Inside BQTLOCK – RaaS Platform Leveraging Stealth and Advanced Evasion Tactics

A new ransomware strain called BQTLOCK has been active since mid-July 2024, operating under a Ransomware-as-a-Service (RaaS) model that pairs anti-analysis techniques with a commercial subscription offering.

It is associated with ZerodayX, the alleged leader of the pro-Palestinian hacktivist group Liwaa Mohammed, and it illustrates a worrying trend in the cybercrime ecosystem: technically capable malware packaged as a service that anyone can rent.

Multi-Layered Evasion and Persistence Mechanisms

BQTLOCK employs an extensive set of anti-analysis techniques intended to evade detection and complicate forensic investigation.

Figure: tweet advertising BQTLOCK RaaS

The malware uses string obfuscation, debugger detection via the IsDebuggerPresent() API, and includes provisions for virtual machine detection. Current samples suggest these checks can be selectively disabled depending on the affiliate's subscription tier. A lone IsDebuggerPresent() call is weak protection in any case: it only reads the BeingDebugged flag in the Process Environment Block, which any debugger or analyst can clear, so it should be expected to cost minutes of analysis time rather than hours.

The ransomware establishes persistence through multiple vectors, including the creation of a new local administrator account "BQTLockAdmin" with the password "Password123!" and Windows Scheduled Tasks masquerading as legitimate system maintenance. Both leave straightforward artifacts for defenders: the account name is hard-coded, and the scheduled task's action points at the payload rather than at a Windows binary.

It uses process hollowing against explorer.exe to run its payload under a trusted process name, terminates security applications, and disables Windows recovery mechanisms so that the victim cannot simply restore the system.

BQTLOCK's encryption follows the standard hybrid pattern: file contents are encrypted with AES-256, and the AES key material is in turn encrypted with an RSA-4096 public key embedded in the malware, so only the holder of the matching private key can recover the files.

The malware appends the .bqtlock extension to encrypted files and demands ransoms of 13 to 40 Monero (roughly $3,600 to $10,000) depending on the "wave" or subscription tier; the demand doubles after 48 hours, and the group threatens permanent key deletion after seven days.
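The hybrid scheme described above, as an added example in Go written for this page (it is not BQTLOCK's code; the article does not document the malware's on-disk format). It shows why a victim cannot recover files without the operator's RSA private key: the per-file AES key is random and leaves the machine only in RSA-wrapped form. Assumptions specific to this example: AES-GCM as the AES mode, RSA-OAEP with SHA-256 for key wrapping, the blob layout given in the comments, and a 2048-bit RSA key so the demo runs quickly where the article reports 4096 bits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// The article reports RSA-4096; 2048 bits keeps key generation fast for a demo.
// The structure of the scheme is identical at either size (assumption for this example).
const rsaBits = 2048

// GenerateOperatorKey models the operator's key pair. Only the public half needs
// to travel with the malware; the private half never touches the victim machine.
func GenerateOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, rsaBits)
}

// EncryptFile applies the hybrid scheme to one file's contents:
//  1. draw a fresh random 256-bit AES key for this file,
//  2. encrypt the contents with AES-256-GCM (mode assumed; the article only says AES-256),
//  3. wrap the AES key with RSA-OAEP under the operator's public key.
// Output layout (demo assumption): [wrapped key, pub.Size() bytes][GCM nonce][ciphertext||tag]
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // the raw AES key is never written out, only the wrapped copy
		fileKey[i] = 0
	}
	return append(append(append([]byte{}, wrapped...), nonce...), ciphertext...), nil
}

// DecryptFile is the operator-side decryptor. Without priv the wrapped AES key cannot be
// recovered, and without the AES key the contents cannot be decrypted or even verified.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < priv.Size() {
		return nil, errors.New("blob shorter than the wrapped key")
	}
	wrapped, rest := blob[:priv.Size()], blob[priv.Size():]

	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("blob truncated")
	}
	nonce, ciphertext := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	priv, err := GenerateOperatorKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample input standing in for a victim's file.
	blob, err := EncryptFile(&priv.PublicKey, []byte("constructed sample document contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("report.docx.bqtlock: %d bytes\n", len(blob))
	recovered, err := DecryptFile(priv, blob)
	fmt.Printf("operator key: %q err=%v\n", recovered, err)
	otherKey, _ := GenerateOperatorKey()
	_, err = DecryptFile(otherKey, blob)
	fmt.Printf("unrelated key: err=%v\n", err)
}
```

Two properties matter for incident response and both fall out of the code: brute-forcing the per-file AES key is hopeless, and a decryptor built from a different operator's private key fails at the OAEP unwrap before it ever touches the file contents. Recovery therefore depends on backups or on the operator's private key, not on the samples themselves.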

Commercial RaaS Operation and Recent Developments

The operation offers three subscription tiers, Starter, Professional, and Enterprise, with customizable features including the ransom note text, desktop wallpaper, C2 server configuration, and optional anti-analysis capabilities.

This packaging turns the malware into a service that affiliates without technical expertise can operate.

Analysis of an August 2024 variant reveals significant capability enhancements, including UAC bypass techniques using CMSTP, fodhelper.exe, and eventvwr.exe. All three are long-documented auto-elevation abuses rather than novel techniques: fodhelper.exe and eventvwr.exe are auto-elevating Windows binaries that honour per-user shell handler keys (ms-settings and mscfile under HKCU\Software\Classes), so a command written into those keys runs at high integrity, while CMSTP executes commands from an attacker-supplied .inf profile. None of them works when UAC is set to "Always notify", and the registry writes the first two require are readily visible in Sysmon registry events.
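The persistence and recovery-tampering behaviour described earlier (the BQTLockAdmin account, the masquerading scheduled task, disabled recovery) and the three UAC bypass methods above all surface in ordinary Windows telemetry. The following is an added example written for this page, not tooling from the article or from any vendor: a small Go scanner that runs a handful of detection rules over constructed, simplified event lines. Assumptions: the "Key=Value" line layout is an invention for the example, the field names borrow from Windows Security (4720 user created, 4732 local group member added, 4698 scheduled task created) and Sysmon (1 process create, 13 registry value set) events but are not their exact schema, and the vssadmin and bcdedit command lines are typical recovery-disabling commands rather than ones the article attributes to BQTLOCK. Note that Sysmon records HKCU writes under HKU\<SID>, which is why the rules match on the path suffix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records which rule fired on which log line.
type Finding struct {
	Rule, Line string
}

// Constructed sample events in a simplified "Key=Value" layout using Windows Security
// (4720, 4732, 4698) and Sysmon (1 process create, 13 registry value set) field names.
var sampleLog = []string{
	`EventID=4720 Source=Security TargetUserName=BQTLockAdmin SubjectUserName=alice`,
	`EventID=4732 Source=Security TargetGroup=Administrators MemberName=BQTLockAdmin`,
	`EventID=4698 Source=Security TaskName=\Microsoft\Windows\Maintenance\DiskHealth Command=C:\Users\Public\svchost.exe`,
	`EventID=1 Source=Sysmon Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"`,
	`EventID=1 Source=Sysmon Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"`,
	`EventID=13 Source=Sysmon Image=C:\Users\Public\svchost.exe TargetObject=HKU\S-1-5-21-1-1001\Software\Classes\ms-settings\shell\open\command\(Default)`,
	`EventID=13 Source=Sysmon Image=C:\Users\Public\svchost.exe TargetObject=HKU\S-1-5-21-1-1001\Software\Classes\mscfile\shell\open\command\(Default)`,
	`EventID=1 Source=Sysmon Image=C:\Windows\System32\cmstp.exe CommandLine="cmstp.exe /au C:\Users\Public\update.inf"`,
	`EventID=1 Source=Sysmon Image=C:\Windows\explorer.exe CommandLine="C:\Windows\explorer.exe"`,
	`EventID=4720 Source=Security TargetUserName=backupsvc SubjectUserName=alice`,
}

// fieldRe matches Key=value or Key="value with spaces".
var fieldRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// parseFields turns one line into a field map.
func parseFields(line string) map[string]string {
	fields := map[string]string{}
	for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
		if m[2] != "" {
			fields[m[1]] = m[2]
		} else {
			fields[m[1]] = m[3]
		}
	}
	return fields
}

// has is a case-insensitive substring test; registry paths and command lines vary in case.
func has(field, needle string) bool {
	return strings.Contains(strings.ToLower(field), needle)
}

type rule struct {
	name  string
	match func(f map[string]string) bool
}

// Each rule maps one behaviour from the article to the event fields that expose it.
var rules = []rule{
	{"persistence: hard-coded BQTLockAdmin account created or made admin", func(f map[string]string) bool {
		return (f["EventID"] == "4720" && strings.EqualFold(f["TargetUserName"], "BQTLockAdmin")) ||
			(f["EventID"] == "4732" && strings.EqualFold(f["MemberName"], "BQTLockAdmin"))
	}},
	{"persistence: scheduled task whose action lives in a user-writable path", func(f map[string]string) bool {
		return f["EventID"] == "4698" && (has(f["Command"], `\users\`) || has(f["Command"], `\programdata\`))
	}},
	{"impact: volume shadow copies deleted", func(f map[string]string) bool {
		return has(f["Image"], `\vssadmin.exe`) && has(f["CommandLine"], "delete shadows")
	}},
	{"impact: boot-time recovery disabled", func(f map[string]string) bool {
		return has(f["Image"], `\bcdedit.exe`) && has(f["CommandLine"], "recoveryenabled no")
	}},
	{"uac bypass: fodhelper ms-settings handler hijack", func(f map[string]string) bool {
		return f["EventID"] == "13" && has(f["TargetObject"], `\classes\ms-settings\shell\open\command`)
	}},
	{"uac bypass: eventvwr mscfile handler hijack", func(f map[string]string) bool {
		return f["EventID"] == "13" && has(f["TargetObject"], `\classes\mscfile\shell\open\command`)
	}},
	{"uac bypass: cmstp launched with an INF profile", func(f map[string]string) bool {
		return has(f["Image"], `\cmstp.exe`) && has(f["CommandLine"], ".inf")
	}},
}

// Scan applies every rule to every line and returns findings in log order.
func Scan(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		fields := parseFields(line)
		for _, r := range rules {
			if r.match(fields) {
				findings = append(findings, Finding{Rule: r.name, Line: line})
			}
		}
	}
	return findings
}

func main() {
	for _, f := range Scan(sampleLog) {
		fmt.Printf("%s\n    %s\n", f.Rule, f.Line)
	}
}
```

The two benign lines at the end of the sample (a normal explorer.exe launch and an unrelated account creation) produce no findings, which is the point of matching on the specific account name, registry handler paths and command-line fragments rather than on the binaries alone: vssadmin, bcdedit and cmstp are all legitimate administration tools, and rules keyed only on their names would be noisy.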

Figure: listing of infected companies on the BQTLOCK site

The updated version also harvests credentials from major browsers, including Chrome, Firefox, Edge, Opera, and Brave, extending the operation from file encryption to data theft.

ZerodayX has promoted BQTLOCK as "Fully Undetectable" (FUD) ransomware, although security researchers consider the antivirus-evasion claims questionable; the detection names in the IOC list below show that at least some vendors already flag the known samples.

The group recently announced version 4 while simultaneously stating that future updates have been discontinued, which raises the possibility of a rebrand or an exit scam. After its Telegram channel was blocked, the group offered temporary free access to keep customers engaged.

This rapid development cycle and commercial marketing approach demonstrate how modern ransomware operations increasingly mirror legitimate software businesses. BQTLOCK is a significant threat that warrants updated detection content and a hardened security posture.

IOCs

Hash (MD5)                          Detection Name
4E7434AC13001FE55474573AA5E9379D    Ransomware (005a7a3d1)
7170292337A894CE9A58F5B2176DFEFC    Ransomware (005a7a3d1)

Ransomware site: hxxp[:]//yywhylvqeqynzik6ibocb53o2nat7lmzn5ynjpar3stndzcgmy6dkgid[.]onion
X profile: hxxps[:]//x[.]com/Zerodayx1
Telegram: hxxps[:]//t[.]me/BQTlock, hxxps[:]//t[.]me/Fuch0u, hxxps[:]//t[.]me/BQTnet, hxxps[:]//t[.]me/BQTlock_raas
Crypto wallet (Monero): 89RQN2EUmiX6vL7nTv3viqUAgbDpN4ab329zPCEgbceQJuS233uye4eXtYk3MXAtVoKNMmzgVrxXphLZbJPtearY7QVuApr
Mail: [email protected]


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
