Two advanced ransomware variants, known as BQTLock and GREENBLOOD, have recently appeared on the cybersecurity scene. These malicious software families employ differing tactics to disrupt businesses and extort victims, marking a significant shift in ransomware strategies.
Ransomware Tactics and Strategies
Traditional ransomware attacks typically involve immediate encryption upon infection. However, BQTLock and GREENBLOOD have introduced a new level of sophistication. BQTLock focuses on stealth and intelligence gathering, transforming initial infections into potential data breaches before locking files. In contrast, GREENBLOOD is designed for rapid action, utilizing the Go programming language to encrypt systems and erase forensic evidence shortly after execution.
Operational Differences and Impacts
These ransomware strains differ significantly in their operational approaches. BQTLock acts as a covert surveillance tool initially, embedding itself within legitimate processes to avoid detection and exfiltrate sensitive information. GREENBLOOD, on the other hand, employs a swift ‘smash and grab’ method, using ChaCha8 encryption to quickly incapacitate networks and leverage pressure through a TOR-based leak site.
Any.Run analysts have observed these differing behaviors in sandbox environments, emphasizing the importance of early detection. Effective containment requires identifying the attack before encryption takes place, as seen in the real-time behavioral chains captured by the ANY.RUN interactive sandbox.
Technical Sophistication of BQTLock
BQTLock is notable for its complex infection chain designed to circumvent standard security measures. Instead of immediately demanding ransom, it injects a Remcos payload into explorer.exe, a critical Windows process, to evade detection by antivirus tools. By blending in with normal system activity, it can navigate the network undetected, escalating privileges for further exploitation.
The malware uses a User Account Control (UAC) bypass through fodhelper.exe to gain administrative rights without user intervention, ensuring persistent access even after system reboots. This entrenched access facilitates the secondary phase of the attack, which involves stealing credentials and screen captures for extortion purposes.
Security professionals are advised to prioritize behavioral monitoring over static file signatures. Detecting interactions between explorer.exe and fodhelper.exe can serve as a critical alert for this malware. Keeping threat intelligence feeds updated with the latest command-line arguments and infrastructure details of these ransomware types is essential to prevent recurring infections.
By leveraging tools like ANY.RUN, organizations can proactively detect and mitigate threats posed by these sophisticated ransomware families.
