The cybersecurity landscape has seen the emergence of two advanced ransomware families, BQTLock and GREENBLOOD, which employ opposing tactics to extort victims and interfere with business operations. Whereas typical ransomware attacks frequently follow a predictable pattern of instant encryption, these new strains show a risky change in strategy.
By emphasizing espionage and stealth, BQTLock effectively turns the initial infection into a data breach before any files are locked. GREENBLOOD, on the other hand, is designed for speed, using the Go programming language to encrypt systems and remove forensic evidence in a matter of minutes. The attack vectors and operational objectives of the two threats differ greatly. In its early phases, BQTLock functions like a clandestine surveillance tool, embedding itself in trusted system processes so that no security alerts are triggered.
Because of this, threat actors can retain long-term access and gather private data without being discovered right away. GREENBLOOD instead takes a "smash and grab" approach, employing fast ChaCha8 encryption to paralyze networks immediately and exerting pressure through a TOR-based leak site. This duality leaves defenders with a difficult task, since they have to account for both high-velocity destruction and slow-burning espionage.
During recent sandbox sessions, ANY.RUN analysts observed these distinct behaviors and pointed out that identifying the attack before encryption takes place is necessary for effective containment.
The entire behavioral chain could be seen in real time by analysts using the ANY.RUN interactive sandbox.
[Figure: the complete BQTLock attack execution chain inside the sandbox (Source: Any.Run)]
Ransomware behavior and cleanup activity were visible inside the ANY.RUN interactive sandbox while the attack was still in progress, enabling early detection at the most crucial point.
According to their research, early behavioral indicators, such as sudden process injections or rapid file modifications, are frequently the only warning signs present before serious harm is done.
[Figure: the complete GreenBlood attack chain visible within the sandbox (Source: Any.Run)]
Security teams can shift from reactive recovery to proactive containment by monitoring these chains in a controlled setting, stopping the threat before it gains traction.
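The "rapid file modifications" indicator mentioned above can be turned into a simple rate rule: flag any process that touches an unusually large number of distinct files within a short window, which is exactly the pattern a fast ChaCha8 encryptor produces. The following is an added example, not code from the article or from ANY.RUN; the file-write events, process IDs, paths and thresholds are all constructed for the demonstration, and real deployments would tune the threshold against baseline activity.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

FileEvent = Tuple[str, int, str]  # (ISO-8601 timestamp, pid, file path)


def build_sample_events() -> List[FileEvent]:
    """Constructed file-write telemetry (not real data): pid 5000 overwrites 30
    documents in three seconds, pid 1000 saves five files over a minute."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    events: List[FileEvent] = []
    for i in range(30):
        ts = base + timedelta(milliseconds=100 * i)
        events.append((ts.isoformat(), 5000, rf"C:\Users\u\Documents\report_{i}.docx"))
    for i in range(5):
        ts = base + timedelta(seconds=12 * i)
        events.append((ts.isoformat(), 1000, rf"C:\Users\u\Documents\notes_{i}.txt"))
    return events


SAMPLE_FILE_EVENTS = build_sample_events()


def detect_bursts(events: List[FileEvent], threshold: int = 20,
                  window_seconds: int = 5) -> List[Dict]:
    """Sliding-window burst detector: alert once per process when it modifies
    at least `threshold` distinct files within `window_seconds`."""
    per_pid: Dict[int, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted: Set[int] = set()
    alerts: List[Dict] = []
    for ts_s, pid, path in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        ts = datetime.fromisoformat(ts_s)
        window = per_pid[pid]
        window.append((ts, path))
        # Drop events that have fallen out of the time window.
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "window_start": window[0][0].isoformat(),
                           "window_end": ts_s, "files": len(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_FILE_EVENTS):
        print(f'pid {alert["pid"]} modified {alert["files"]} files between '
              f'{alert["window_start"]} and {alert["window_end"]}')
```

The detector fires on the twentieth distinct file rather than waiting for the process to finish, which is the point of the article's argument: a burst rule gives the SOC a signal while most of the data is still intact.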
The Evasion and Persistence Mechanisms of BQTLock
BQTLock sets itself apart with an extremely complex infection chain that circumvents common defenses. The malware does not ransom the device immediately after it is executed. Instead, it injects a Remcos payload directly into the core Windows process explorer.exe.
Traditional antivirus programs that trust normal operating system processes are essentially rendered blind by this technique, which lets the malicious code pass for legitimate system activity. By remaining undetected, the attackers can move around the network and escalate their privileges without drawing attention. To guarantee that it keeps control of the compromised system, BQTLock uses fodhelper.exe to carry out a User Account Control (UAC) bypass. This technique gives the malware elevated administrative rights without prompting the user for consent.
Once elevated, it creates autorun persistence, which ensures that the malicious access survives system restarts. With this degree of established access, the attackers can move into their secondary phase, stealing credentials and capturing screenshots to increase their leverage for extortion.
[Figure: credentials stolen by BQTLock (Source: Any.Run)]
Instead of concentrating solely on static file signatures, security teams are encouraged to focus on behavioral monitoring. For this strain, identifying the specific interaction between explorer.exe and fodhelper.exe can serve as a high-fidelity alert.
[Figure: IOCs (Source: Any.Run)]
To avoid recurrent infections, organizations should also make sure that their threat intelligence feeds are updated to recognize the distinct infrastructure and command-line arguments associated with these new families.