Ransom note | Image: K7 Security Labs
A new ransomware strain has entered the cybercrime marketplace, blending technical sophistication with aggressive marketing. Researchers at K7 Security Labs have uncovered BQTLock, a Ransomware-as-a-Service (RaaS) operation that has been making waves on dark web forums and Telegram since mid-July 2025.
According to the report, “Ransomware-as-a-Service (RaaS), marketed on dark web forums or Telegram channels, is a growing model in the cybercrime ecosystem where ransomware developers offer their malicious tools and infrastructure to affiliates in a subscription model or a profit share.”
This model lowers the bar for cybercriminals. Even affiliates with no coding experience can launch ransomware campaigns, relying on pre-built payloads, encryption mechanisms, and cryptocurrency-based payment portals.
First spotted on social media, BQTLock is tied to ‘ZerodayX’, a figure linked to the pro-Palestinian hacktivist group Liwaa Mohammed and the Saudi Games data breach. Distributed in ZIP archives containing Update.exe, the malware encrypts files with the .bqtlock extension and drops a ransom note demanding payment in Monero (XMR).
Victims are given 48 hours to respond; after that the ransom demand doubles and the stolen data is put up for sale. The note threatens, “after 7 days, the decryption keys will be deleted permanently, and the attackers will sell the collected user data on their website.”
BQTLock deploys a wide range of counter-forensics and persistence techniques:
- Anti-analysis: The ransomware uses IsDebuggerPresent() for debugger detection, string obfuscation, and virtual machine evasion.
- Privilege escalation: It acquires SeDebugPrivilege and bundles UAC bypasses via cmstp.exe, fodhelper.exe, and eventvwr.exe.
- Process hollowing: Hollows out an explorer.exe process so its code runs under a trusted process name.
- Persistence: Creates scheduled tasks disguised as Microsoft\Windows\Maintenance\SystemHealthCheck.
- Exfiltration: System data, screenshots, and logs are sent via Discord webhooks—a tactic increasingly abused by threat actors.
The ransomware also manipulates wallpapers, file icons, and registry settings to intimidate victims, while terminating security processes to ensure smooth encryption.
K7 Security Labs highlighted that the malware is evolving rapidly:
- Enhanced obfuscation in the August 2025 variant.
- Credential theft from browsers including Chrome, Firefox, Edge, Opera, and Brave.
- Lateral movement through self-copying executables in %TEMP%.
- Forensic evasion, such as log clearing and self-deletion via batch scripts.
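The techniques in the two lists above map to concrete endpoint telemetry. What follows is an added detection example, not code from the K7 report or from this article: it runs a handful of hunting rules over normalised Sysmon-style event records (process creation, registry writes, scheduled-task creation, outbound HTTP) and reports which rule fired on which event. The sample records are constructed for the example. The scheduled-task name is the one quoted above; the ms-settings and mscfile registry keys are the ones the public fodhelper.exe and eventvwr.exe bypasses hijack; the assumption that logs are cleared with wevtutil cl is the example's own, since the report excerpt does not name the method; and the field names (type, image, parent, cmdline, target, task, action, url) are this example's normalisation, not any vendor schema.

```python
"""Hunt for the BQTLock indicators listed above in normalised endpoint telemetry.
Events are plain dicts with Sysmon-like fields; the sample records at the bottom
are constructed for this example, not taken from the K7 report."""
import re


def image_name(path):
    """Lower-cased basename of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Keys hijacked by the public fodhelper.exe (ms-settings) and eventvwr.exe (mscfile)
# UAC bypasses. HKCU\Software\Classes is logged by Sysmon as HKU\<SID>_Classes.
UAC_HIJACK_KEY = re.compile(
    r"(?i)(Software\\Classes|_Classes)\\(ms-settings|mscfile)\\shell\\open\\command")
AUTO_ELEVATE = {"fodhelper.exe", "eventvwr.exe", "cmstp.exe"}
USER_WRITABLE = re.compile(r"(?i)\\(Temp|AppData|Users\\[^\\]+\\(Downloads|Desktop))\\")
# Parents that normally start explorer.exe; a hollowed copy is started by the dropper instead.
EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe", "svchost.exe"}
DISGUISED_TASK = r"\Microsoft\Windows\Maintenance\SystemHealthCheck"  # name from the report
DISCORD_WEBHOOK = re.compile(r"(?i)https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/")


def uac_registry_hijack(e):
    return e["type"] == "registry_set" and bool(UAC_HIJACK_KEY.search(e["target"]))

def autoelevate_from_user_path(e):
    # fodhelper/eventvwr/cmstp launched by a binary living in a user-writable directory
    return (e["type"] == "process_create" and image_name(e["image"]) in AUTO_ELEVATE
            and bool(USER_WRITABLE.search(e.get("parent", ""))))

def explorer_unexpected_parent(e):
    # Cheap proxy for hollowing into explorer.exe: explorer started by an unexpected parent.
    return (e["type"] == "process_create" and image_name(e["image"]) == "explorer.exe"
            and image_name(e.get("parent", "")) not in EXPLORER_PARENTS)

def disguised_scheduled_task(e):
    # The exact name from the report, plus any task whose action lives in a user-writable path.
    return e["type"] == "task_create" and (
        e["task"].lower() == DISGUISED_TASK.lower() or bool(USER_WRITABLE.search(e["action"])))

def discord_webhook_post(e):
    return e["type"] == "network" and bool(DISCORD_WEBHOOK.search(e["url"]))

def event_log_cleared(e):
    # Assumes the usual "wevtutil cl <log>"; the report excerpt does not name the method.
    return (e["type"] == "process_create" and image_name(e["image"]) == "wevtutil.exe"
            and bool(re.search(r"(?i)\bcl\b|clear-log", e.get("cmdline", ""))))

def batch_self_delete(e):
    # cmd.exe deleting an .exe in a user-writable path (the classic "ping ... & del" trick).
    cmd = e.get("cmdline", "")
    return (e["type"] == "process_create" and image_name(e["image"]) == "cmd.exe"
            and bool(re.search(r"(?i)\bdel\b.*\.exe", cmd)) and bool(USER_WRITABLE.search(cmd)))


RULES = [uac_registry_hijack, autoelevate_from_user_path, explorer_unexpected_parent,
         disguised_scheduled_task, discord_webhook_post, event_log_cleared, batch_self_delete]


def hunt(events):
    """Return (rule_name, event_id) for every rule that fires on every event, in event order."""
    return [(rule.__name__, e["id"]) for e in events for rule in RULES if rule(e)]


# Constructed sample telemetry for one infected host (hypothetical user "alice").
DROPPER = r"C:\Users\alice\Downloads\Update.exe"
STAGED = r"C:\Users\alice\AppData\Local\Temp\Update.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set", "image": DROPPER,
     "target": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001_Classes\ms-settings\shell\open\command\(Default)"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System32\fodhelper.exe",
     "parent": DROPPER, "cmdline": "fodhelper.exe"},
    {"id": 3, "type": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent": DROPPER, "cmdline": "explorer.exe"},
    {"id": 4, "type": "task_create", "task": DISGUISED_TASK, "action": STAGED},
    {"id": 5, "type": "network", "image": r"C:\Windows\explorer.exe",
     "url": "https://discord.com/api/webhooks/123456789012345678/AbCdEf"},
    {"id": 6, "type": "process_create", "image": r"C:\Windows\System32\wevtutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wevtutil cl Security"},
    {"id": 7, "type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "parent": DROPPER,
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "' + STAGED + '"'},
    # Benign noise that must not fire: a normal logon shell and a stock Windows task.
    {"id": 8, "type": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"id": 9, "type": "task_create", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe"},
]

if __name__ == "__main__":
    for rule, event_id in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Run it as a script to print the hits, or import hunt() and feed it your own records. The explorer.exe parent check and the user-writable task action check are heuristics and will need tuning against legitimate software in your estate; the registry-key and webhook rules are the high-confidence ones.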
The report warns, “The updated variant retains its previous functionality with extra obfuscation while expanding its capabilities with new features like credential theft and enhanced anti-analysis techniques.”
Unusually, BQTLock is marketed almost like a software startup. The developers offer subscription packages—Starter, Professional, and Enterprise—complete with customization options for ransom notes, wallpapers, and even anti-debug features.
Yet, researchers doubt some of its bold claims. “ZeroDayX markets BQTLock as a FUD (Fully Undetectable) ransomware, claiming it is undetected by all AVs. However, the sample distributed was a corrupted ISO file, which appears non-functional.”