{
	"id": "555facf5-7538-4615-bc40-991f2d81ddac",
	"created_at": "2026-04-06T00:22:21.617309Z",
	"updated_at": "2026-04-10T03:22:39.432456Z",
	"deleted_at": null,
	"sha1_hash": "c84a1054cea7fbfc49bec90425decbda08fa6c08",
	"title": "Emerging Ransomware BQTLock \u0026 GREENBLOOD Disrupt Businesses in Minutes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95115,
	"plain_text": "Emerging Ransomware BQTLock \u0026 GREENBLOOD Disrupt\r\nBusinesses in Minutes\r\nBy ANY.RUN\r\nPublished: 2026-02-11 · Archived: 2026-04-05 23:03:48 UTC\r\nHow long would it take your team to realize ransomware is already running? \r\nThe newly identified ransomware families are already causing real business disruption. These threats can disrupt\r\noperations fast while also reducing visibility through stealth or cleanup activity, shrinking the time teams have\r\nto detect and contain the attack. \r\nHere’s what you should know about BQTLock and GREENBLOOD, and how your team can detect\r\nand contain them before the impact escalates. \r\nTL;DR  \r\nBQTLock is a stealthy ransomware-linked chain. It injects Remcos into explorer.exe, performs UAC\r\nbypass via fodhelper.exe, and sets autorun persistence to keep elevated access after reboot, then shifts\r\ninto credential theft / screen capture, turning the incident into both ransomware + data breach risk. \r\nGREENBLOOD is a Go-based ransomware built for rapid impact: ChaCha8-based encryption can disrupt\r\noperations in minutes, followed by self-deletion / cleanup attempts to reduce forensic visibility, plus TOR\r\nleak-site pressure to add extortion leverage beyond recovery. \r\nIn both cases, the critical window is pre-encryption / early execution: stealth setup (BQTLock) and fast\r\nencryption (GREENBLOOD) compress response time and raise cost fast. \r\nBehavior-first triage in ANY.RUN’s Interactive Sandbox lets teams confirm key actions (process injection,\r\nUAC bypass, persistence, encryption, self-delete) during execution, extract IOCs immediately, and pivot\r\ninto Threat Intelligence Lookup (e.g., commandLine:”greenblood”) to find related runs/variants and harden\r\ndetections faster. 
 \r\nBQTLock: A Stealth Attack That Escalates into Data Theft and Business Risk \r\nOriginal post on LinkedIn\r\nBQTLock is a ransomware-linked threat designed to hide in normal system activity, gain elevated privileges, and\r\nquietly prepare for deeper impact before defenders can react. \r\nInstead of triggering obvious alerts immediately, it blends into trusted Windows processes and delays visible\r\ndamage. This makes early detection difficult and increases the chance of data exposure, operational\r\ndisruption, and financial loss for affected organizations. \r\nhttps://any.run/cybersecurity-blog/emerging-ransomware-bqtlock-greenblood/\r\nPage 1 of 7\n\nHow the Attack Was Revealed Through Behavioral Analysis \r\nUsing the ANY.RUN interactive sandbox, analysts were able to observe the full behavioral chain in real time. \r\nSee full execution chain of BQTLock\r\nBQTLock attack fully exposed inside ANY.RUN sandbox \r\nThe analysis revealed that the malware: \r\nInjects the Remcos payload into explorer.exe to remain hidden inside legitimate system activity \r\nPerforms a UAC bypass via fodhelper.exe to obtain elevated privileges \r\nEstablishes autorun persistence to survive system restarts with higher access rights \r\nOnce privilege escalation is complete, the threat moves beyond stealth and into active harm, including: \r\ndata theft capabilities that increase breach severity \r\nscreen capture activity that may expose sensitive corporate information \r\nCredential stealing by BQTLock discovered by ANY.RUN\r\nThis sequence shows how quickly a seemingly quiet infection can evolve into a full security and compliance\r\nincident. \r\nGREENBLOOD: Fast Encryption, Evidence Removal, and Immediate Business\r\nExposure \r\nOriginal post on LinkedIn\r\nGREENBLOOD is a newly observed Go-based ransomware built for speed, stealth, and pressure. 
 \r\nRather than relying only on encryption, it combines rapid file locking, self-deletion to reduce forensic\r\nvisibility, and data-leak threats through a TOR-based site. \r\nThis transforms a technical incident into a full business crisis involving downtime, regulatory exposure,\r\nreputational damage, and recovery cost. \r\nFor organizations, the biggest risk is timing. By the time encryption becomes visible, sensitive data may\r\nalready be stolen and operational disruption already underway. \r\nHow the Attack Was Uncovered During Real-Time Detection and Triage \r\nInside the ANY.RUN interactive sandbox, ransomware behavior and cleanup activity became visible while\r\nexecution was still unfolding, allowing early detection during the most critical stage of the attack. \r\nCheck full attack chain of GREENBLOOD \r\nGREENBLOOD exposed inside ANY.RUN sandbox in around 1 minute\r\nThe sandbox analysis exposed: \r\nFast ChaCha8-based encryption capable of disrupting operations within minutes \r\nAttempts to delete the executable, limiting post-incident forensic visibility \r\nActionable indicators of compromise that enable earlier detection across endpoints and environments \r\nBecause this behavior is captured in real time, SOC teams can move directly from detection to\r\ntriage and containment before encryption spreads widely. \r\nUsing ANY.RUN Threat Intelligence, teams can search for other sandbox analyses related to GREENBLOOD and\r\ntrack how the threat appears across different environments. A simple query like helps uncover related executions,\r\nrecurring patterns, and potential variants that may not match the exact same sample. 
 \r\nUse this query link to explore related activity: commandLine:”greenblood” \r\nSandbox analyses related to GREENBLOOD displayed by TI Lookup for deeper investigation \r\nThis is valuable as ANY.RUN Threat Intelligence is connected to real sandbox activity from 15,000+\r\norganizations and 600,000+ security professionals. In practice, that means you can use community-scale\r\nexecution evidence to strengthen detections faster, tune response playbooks, and stay ahead as ransomware\r\nchanges. \r\nHow These Ransomware Attacks Impact Businesses \r\nBQTLock and GREENBLOOD may use different techniques, but they point to the same operational reality:\r\nmodern ransomware is designed to create maximum business damage in the shortest possible time. \r\nInstead of slow, visible attacks, today’s ransomware combines stealth, speed, privilege escalation, and data-leak\r\npressure to overwhelm traditional response workflows before containment begins.\r\nBusiness risk | BQTLock | GREENBLOOD\r\nData exposure risk | Data theft + screen capture after escalation | Leak-site pressure adds exposure risk (even post-recovery)\r\nDowntime risk | Can escalate after stealth phase | Fast encryption (ChaCha8)\r\nHarder to spot early | Hides in normal processes + persistence | Cleanup/self-deletion attempts\r\nExtortion pressure | Can intensify if stolen data is used | TOR leak-site threats\r\nShort response window, higher cost | Stealth setup compresses reaction time | Fast encryption compresses reaction time\r\nFor most companies, the fallout comes in a few predictable ways: \r\nData theft before encryption: After privilege escalation, BQTLock moves into data theft and screen\r\ncapture, turning ransomware into a breach and compliance issue. 
 \r\nDisruption in minutes: GREENBLOOD encrypts fast, which can cause rapid downtime and immediate\r\noperational impact. \r\nStealth and cleanup slow response: BQTLock hides in normal processes and persists with elevated rights,\r\nwhile GREENBLOOD attempts self-deletion, reducing visibility and increasing recovery cost. \r\nExtortion pressure beyond recovery: GREENBLOOD includes leak-site threats via a TOR-based\r\nplatform. That adds a second layer of pressure: even if systems are restored, the business may still face data\r\nexposure, compliance issues, and long-term brand damage. \r\nShort response window, higher cost: Between stealth setup and fast encryption, delays quickly translate\r\ninto bigger financial damage. \r\nHow SOC Teams Can Detect and Contain Modern Ransomware Before It Spreads \r\nStealthy privilege escalation, rapid encryption, and leak-site extortion leave security teams with very little time to\r\nreact. \r\nTo stop ransomware before it reaches full business impact, SOC teams need an operational cycle that moves from\r\nearly detection → confirmed behavior → broader visibility → proactive defense in minutes,\r\nwithout any complicated steps and setups. \r\nWith ANY.RUN, this cycle happens inside a single connected workflow, allowing teams to shift from late\r\nresponse to early containment. \r\n1. Confirm Ransomware Behavior Before Encryption Spreads \r\nThe first and most critical step is safe behavioral detonation. \r\nRansomware like BQTLock hides inside trusted processes and escalates privileges\r\nquietly. GREENBLOOD encrypts files quickly and attempts to remove traces. 
 \r\nRunning suspicious files or links inside ANY.RUN’s controlled environment exposes: \r\nprivilege escalation attempts \r\npersistence mechanisms \r\nencryption activity \r\ndata theft or screen capture behavior \r\nEncryption activity performed by GREENBLOOD revealed inside ANY.RUN sandbox \r\nAs this visibility appears during execution, teams can reach a clear verdict in seconds instead of discovering the\r\nattack after downtime begins. \r\nThis early proof translates directly into operational gains, with 94% of teams reporting faster triage, Tier-1 to\r\nTier-2 escalations reduced by up to 30%, and MTTR shortened by an average of 21 minutes per case,\r\nhelping contain ransomware before downtime and financial impact grow. \r\n2. Expand Investigation Using Real-World Threat Intelligence \r\nStopping a single sample is not enough if the campaign continues elsewhere. \r\nIndicators extracted from sandbox analysis can be used to search across ANY.RUN Threat Intelligence, revealing: \r\nrelated ransomware executions \r\nreused infrastructure or tooling \r\nemerging variants and evolving tactics \r\nThe payoff is earlier campaign-level detection and clearer evidence for decision-making, which lowers breach\r\nexposure, strengthens compliance readiness, and reduces the business impact of repeat attacks. \r\n3. Strengthen Prevention and Reduce Future Incident Cost \r\nThe final step is turning investigation insight into ongoing protection. \r\nFresh indicators and behavioral signals can flow directly into your existing stack through ANY.RUN TI Feeds,\r\nkeeping detections current without manual copy-paste or constant rule rewrites. This helps teams block repeat\r\nattempts faster and react to shifting ransomware infrastructure as it changes. 
 \r\nTI Feeds delivering fresh IOCs to your existing stack for proactive monitoring  \r\nThis ongoing flow shifts teams from reactive detection to proactive monitoring, so attacks are discovered\r\nearlier and contained with less business impact. \r\nAbout ANY.RUN \r\nANY.RUN is part of modern SOC workflows, integrating easily into existing processes and strengthening the\r\nentire operational cycle across Tier 1, Tier 2, and Tier 3. \r\nIt supports every stage of investigation, from exposing real behavior during safe detonation, to enriching analysis\r\nwith broader threat context, and delivering continuous intelligence that helps teams move faster and make\r\nconfident decisions. \r\nToday, more than 600,000 security professionals and 15,000 organizations rely on ANY.RUN to accelerate triage,\r\nreduce unnecessary escalations, and stay ahead of evolving phishing and malware campaigns. \r\nTo stay informed about newly discovered threats and real-world attack analysis, follow ANY.RUN’s team\r\non LinkedIn and X, where weekly updates highlight the latest research, detections, and investigation insights. \r\nFrequently Asked Questions\r\nWhat makes BQTLock and GREENBLOOD different from traditional ransomware?\r\nBoth strains prioritize early stealth and rapid operational impact rather than delayed, obvious encryption.\r\nBQTLock focuses on covert privilege escalation, persistence, and data theft before encryption, while\r\nGREENBLOOD delivers fast ChaCha8 encryption, self-deletion, and leak-site extortion, compressing the\r\nresponse window to minutes.\r\nWhy is the pre-encryption stage critical for detection? \r\nModern ransomware often causes business damage before files are encrypted. Activities like process injection,\r\nUAC bypass, credential theft, and data exfiltration signal compromise early. 
Detecting these behaviors during\r\nexecution enables containment before downtime, breach disclosure, or financial loss escalates.\r\nHow does GREENBLOOD achieve such fast disruption?\r\nGREENBLOOD is Go-based and uses ChaCha8 encryption, allowing it to lock files quickly across the system. It\r\nalso attempts self-deletion and cleanup, which reduces forensic visibility and increases recovery complexity while\r\napplying TOR-based leak pressure on victims.\r\nWhat indicators should SOC teams monitor for BQTLock activity? \r\nKey signals include Remcos injection into explorer.exe, UAC bypass via fodhelper.exe, autorun persistence\r\ncreation, and post-escalation credential theft or screen capture. These behaviors indicate the attack is transitioning\r\nfrom stealth access to active breach risk.\r\nHow can security teams confirm ransomware behavior faster? \r\nRunning suspicious files or links in a controlled behavioral sandbox allows teams to observe privilege escalation,\r\npersistence, encryption, and cleanup actions in real time, extract IOCs immediately, and begin containment and\r\nhunting before the attack spreads.\r\nHow does threat intelligence help reduce repeat incidents? \r\nLinking sandbox-derived indicators to broader execution telemetry reveals related samples, reused\r\ninfrastructure, and evolving variants. Feeding this intelligence into detection controls supports earlier blocking,\r\nstronger prevention, and lower long-term incident cost.\r\nSource: https://any.run/cybersecurity-blog/emerging-ransomware-bqtlock-greenblood/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/emerging-ransomware-bqtlock-greenblood/"
	],
	"report_names": [
		"emerging-ransomware-bqtlock-greenblood"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775791359,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c84a1054cea7fbfc49bec90425decbda08fa6c08.pdf",
		"text": "https://archive.orkl.eu/c84a1054cea7fbfc49bec90425decbda08fa6c08.txt",
		"img": "https://archive.orkl.eu/c84a1054cea7fbfc49bec90425decbda08fa6c08.jpg"
	}
}