shadows and bcdedit /set recoveryenabled No, while terminating security processes via CreateToolhelp32Snapshot and TerminateProcess against a hardcoded list.
Persistence is achieved by scheduling tasks mimicking legitimate Microsoft entries, such as MicrosoftWindowsMaintenanceSystemHealthCheck, and altering desktop wallpapers and file icons via registry modifications and SHChangeNotify.
Advanced Techniques in Updated Variants
An updated BQTLock variant analyzed on August 5, 2025, intensifies evasion with enhanced anti-debugging (CheckRemoteDebuggerPresent(), OutputDebugString(), GetTickCount() for timing anomalies), UAC bypasses via CMSTP, fodhelper.exe, and eventvwr.exe through registry hijacking, and heavier code obfuscation.
It expands reconnaissance using WMI for hardware details, introduces credential theft from browsers like Chrome, Firefox, and Edge by accessing Login Data files and decrypting with keys from key4.db, and enables lateral movement by self-copying as bqtpayload.exe in %TEMP%.
Encryption follows a hybrid AES-256/RSA-4096 scheme, with random keys and IVs generated via RAND_bytes, appended to files after skipping system directories like Windows and Program Files to preserve stability.
According to the report, post-encryption self-deletion occurs via batch scripts, and event logs are cleared to erase traces.
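As an added illustration (not from the report and not K7's own tooling), the following Python detector applies the behaviours described above to process-creation telemetry: shadow-copy deletion, the bcdedit recovery change, the look-alike scheduled task, the bqtpayload.exe copy in %TEMP%, and unexpected children of the auto-elevating binaries abused for the UAC bypass. The log lines are constructed, and the key=value layout, field names and expected-child table are assumptions made for this example.

```python
import re
# Constructed process-creation events (not real telemetry); the key=value layout and field names are assumptions.
SAMPLE_LOG = r'''
host=WS01 parent=C:\Windows\explorer.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
host=WS01 parent=C:\Windows\explorer.exe image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"
host=WS01 parent=C:\Windows\explorer.exe image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn MicrosoftWindowsMaintenanceSystemHealthCheck /tr C:\Users\u\AppData\Local\Temp\bqtpayload.exe /sc onlogon"
host=WS01 parent=C:\Windows\System32\fodhelper.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c C:\Users\u\AppData\Local\Temp\bqtpayload.exe"
host=WS02 parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"
host=WS02 parent=C:\Windows\System32\eventvwr.exe image=C:\Windows\System32\mmc.exe cmdline="mmc.exe eventvwr.msc"
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Command-line patterns for the recovery-inhibition and persistence steps the report describes.
CMDLINE_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("lookalike_scheduled_task", re.compile(r"\bschtasks(\.exe)?\s+/create\b.*MicrosoftWindowsMaintenanceSystemHealthCheck", re.I)),
    ("payload_copy_in_temp", re.compile(r"\\Temp\\bqtpayload\.exe\b", re.I)),
]
# Auto-elevating binaries abused for the UAC bypass, mapped to the children they legitimately spawn
# (assumption: eventvwr.exe opens mmc.exe; fodhelper.exe and cmstp.exe normally spawn nothing).
UAC_AUTOELEVATE = {"eventvwr.exe": {"mmc.exe"}, "fodhelper.exe": set(), "cmstp.exe": set()}

def parse_event(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of every rule the event triggers (possibly several)."""
    hits = []
    text = event.get("cmdline", "") + " " + event.get("image", "")
    for name, pattern in CMDLINE_RULES:
        if pattern.search(text):
            hits.append(name)
    parent, child = basename(event.get("parent", "")), basename(event.get("image", ""))
    if parent in UAC_AUTOELEVATE and child not in UAC_AUTOELEVATE[parent]:
        hits.append("uac_bypass_child")
    return hits

def scan(log_text):
    """Run every rule over every line; return (host, rule) pairs in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        findings.extend((event.get("host", "?"), name) for name in evaluate(event))
    return findings
```

Note that the parent of the first three commands is explorer.exe, which is exactly what the process hollowing described above produces, so parent-process anomalies alone would miss them and the command-line rules carry the detection.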
Despite claims of being fully undetectable (FUD) on VirusTotal, samples appear corrupted and suspiciously uploaded from Lebanon, casting doubt on legitimacy.
Recent promotions highlight a Ransomware Builder V4 with extensive customizations, though updates have purportedly ceased after four versions in under a month, alongside a blocked Telegram channel and free service offers on new ones.
The group also launched BAQIYAT.osint, a paid tool for searching stolen data, underscoring a commercialized approach to ransomware.
Amid rising threats, deploying updated security solutions like K7 Total Security is essential for mitigation, emphasizing proactive CVE monitoring and threat intelligence.
Indicators of Compromise (IoCs)
Category | IOC Details
---|---
Hash | 4E7434AC13001FE55474573AA5E9379D (Ransomware (005a7a3d1))
Hash | 7170292337A894CE9A58F5B2176DFEFC (Ransomware (005a7a3d1))
Ransomware Site | hxxp://yywhylvqeqynzik6ibocb53o2nat7lmzn5ynjpar3stndzcgmy6dkgid.onion
X | hxxps://x.com/Zerodayx1
Telegram | hxxps://t.me/BQTlock
Telegram | hxxps://t.me/Fuch0u
Telegram | hxxps://t.me/BQTnet
Telegram | hxxps://t.me/BQTlock_raas
Crypto Wallet | 89RQN2EUmiX6vL7nTv3viqUAgbDpN4ab329zPCEgbceQJuS233uye4eXtYk3MXAtVoKNMmzgVrxXphLZbJPtearY7QVuApr
Email | [email protected]