{
	"id": "430408b9-d367-460e-80df-5d729265f569",
	"created_at": "2026-04-06T00:14:09.037653Z",
	"updated_at": "2026-04-10T03:21:30.90169Z",
	"deleted_at": null,
	"sha1_hash": "c7d0dacd5ab762e9b9da80750e0cf7b987035d2e",
	"title": "BleachGap Revamped",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4991912,
	"plain_text": "BleachGap Revamped\r\nPublished: 2022-08-25 · Archived: 2026-04-05 14:46:23 UTC\r\nBleachGap ransomware was first reported in February 2021 by a researcher named Petrovic on Twitter. The variant we analysed here was reported on Twitter in June 2022. It caught our attention because it was tagged as a stealer and because all of its code is compiled into a single executable: unlike the 2021 variant, which dropped and depended on supporting .bat and .exe files, it needs no supporting .bat or PowerShell scripts to execute, most probably for evasion and to be less noisy. Although few cases have been reported in the wild, we are publishing this analysis so that the community is aware that the threat actors are modifying this malware's techniques, possibly in preparation for a larger attack. Let's get into the details.\r\nWhy a Stealer?\r\nWhen this ransomware executes, its first step is to obtain the username and to generate a Unique ID (UID) and a Password for that particular victim. At first glance it looks as though it is stealing the user's password, but after multiple executions we noticed that the password differs every time, and after reversing the sample we found that the ransomware uses one function (Figure 1) to generate the UID at random and calls the same function again to generate the password, which is always 32 bytes long.\r\nhttps://labs.k7computing.com/index.php/bleachgap-revamped/\r\nPage 1 of 10\n\nFigure 1: Function used to generate random ID and Pass\r\nAfter generating the UID and Password, it obtains the username of the current user from an environment variable. 
It first copies the encoded bytes, which are hardcoded in the executable, into memory, decodes them to the string 'username', and then passes that string as the argument of the environment-variable lookup, as shown in Figure 2.\r\nFigure 2: Getting username using environment variables\r\nRather than hardcoding its useful strings in the executable in clear, which would make them easy to detect, this ransomware keeps them as encoded bytes that it copies into memory and decodes at runtime, and it reuses that method for several purposes; we will see it again later in this analysis. After obtaining the username, it uses the same decoding method to build a large string containing the UID, the password and the username, as shown in Figure 3.\r\nFigure 3: Large decoded string\r\nFurther analysis shows that the ransomware sends the large decoded string from Figure 3 in a POST request to a Discord webhook API, highlighted in Figures 4 and 5. The request is made over TLS (Figure 5 shows the DNS lookup and the SSL connection), so a plain network capture will not reveal the key it carries.\r\nFigure 4: Post request to Discord API\r\nFigure 5: Fakenet output for DNS and SSL connection\r\nDisabling Tools to Work\r\nAfter sending the information to the Discord API, the ransomware tries to disable tools such as the Command Prompt (CMD), Task Manager and Registry Editor so that the user cannot intervene and stop the ransomware. It disables them through the registry: it first copies the encoded registry key into memory and decodes it with an XOR loop, does the same for the value, and then calls RegCreateKey with the decoded key and value as arguments. 
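The runtime XOR decoding described above can be reproduced statically. The following is an added example written for this page, not code from the K7 post or from the BleachGap sample: it emulates a repeating-key XOR decode loop and recovers the key from one known decoded string (the post shows 'username' being decoded first), so further encoded blobs lifted from .rdata can be decoded without a debugger. The key, the encoded blobs and the assumption of a short repeating key applied from offset 0 are all constructions for the example; the sample's real key and loop are in Figure 7 of the post, and whether it uses the standard DisableTaskMgr policy value name is likewise an assumption.

```python
# Added example, not code from the K7 post or from the BleachGap sample:
# emulates the XOR decode loop the post describes so that encoded blobs
# pulled from .rdata can be recovered statically instead of under a debugger.
# Assumptions: a short repeating XOR key applied byte-by-byte from offset 0,
# and one known decoded string (the post shows 'username' being decoded).
# The sample's real key and loop are in Figure 7 of the post; the key and
# blobs below are constructed for this example.

KEY = bytes.fromhex('3a9c51e7')  # constructed key, not the sample's


def xor_apply(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR; XOR is its own inverse, so this encodes and decodes.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, crib: bytes, key_len: int) -> bytes:
    # Known-plaintext recovery: if blob decodes to crib under a key_len-byte
    # key starting at offset 0, the key is blob XOR crib over the first
    # key_len bytes. The candidate is then verified against the whole crib,
    # which rejects wrong key lengths instead of returning garbage.
    if len(crib) < key_len or len(blob) < len(crib):
        raise ValueError('crib too short for the assumed key length')
    key = bytes(blob[i] ^ crib[i] for i in range(key_len))
    if xor_apply(blob[:len(crib)], key) != crib:
        raise ValueError('key length %d does not fit the crib' % key_len)
    return key


def find_key(blob: bytes, crib: bytes, max_len: int = 8) -> bytes:
    # Try key lengths 1..max_len and return the shortest one that fits the crib.
    for key_len in range(1, max_len + 1):
        try:
            return recover_key(blob, crib, key_len)
        except ValueError:
            continue
    raise ValueError('no repeating key up to %d bytes fits the crib' % max_len)


def decode_all(blobs, key: bytes) -> list:
    # Decode every blob with the recovered key; undecodable bytes become U+FFFD.
    return [xor_apply(b, key).decode('ascii', errors='replace') for b in blobs]


# Constructed encoded blobs, as they might sit in .rdata.
ENC_USERNAME = bytes.fromhex('4fef349554fd3c82')  # 'username' under KEY
# DisableTaskMgr is the standard Windows policy value that hides Task Manager;
# whether the sample uses this exact name is an assumption (see Figure 6).
ENC_VALUE = xor_apply(b'DisableTaskMgr', KEY)


def demo():
    # Recover the key from the known 'username' blob, then decode the rest.
    key = find_key(ENC_USERNAME, b'username')
    return key, decode_all([ENC_USERNAME, ENC_VALUE], key)


if __name__ == '__main__':
    print(demo())
```

With a real sample, the crib is whichever string the debugger shows being decoded first, and the blobs are the byte runs that precede each call to the decode routine; if no key length up to the limit fits, the loop is not a plain repeating XOR and the routine in Figure 7 has to be read more closely.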
Figure 6 shows the encoded registry key and Figure 7 the routine that decodes it.\r\nFigure 6: Encoded Registry key\r\nFigure 7: Decoding encoded registry key\r\nFigure 8: Tools getting disabled\r\nAfter disabling the tools, the ransomware decodes the folder names Desktop, Documents, Downloads, Pictures, Music and Public and appends each of them to C:\\Users\\%username% so that it can enumerate these folders first and encrypt the files stored inside them.\r\nFigure 9: Function adding folder names after decoding\r\nWith the folder list built, the ransomware enumerates the folders with FindFirstFileExW and FindNextFileW and reads each existing file into a buffer with ReadFile in preparation for encryption.\r\nFigure 10: Using FindFirstFileExW\r\nFigure 11: Using FindNextFileW\r\nFigure 12: Using ReadFile to read ApkStudio.exe.lnk\r\nEncrypting Files\r\nWhile analysing what happens after ReadFile we observed that the sample does not use any of the common Windows cryptography APIs such as CryptAcquireContextA, CryptReleaseContext, CryptGenKey or CryptExportKey. On digging further we found that the whole encryption routine is implemented inside the ransomware itself. We identified this when a hardware breakpoint on the randomly generated password (described at the start of this post) was hit after the ReadFile call: calculations were being performed on the password, and a table of bytes stored in the .rdata section was being consulted.\r\nFigure 13: Using the AES S-box for key expansion\r\nOn checking that stored table we identified it as the S-box used by the AES algorithm during its key expansion phase. 
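Spotting the S-box in .rdata is what ties the custom routine to AES, and that check can be automated. The block below is an added example for this page, not code from the K7 post: it regenerates the AES forward S-box from its definition, derives the inverse S-box and the byte-packed Rcon array from it, and scans a byte buffer for all three, which goes slightly beyond the post by also distinguishing encrypt-only code (forward S-box alone) from code that carries the decryption table. SAMPLE_RDATA is a constructed buffer with the S-box planted among filler bytes, not data from the sample; in practice the raw bytes of each section of the binary are passed to scan().

```python
# Added example, not code from the K7 post: a find-crypt style scan for the
# AES tables a compiled implementation carries in .rdata. SAMPLE_RDATA is a
# constructed buffer (an S-box planted among filler bytes), not sample data;
# in practice pass the raw bytes of each section of the binary to scan().


def _gf_mul(a: int, b: int) -> int:
    # Multiplication in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1.
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return p & 0xff


def aes_sbox() -> bytes:
    # Regenerate the forward S-box (GF(2^8) inverse, then the affine map)
    # so the full 256-byte table is available without pasting it in.
    inv = [0] * 256
    for a in range(1, 256):
        if inv[a]:
            continue
        for b in range(1, 256):
            if _gf_mul(a, b) == 1:
                inv[a], inv[b] = b, a
                break
    out = bytearray()
    for x in range(256):
        v = inv[x]
        s = v
        for r in (1, 2, 3, 4):           # XOR of v rotated left by 1..4 bits
            s ^= (v << r) | (v >> (8 - r))
        out.append((s ^ 0x63) & 0xff)
    return bytes(out)


def aes_inv_sbox() -> bytes:
    # The inverse table is just the permutation inverted.
    sbox, inv = aes_sbox(), bytearray(256)
    for x, y in enumerate(sbox):
        inv[y] = x
    return bytes(inv)


# Short literals to grep for by hand (FIPS-197): first 16 bytes of each table
# and the byte-packed Rcon array. Compilers may store Rcon as 32-bit words
# instead, which this scan will not match.
AES_SBOX_HEAD = bytes.fromhex('637c777bf26b6fc53001672bfed7ab76')
AES_INV_SBOX_HEAD = bytes.fromhex('52096ad53036a538bf40a39e81f3d7fb')
AES_RCON = bytes.fromhex('01020408102040801b36')

SIGNATURES = {
    'aes_sbox': aes_sbox(),          # full table: strongest evidence
    'aes_inv_sbox': aes_inv_sbox(),  # present only if decryption is compiled in
    'aes_rcon': AES_RCON,
}


def scan(buf: bytes, sigs=None) -> dict:
    # Return {name: [offsets]} for every signature found anywhere in buf.
    sigs = SIGNATURES if sigs is None else sigs
    hits = {}
    for name, sig in sigs.items():
        offs, start = [], 0
        while True:
            i = buf.find(sig, start)
            if i < 0:
                break
            offs.append(i)
            start = i + 1
        if offs:
            hits[name] = offs
    return hits


def classify(hits: dict) -> str:
    # An encryptor needs only the forward S-box (key schedule and SubBytes);
    # the inverse table appears when decryption is compiled in as well.
    # Absence of both does not rule AES out: some builds compute the S-box
    # at runtime or use 32-bit T-tables, which this scan does not look for.
    if 'aes_sbox' in hits and 'aes_inv_sbox' in hits:
        return 'AES tables for encryption and decryption'
    if 'aes_sbox' in hits:
        return 'AES forward S-box only (encrypt-only code)'
    return 'no AES table found'


def _filler(n: int, seed: int = 0x12345678) -> bytes:
    # Deterministic pseudo-random filler so the constructed buffer is reproducible.
    x, out = seed, bytearray()
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7fffffff
        out.append((x >> 16) & 0xff)
    return bytes(out)


# Constructed section image: filler, full S-box at offset 300, filler, Rcon at 656.
SAMPLE_RDATA = _filler(300) + SIGNATURES['aes_sbox'] + _filler(100, 7) + AES_RCON + _filler(50, 99)
```

A hit on the full 256-byte forward table at a fixed offset is the same evidence the post gets from Figure 13, obtained without a debugger; the reported offset can then be cross-referenced to find the key-expansion and round functions that read it.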
So the ransomware encrypts files with AES, using as the key the password that it generated at random and sent to the Discord webhook. (A 32-byte key is the AES-256 key length, but the post does not establish which key length or mode of operation the custom routine implements.) On further analysis we located the functions responsible for encrypting the file bytes and writing them to memory 16 bytes (one AES block) at a time, as shown in Figures 14 and 15.\r\nFigure 14: ApkStudio.exe.lnk File getting encrypted\r\nFigure 15: Encrypted File ApkStudio.exe.lnk\r\nThe ransomware creates a new file with the same name, writes the encrypted bytes into it and then renames it with the extension PAY2DECRYPT+UID. After encrypting the files it drops 100 ransom notes on the Desktop. It encrypts executables as well. It also renames its own executable with the encrypted-file extension, but that file is left as-is and is not encrypted.\r\nFigure 16: 100 ransom notes on Desktop\r\nFigure 17: Ransom Note\r\nWe at K7 Labs provide detection for BleachGap ransomware and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.\r\nIndicators of Compromise (IOCs)\r\nFile Name: ransomito.exe\r\nHash (MD5): bfe289c6f91ffcda97c207f3c1c525a9\r\nDetection Name: Riskware (00584baa1)\r\nReferences\r\nhttps://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions-aes\r\nhttps://twitter.com/Finch39487976/status/1533126802159304705\r\nhttps://www.reversingsecurity.com/blog/pay2decrypt-bleachgap-analysis\r\nSource: https://labs.k7computing.com/index.php/bleachgap-revamped/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/bleachgap-revamped/"
	],
	"report_names": [
		"bleachgap-revamped"
	],
	"threat_actors": [],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7d0dacd5ab762e9b9da80750e0cf7b987035d2e.pdf",
		"text": "https://archive.orkl.eu/c7d0dacd5ab762e9b9da80750e0cf7b987035d2e.txt",
		"img": "https://archive.orkl.eu/c7d0dacd5ab762e9b9da80750e0cf7b987035d2e.jpg"
	}
}