A recently identified ransomware variant has surfaced in the cyber threat ecosystem, operating under the Ransomware-as-a-Service (RaaS) framework. Known as Bqtlock, this strain is linked to the pro-Palestinian hacktivist collective Liwaa Mohammed and its leader ZerodayX. The malware is typically delivered through ZIP archives containing the malicious payload and incorporates advanced anti-analysis mechanisms to hinder detection. Bqtlock leverages a double-extortion strategy, demanding Monero payments and threatening to increase the ransom amount or sell stolen data if victims fail to respond within 48 hours.
The ransomware offers a subscription-based model with customizable features, appealing to a wide range of cybercriminals. Its tactics include process hollowing, privilege escalation, and system reconnaissance to expand its reach and maintain persistence.
The Ransomware-as-a-Service (RaaS) business model continues to expand within the cybercriminal ecosystem, enabling ransomware creators to rent or lease their malicious platforms to affiliates through subscription packages or revenue-sharing models. This approach allows individuals with minimal technical expertise to launch ransomware attacks, while the core operators handle the complex aspects such as payload generation, encryption algorithms, victim negotiation portals, and automated cryptocurrency transactions. The ransomware variant, identified as Bqtlock, surfaced in mid-July 2025 and exemplifies this evolving trend. The malware has been linked to the hacktivist group Liwaa Mohammed and its known affiliate ZerodayX, who previously gained attention for a significant Saudi gaming data breach.
Delivery and Execution:
Bqtlock is primarily delivered as a compressed ZIP archive containing a malicious executable named Update.exe, accompanied by auxiliary files. Upon execution, it encrypts local data across multiple file types, appends a custom “.bqtlock” extension, and drops a ransom note with payment instructions. The operators run a double-extortion model, demanding between 13 and 40 Monero (XMR), roughly $3,600 to $10,000 at the time of the analysis, and threatening to permanently delete the decryption keys and leak the stolen data online if the victim has not made contact within 48 hours.
Affiliate Model and Customization:
The Bqtlock platform supports a tiered subscription structure, offering Starter, Professional, and Enterprise plans. These options allow affiliates to customize multiple aspects of the attack, including ransom note text, encrypted file extensions, desktop wallpapers, and even command-and-control (C2) endpoints. Higher-tier subscribers gain access to additional anti-analysis features such as anti-debugging modules, virtual machine detection, and automated self-deletion of the ransomware binary to reduce forensic traces.
Anti-Analysis and Evasion Techniques:
Bqtlock integrates several mechanisms to evade detection and hinder analysis. It uses string obfuscation and multiple debugger-detection checks, including calls to IsDebuggerPresent(), to recognise attached debuggers and analysis tooling. Virtual machine detection routines exist in the code but are currently inactive, which suggests the feature is still under development. The malware creates a mutex so that only one instance runs at a time, and enables SeDebugPrivilege in its own token (a privilege available to administrative accounts rather than an escalation in itself) so that it can open system processes such as explorer.exe and inject code into them through process hollowing.
Reconnaissance and Persistence:
Once deployed, Bqtlock conducts thorough reconnaissance of the compromised system, gathering details such as the computer name, hostname, IP addresses, hardware identifiers, and storage capacity. To maintain persistence, it creates a local administrator account labeled BQTLockAdmin and schedules a task named Microsoft\Windows\Maintenance\SystemHealthCheck for continued access. For data exfiltration, the ransomware leverages Discord webhooks to transmit JSON-formatted information, including screenshots of the victim’s desktop, while simultaneously logging its activities locally. Additionally, the malware disables Windows recovery tools and terminates interfering processes to ensure uninterrupted encryption of targeted files.
Encryption Methods:
Bqtlock employs a hybrid cryptographic approach. It encrypts file contents with AES-256 and then wraps the AES keys with RSA-4096, so that neither the keys nor the files can be recovered without the operators' private key. To avoid rendering systems inoperable, the ransomware skips critical directories during encryption and only processes files under a specified size limit. After encryption completes, Bqtlock can run a self-deletion routine via ShellExecuteA, removing its own binary from disk and complicating post-incident forensic analysis.
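The following Go program is an added illustration of the hybrid scheme described above; it is not Bqtlock's code and is not taken from the K7 analysis. It generates a fresh AES-256 key for every file, encrypts the contents with that key, and wraps the key with RSA-OAEP under the operator's public key, so only the holder of the private key can unwrap it. Several details are assumptions for the example because the page does not give them: the use of AES-GCM (the page says only AES-256), the on-disk blob layout, the skipped-directory list, and the 64 MiB size cap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Assumed for the example, not recovered from the Bqtlock sample: directories
// the encryptor leaves alone so the host still boots, and the per-file size cap.
var skipDirs = []string{`\windows\`, `\program files\`, `\program files (x86)\`, `\programdata\`}

const maxFileSize = 64 << 20 // 64 MiB (assumed limit)

// ShouldEncrypt applies the targeting rule the page describes: skip critical
// directories and any file above the size limit.
func ShouldEncrypt(path string, size int64) bool {
	if size > maxFileSize {
		return false
	}
	p := strings.ToLower(path)
	for _, d := range skipDirs {
		if strings.Contains(p, d) {
			return false
		}
	}
	return true
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile: fresh 32-byte key per file, AES-256-GCM over the contents, key
// wrapped with RSA-OAEP under the operator's public key. Blob layout (assumed):
// 2-byte wrapped-key length | wrapped key | 12-byte nonce | ciphertext+tag.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// DecryptFile is the operator-side decryptor. Without the RSA private key the
// wrapped AES key, and therefore the file, cannot be recovered.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	n := int(binary.BigEndian.Uint16(blob))
	if len(blob) < 2+n+12 {
		return nil, errors.New("blob truncated")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[2:2+n], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := blob[2+n : 2+n+gcm.NonceSize()]
	return gcm.Open(nil, nonce, blob[2+n+gcm.NonceSize():], nil)
}

func main() {
	// In a real RaaS build only the public half is embedded in the binary;
	// the private key stays with the operator.
	priv, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		panic(err)
	}
	contents := []byte("constructed sample file contents")
	blob, err := EncryptFile(&priv.PublicKey, contents)
	if err != nil {
		panic(err)
	}
	back, err := DecryptFile(priv, blob)
	fmt.Println(len(blob), "byte blob; round trip ok:", err == nil && string(back) == string(contents))
}
```

Two practical consequences follow from the structure. First, every file carries its own wrapped key, so recovering one AES key from memory helps with one file only; the realistic recovery path is backups, not cryptanalysis. Second, because the content is authenticated (GCM here), a blob that has been damaged or partially overwritten fails decryption outright rather than producing a partially readable file, which matters when triaging what is salvageable.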
Recent Developments (August 2025 Update):
A newer version of Bqtlock, observed in early August 2025, shows continued development and growing operational sophistication. The updated variant adds stronger obfuscation and a broader set of anti-debugging checks, including CheckRemoteDebuggerPresent(), OutputDebugString(), and GetTickCount() timing comparisons that flag the slowdown a debugger or analysis environment introduces. It also integrates User Account Control (UAC) bypasses that abuse auto-elevating Windows binaries such as cmstp.exe, fodhelper.exe, and eventvwr.exe, giving it elevated execution without a consent prompt. In addition, the ransomware now issues WMI queries for hardware details, stages and executes payloads from the %TEMP% directory to support lateral movement, and carries a credential-theft module that extracts stored browser credentials from Chrome, Firefox, Edge, Opera, and Brave, including data it decrypts from the browsers' secure storage.
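The persistence artifacts from the Reconnaissance and Persistence section (the BQTLockAdmin account, the Microsoft\Windows\Maintenance\SystemHealthCheck task, Discord webhook traffic) and the UAC-bypass and %TEMP% execution behaviours described just above are all visible in ordinary Windows telemetry. The Go program below is an added example, not part of the K7 write-up or of any product: it runs a small set of detection rules over constructed JSON-lines events in an assumed, minimal schema (fields borrowed from Security 4720/4698 and Sysmon 1/3/13). The registry paths are the ones fodhelper.exe and eventvwr.exe consult when they auto-elevate; a CMSTP rule would key on cmstp.exe being launched with an .inf file and is left out here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Event is an assumed, minimal schema for forwarded Windows telemetry; the
// field names are not any real product's.
type Event struct {
	EventID      int    `json:"event_id"`
	Image        string `json:"image,omitempty"`         // Sysmon 1 Image
	CommandLine  string `json:"command_line,omitempty"`  // Sysmon 1 CommandLine
	TargetObject string `json:"target_object,omitempty"` // Sysmon 13 registry value
	DestHost     string `json:"dest_host,omitempty"`     // Sysmon 3 DestinationHostname
	TaskName     string `json:"task_name,omitempty"`     // Security 4698 TaskName
	TargetUser   string `json:"target_user,omitempty"`   // Security 4720 TargetUserName
}

var (
	netUserAdd  = regexp.MustCompile(`(?i)\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b`)
	schtasksNew = regexp.MustCompile(`(?i)\bschtasks(\.exe)?\s.*/create\b`)
	tempExec    = regexp.MustCompile(`(?i)\\appdata\\local\\temp\\[^\\]+\.exe$`)
	// Keys read by the auto-elevating binaries named on the page.
	uacHijackKeys = []string{
		`\software\classes\ms-settings\shell\open\command`, // fodhelper.exe
		`\software\classes\mscfile\shell\open\command`,     // eventvwr.exe
	}
)

// Classify returns the page's TTPs that a single event matches.
func Classify(ev Event) []string {
	var hits []string
	cl := strings.ToLower(ev.CommandLine)
	img := strings.ToLower(ev.Image)
	switch ev.EventID {
	case 4720:
		if strings.EqualFold(ev.TargetUser, "BQTLockAdmin") {
			hits = append(hits, "persistence:BQTLockAdmin account")
		}
	case 4698:
		if strings.Contains(strings.ToLower(ev.TaskName), `maintenance\systemhealthcheck`) {
			hits = append(hits, "persistence:SystemHealthCheck task")
		}
	case 1:
		if netUserAdd.MatchString(cl) {
			hits = append(hits, "persistence:net user /add")
		}
		if schtasksNew.MatchString(cl) && strings.Contains(cl, "systemhealthcheck") {
			hits = append(hits, "persistence:schtasks SystemHealthCheck")
		}
		if tempExec.MatchString(img) {
			hits = append(hits, "execution:payload from %TEMP%")
		}
	case 3:
		h := strings.ToLower(ev.DestHost)
		if h == "discord.com" || h == "discordapp.com" || strings.HasSuffix(h, ".discord.com") {
			hits = append(hits, "exfil:discord webhook")
		}
	case 13:
		to := strings.ToLower(ev.TargetObject)
		for _, k := range uacHijackKeys {
			if strings.Contains(to, k) {
				hits = append(hits, "uac-bypass:registry hijack")
				break
			}
		}
	}
	return hits
}

// Scan reads JSON-lines telemetry and counts matches per rule.
func Scan(jsonl string) (map[string]int, error) {
	counts := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad line %q: %w", line, err)
		}
		for _, h := range Classify(ev) {
			counts[h]++
		}
	}
	return counts, nil
}

// SampleTelemetry is constructed for this example, not captured from an infection.
const SampleTelemetry = `
{"event_id":1,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\Update.exe","command_line":"\"C:\\Users\\alice\\AppData\\Local\\Temp\\Update.exe\""}
{"event_id":1,"image":"C:\\Windows\\System32\\net1.exe","command_line":"net1 user BQTLockAdmin Str0ngPass! /add"}
{"event_id":4720,"target_user":"BQTLockAdmin"}
{"event_id":1,"image":"C:\\Windows\\System32\\schtasks.exe","command_line":"schtasks /create /tn \"Microsoft\\Windows\\Maintenance\\SystemHealthCheck\" /tr C:\\Users\\alice\\AppData\\Local\\Temp\\Update.exe /sc onlogon"}
{"event_id":4698,"task_name":"\\Microsoft\\Windows\\Maintenance\\SystemHealthCheck"}
{"event_id":13,"target_object":"HKU\\S-1-5-21-1004\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute"}
{"event_id":3,"dest_host":"discord.com"}
{"event_id":1,"image":"C:\\Windows\\System32\\notepad.exe","command_line":"notepad.exe"}
`

func main() {
	counts, err := Scan(SampleTelemetry)
	if err != nil {
		panic(err)
	}
	for rule, n := range counts {
		fmt.Printf("%-40s %d\n", rule, n)
	}
}
```

The account name and task path are high-signal strings, but the affiliate tiers described earlier let operators customise parts of the build, so treat them as indicators to pair with the behavioural rules (a process under %TEMP% running net user /add or schtasks /create, registry writes under Software\Classes\ms-settings or mscfile, outbound connections to Discord from a non-browser process) rather than as the only thing a detection depends on.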
Threat Actor Behavior:
Despite promotional claims that Bqtlock is fully undetectable (FUD), independent analysis found defects such as corrupted ISO payloads, and the samples have drawn only limited VirusTotal submissions, most of them from Lebanon. The operators remain highly active on social media and underground forums, advertising:
This reflects the commercialization of ransomware campaigns, transforming them from isolated attacks into full-scale service offerings.
Conclusion:
The Bqtlock ransomware represents a rapidly evolving threat in the cybercrime ecosystem, combining advanced evasion techniques with a commercialized RaaS model that lowers the barrier for affiliates. Its continual enhancements, such as credential theft and UAC bypasses, highlight a clear focus on sophistication and scalability. Active promotion across underground forums further amplifies its reach, making it a significant risk to organizations worldwide. Proactive defenses, continuous monitoring, and strong backup strategies are critical to mitigating the impact of this growing threat.
Bqtlock presents significant threats to organizations, ranging from the encryption and potential loss of critical data to the exposure of sensitive information through double-extortion tactics. Its ability to disrupt operations by halting key processes and altering system configurations further amplifies the impact, while its credential theft features heighten the risk of subsequent intrusions. Beyond operational downtime, organizations face considerable financial strain from ransom demands and recovery efforts, coupled with potential reputational harm caused by public data leaks.
https://labs.k7computing.com/index.php/examining-the-tactics-of-bqtlock-ransomware-its-variants/