Dark Web Profile: BQTLock Ransomware

BQTLock is a new and advanced Ransomware-as-a-Service (RaaS) that has quickly gained attention for its disruptive operations and unique methods. Emerging from the Middle East and expanding globally, it shows fast technical growth and uses aggressive extortion tactics.

The group runs wave-based campaigns, demands payment mainly in Monero (XMR), and blends financial motives with propaganda. This mix of profit and ideology is unusual in ransomware, making BQTLock a case of special interest for us at SOCRadar as researchers and defenders.

This overview scratches the surface. For a deep dive check out our whitepaper “Inside BQTLock Ransomware” that explores the full scope of BQTLock’s operation in detail.

Who is BQTLock Ransomware?

This threat group developed ransomware, which gave its name to the operation. Its main representative is Karim Fayad (known online as ZeroDayX or ZeroDayX1), supported by Fuch0u, who frequently appears on the adversary’s public pages. The group appears to maintain close relationships with pro-Palestinian hacktivist groups such as Liwaa Mohammed, with mutual activity on social networks.

Publicly, BQTLock emphasizes political messaging and ideological motives; however, the primary internal driver is financial gain, contrasting with true hacktivist operations. This dual model, part hacktivist, part criminal, introduces a novel twist to traditional RaaS models, raising questions about the potential misuse of political narratives to instill fear while pursuing financial objectives.

The core team appears to include ZeroDayX and Fuch0u, who have historically been linked to accounts such as Anonymous Lebanon, and have had interactions with LulzSec-related accounts and Anonymous affiliated activities.

In addition, both BQTLock and ZeroDayX itself have had direct interactions with the pro-Palestinian hacktivist group Liwaa Mohammed, who proclaims himself as the leader of this organization, and has consistently posted BQTLock update messages through Telegram channels managed by the hacktivist group.

ZeroDayX was doxed by another hacktivist group, R00TK1T, which directly linked him to LulzSec. His real name was revealed as Karim Fayad, with personal information exposed that connected the current leader of BQTLock directly to these hacktivist groups.

The proximity and potential authorship of the same user or relationship with different hacktivist groups, as well as that of BQTLock, is evident across all the social networks mentioned, creating a solid core of organization and communication.

Analysis shows BQTLock’s leadership (Karim Fayad aka ZeroDayX and Fuch0u), ties to Liwaa Mohammed, possible past links to LulzSec and Anonymous Lebanon, and victim listings with ransom demands totaling over 700 XMR (~190k USD).

The BQTLock team has consistently communicated via Telegram channels, which have been used for propaganda, information about updates, and to liaise with RaaS affiliates. Victims were also left a note with an email address for more direct and professional communication.

What are BQTLock’s Targets?

Since BQTLock burst onto the scene, it has appeared in various orchestrated campaigns or attacks that have severely impacted victims.

Confirmed Victims

• USA Military Alumni Networks – full computer and database backups compromised, with an unpaid demand of 500 XMR.

• eFunda, Inc. – over 270 subdomains affected, with full backups encrypted and an unpaid demand of 600 XMR.

• European Business Server Cluster – servers in Europe were targeted, and 1500 XMR was requested.

The adversary boasts on their various social media platforms about attacks on the domains of the mentioned targets, which belong to sectors such as education or public-military matters, fitting into the usual modus operandi of similar threat actors that started before BQTlock, following the aforementioned argumentative line, where targets are generally from the US, with components that the adversary can use for their pro-Palestine narrative.

Target Industries

Beyond confirmed victims, BQTLock and possible affiliates using its RaaS model show patterns seen in other new ransomware groups with pro-Palestinian propaganda. Their behavior often follows similar paths, though shaped by their own traits.

Potential BQTLock victim types:

• Healthcare: Low defenses, high criticality, risks to human life, and strong propaganda value in key countries.
• Education: Weak cybersecurity, links to companies, and valuable intellectual property.
• SMEs/SMBs: Limited security budgets, often supply chains for larger firms, making breaches more impactful.
• Public sector: Local governments and agencies serve as test grounds due to weak defenses, with added hacktivist potential.
• Critical infrastructure: Complex but attractive targets in energy, utilities, and logistics, with political or public ties.
• Financial sector: Banks and fintech, combining real financial damage with symbolic attacks on “Western capitalism.”

Target Countries

Confirmed attacks hit organizations in the United States and Europe. BQTlock’s hacktivist stance shapes victim choice for both its core group and affiliates, making it key to track likely targets. These include the US and Israel as “resistance” symbols, European states with pro-Israel policies or many multinationals, and “Western-aligned”nations such as Australia, Canada, Saudi Arabia, India, and the UAE.

This strategy allows BQTlock to justify attacks as “acts of resistance” while sustaining a profitable business model, creating a dangerous precedent where economic motivations are concealed under seemingly legitimate political causes.

How Does BQTLock Ransomware Operate?

As stated before, BQTLock runs under a Ransomware-as-a-Service model, with the core team developing the malware and affiliates carrying out attacks in exchange for a share of the ransom.

Decryption Waves

A key feature is its wave-based decryption system, using hacktivist slang like 1337, LULZ, and 313 as pricing tiers. Victims pay between 13 and 40 XMR, depending on the wave, with demands sometimes reaching millions. In less than three months, BQTLock has claimed at least three companies, with earnings likely above 1,000 XMR (~$300,000).

Affiliate Program

The group also sells access to affiliates in starter, professional, and enterprise tiers (9–30 XMR). Buyers get customization options, support, and full platform access.

The system also implements psychological pressure tactics on victims, where ransom fees double after 48 hours and decryption keys are destroyed after 7 days without response.

Technical Details

Once the attacker has gained access, they can develop their activities by trying to obtain information from the compromised device, also discovering information about adjacent disks or networks in order to move tools or the ransomware itself to other devices and detonate it.

The adversary has recently worked with a ZIP file, a package that contains the main ransomware executable along with supporting files. This package often includes legitimate libraries, not custom-built ones, but they serve an important role: making the malware resilient and self-sufficient.

The libraries cover several core functions. For encryption, BQTLock relies on OpenSSL with AES-256 and RSA-4096. For communication, it supports common protocols like HTTP/HTTPS, QUIC, SSH, and FTP, often tied to platforms such as Discord or Telegram. It also uses multiple compression algorithms, including Brotli, Zstandard, and Zlib, which help speed up operations and manage stolen data. Other libraries handle tasks like multi-threading and asynchronous communication, ensuring smoother execution.

By bundling these files, BQTLock avoids depending on what is already installed on a victim’s system. This guarantees that the ransomware can execute consistently, even in diverse environments. Thus, it also signals that the malware is still under development, with the operators experimenting and showcasing its capabilities to attract new affiliates.

Decryptor

BQTLock includes an example decryptor designed to scan drives, search folders for encrypted files, and attempt recovery through its decrypt function. This tool is only a sample; the complete version is kept private and made available only to affiliates who buy into the Professional or Enterprise tiers.

The group has gone further by showcasing this decryptor publicly. On social media platforms such as Telegram and X, they share demonstrations of new versions running in different environments, passing file extensions and keys to execute the operation. These displays serve both as proof of capability and as promotion to potential affiliates.

Versions

The main ransomware binary has evolved quickly despite BQTLock’s short lifespan. Developers have consistently updated the malware, adding features and refining techniques across multiple versions.

After analyzing various samples, BQTlock presents itself as ransomware that contains a large number of interesting characteristics that we will review in order to understand how they work, with the objective of breaking down all relevant functionalities and having an orderly understanding of the work done by the developers, taking into account that the binary usually uses multi-threading in the latest versions, allowing it to perform operations simultaneously.

Builder

The Builder is central to BQTLock’s RaaS model, giving affiliates wide control over how the ransomware operates and looks on victim systems.

There are two versions: Windows and Linux. The Windows Builder is the more advanced, allowing customization of ransom notes, encrypted file extensions, size limits, and communication channels like Discord, Telegram, or dedicated C2 servers. It also includes advanced options such as process termination, persistence, anti-VM/debug, UAC bypass, backup deletion, process hollowing, and even double-extortion features like screenshot capture and browser data theft. Affiliates can also modify icons and wallpapers for visual impact.

The Linux Builder is less developed but still offers key functions, including note and extension customization, process termination (targeting tools like OSSEC or Splunk), persistence via systemd, anti-analysis features, and backup removal with rm -rf. Visual customization is also available. Its capabilities are expected to expand, reflecting the importance of Linux servers in enterprise environments.

Attack Chain

The malware’s behavior may vary depending on the version, but the execution chain tends to remain consistent in terms of the tasks it performs. Depending on the builder, additional capabilities may be included.

Initial Access

The exact entry points used by BQTLock remain unclear, but several common methods from other RaaS operations provide strong clues. Attackers may exploit exposed services such as RDP with weak or stolen credentials, often purchased through Initial Access Brokers. Phishing emails carrying malicious ZIP files have also been linked to BQTLock, with the payload disguised as Update.exe. Other likely routes are the exploitation of unpatched software and supply chain compromises.

Execution

BQTLock starts by writing a log file in the temporary folder (WindowsTempbqt_log.txt). This file records each step of execution while avoiding system folders that could raise suspicion.

It then collects operating system details such as version and build. To prevent duplicate execution, a mutex in GUID format is created, which changes with each build and is harder to detect.

The malware also checks for analysis environments. It looks for virtual machines and active debuggers using functions like IsDebuggerPresent and CheckRemoteDebuggerPresent. If found, it can change behavior to hinder researchers.

Finally, BQTLock queries external services like icanhazip[.]com to capture the victim’s public IP. This gives operators context about the infected device and its location.

Discovery

After setup, BQTLock gathers detailed information about the infected system. It collects the computer name and username, which help identify the victim.

In some versions, it queries BIOS and motherboard serial numbers through WMI. This data is used to generate unique identifiers and to profile the machine more precisely.

The malware also scans connected drives and shared folders. It records the size of each disk and how much free space remains. This helps operators decide what to encrypt and how to move across the network.

By combining hardware details with storage data, BQTLock builds a full picture of the victim environment. This information supports both encryption and extortion later in the attack.

Privilege Escalation

In this stage, BQTLock performs less common actions to gain higher control. It can create new administrator accounts before running the ransomware, giving operators or affiliates more freedom to launch tools or execute malware with elevated rights. It also checks who is running the sample to confirm sufficient permissions.

Newer versions add User Account Control (UAC) bypass methods. These allow the malware to run legitimate binaries (LOLbins) that auto-elevate without showing the usual approval prompt. The technique used depends on the Windows version:

• Windows 11: Copies the payload to a temporary path (bqt_btpass.inf) and runs it with cmstp.exe.
• Windows 10: Alters the registry key HKCUSoftwareClassesms-settingsShellOpencommand and launches fodhelper.exe to trigger the payload.
• Windows 7/8: Alters the registry key HKCUSoftwareClassesmscfileshellopencommand and uses eventvwr.exe to run the payload.

If the malware already has administrator rights, these steps may not be required.

After the bypass, BQTLock adjusts tokens to further raise privileges, using functions like OpenProcessToken, Token_Adjust_Privileges, and SeDebugPrivilege. This ensures control at the highest level.

OpenProcessToken+Token_Adjust_Privileges(0x28)+LookUpPrivilegeValueA+SeDebugPrivilege

Finally, the ransomware creates administrator accounts with names such as BQTLockAdmin or Guest_[ID]. The ID is generated during execution, making each sample unique. Passwords are basic but meet minimum security rules: at least eight characters, including uppercase, lowercase, numbers, and symbols.

Command & Control (C2)

After escalating privileges, BQTLock connects to its command-and-control servers. Samples have used IPs like 92[.]113[.]146[.]56 and 208[.]99[.]44[.]55.

During this phase, the malware registers the infected device. It sends details such as:

• Operating system version
• Hostname and username
• BIOS and motherboard serials
• Public IP address
• Administrator account and password created earlier
• API key (BQTLOCK_…)

This data is encrypted with RSA and sent to the server. In return, the server provides a BOT-ID, which links each victim machine to a campaign. That same ID is added to ransom notes so victims can communicate with the attackers in an organized way.

BQTLock also has fallback options. It can send the same information to a Telegram bot or upload stolen files via Discord webhooks. These methods give affiliates more flexibility, ensure infections can still be tracked if a panel is taken down, and allow operators to receive alerts on mobile devices.

Once contact is established, BQTLock begins stealing additional data. It can take screenshots of the desktop and search for browser profiles to extract saved credentials.

Stolen passwords are stored in a text file and then exfiltrated. One such exfiltration platform is Discord. Using these kinds of common platforms makes traffic look normal and gives the group an easy way to manage data without running its own infrastructure.

Impact

In this stage, the malware first prepares a ransom wallpaper. It decodes static code at runtime into a BMP file and saves it in the temporary directory before applying it with Windows API calls.

Simultaneously, it deletes recovery options by abusing vssadmin and wmic to wipe shadow copies and using bcdedit to disable Windows startup repair and recovery environment.

Following system modifications, the malware verifies running processes, a technique designed to eliminate processes that could either halt encryption or alert users to BQTLock’s presence, such as database application failures. The malware employs the standard approach of capturing running processes and comparing them against an internal blacklist, terminating any matches found.

The malware also has evasion capabilities. During the analysis, if a monitored process is detected, it can be modified to bypass the check and avoid termination.

After these steps, it performs process hollowing, injecting its code into explorer.exe to appear as a legitimate process and avoid detection.

Persistence is established through scheduled tasks, often named SystemHealthCheck or BQTLock_Startup_[ID], which run the malware at every startup.

In some cases, it attempts lateral movement by copying files via WMIC or creating remote services. Older versions may also delete the original binary after execution, relying on scheduled tasks to maintain presence.

Once file movement and injection are completed, depending on the version, the malware may execute original binary deletion. Since it commonly creates copies in temporary directories, this improves evasion. With persistence already established in the system, a scheduled path will be called at each iteration. This execution commonly occurs using `cmd.exe` or through batch files in older versions.

In the most critical phase where encryption begins, multi-threading becomes most apparent, as the sample systematically traverses each disk to locate target files for encryption.

During this operation, the sample accesses functions that prepare the ransom note, typically stored as Base64-encoded strings that are processed during execution. The filename is variable since the builder allows modification of both the filename and the extension used for renaming encrypted files, which is also prepared during this phase.

Encryption is performed using a hybrid AES-256 + RSA-4096 scheme while iterating through selected files with separate threads. Each file receives AES encryption, and each key is encrypted with RSA (using OpenSSL) public key cryptography that can only be decrypted with the private key held by affiliates or operators who launched the attack. During the process, depending on the sample, files may be renamed to .temp, then encrypted and changed to “.bqtlock”.

What Actions Should You Take Against BQTLock Ransomware?

Understanding how BQTLock works is only useful if paired with strong defenses. Organizations need measures to detect, respond to, and prevent attacks.

Detection

Focus monitoring on the ransomware’s known behaviors. Look for suspicious account creation, use of tools like vssadmin, bcdedit, or schtasks, and outbound traffic to Telegram or Discord. Deploy the Sigma and Yara rules provided in the SOCRadar platform to flag these early.

Response & Remediation

If an infection occurs, speed matters:

• Containment: Disconnect compromised systems from networks, disable suspicious accounts, and block remote access protocols like RDP and SMB.
• Disruption: Kill injected processes, cut C2 channels by blocking Telegram, Discord, and known BQTLock IPs, and revoke stolen credentials.
• Forensics: Collect memory dumps, disk images, and security logs before wiping or restoring machines.
• Clean-up: Remove scheduled tasks, registry changes, and malicious binaries. Reset all administrative passwords and audit account creation logs. Restore systems from clean, offline backups or consider forensic recovery if backups are unavailable.

Prevention

The best defense is making it hard for ransomware to take root:

• Harden endpoints: Limit access to Windows tools often abused by ransomware and block untrusted code from running in %Temp% or %AppData%.
• Control accounts: Disable the default Administrator account and enforce MFA on RDP and VPN access.
• Secure backups: Maintain segmented, immutable backups and test recovery regularly.
• Network protection: Block communication with Telegram, Discord, and suspicious C2 addresses. Monitor for unusual outbound traffic, especially from processes like explorer.exe.

Conclusion

BQTLock is a versatile RaaS with traits that set it apart from others, rooted in strong political propaganda uncommon in this space. Its goals will remain framed as ideology, though the true motive is criminal. The group will keep evolving its ransomware and seeking exposure to attract affiliates, aiming to climb in global rankings.

Though its infrastructure, malware, and site may change, its core ideals and direction stay constant. SOCRadar’s Ransomware Intelligence provides visibility into these shifts, helping defenders prepare and respond.

Stay tuned for our upcoming whitepaper, where we will dive deeper into BQTLock’s technical evolution, attack chain, and IoCs.

What are the MITRE ATT&CK TTPs of BQTLock Ransomware?

IoCs

• 425b2f283b71237276f84d941d9c2982c7f61a9aff12ece10e15065b73b7165e
• b211537ea626fae4ad2ef5ee2652633dc68aaf20da6eb953a44f266c4106b367
• 11affbeb18f4d6edcc9a4be5a82f8e23dfc31178887e97119faa5ddc75990494
• 00005ed250d85fc47e4c3883b8e6179a9888b8140acfeb94a40edc36bd523adb
• a6a397fec6c109a1402c6f1144d647843b2093f65fedd27204b40ebeea0640b6
• 618070d597dd73c43ba5d4bde2baa93a4f6038e3279de3bafe688caa5c409a58
• cd5e7b3b59cea14b804f6c01821d1ab94a0046422fe956f623b238c5db0cac99
• 4369aed581de0fe84c25a1ef2c3cf0bb6bf70df8b51fdf38b3b0b2a55f43261b
• 862f29aa00bb4ee33729bc6699990dbdf9ef890b8364f8288b173cb1ca5d6787
• 49f89b2fdef345a9d92fc821e4a226d8ac99e4ca0d2d11b5654f6557800b85f2
• 881b048234ebed82339244eb0c18580d785944dc82f83949f6adc1a9bc225c3b
• f77c203d0c80598954c06a0f6f0c46f8b885ba423d12a21f13ded0168aa11b10
• dacbba7f18d0835deb2eeb4e4d82c8f57234767291a90da1a5f3fd02d6bc13c2
• fbd67a3bcc964e370931f620a85bf368d7b5797ebc1d53fe3be11a89a90e7961
• 10938c2d01dc999d2fe1f8c635e3705e7e663077935a17e730c849d1191c76ed
• e2622ede1ebe5a37c439a32f0c63c13f893d1e5513b27367502898651cc5464b
• 590e47944ef0597bf1ff1d41656859b776e7031a4611cbf22d619002cbe49312
• 97524f4c582e0fbe46b74a7cfe4db9f078f368520cda25f27a50c5d2c50161f9
• 56eec59a5fe3f5a3c2c836701557bf1956770f465cd9e049995b86aef76a3e39
• b61ae633616d7dd29aaf0b170fdfbe8f282c0f8bdcb1c52aedee473ce4bf5789
• 780e34c72404fd464669626ae554b81393d2bae95293284b375bb5d989914486
• 5b992a3438e344dddcdd66151a40efb3452b2ff37cdc40b37db612afeb29ed29
• 008ec0226066572f4b27f100d08443120b9dd55cefbec2bbff994b5b552e546c
• 0ccd3f2d7e6637eaf5414e35b97d9d8bf6b8e4182859cace8ca8e02377a4e62a
• 9547933dd46501af7fc095a3513e48b81178e344b86e075b679259875f0fd5a7
• af90666822646e35eb52248f4a89eb715ce9f44459205bc24827a2aafe053548
• 324eabc27a25f524c94bb62573986b3335ab5181ddc6825d959d16aaaccdc7aa
• b7796a3b1812f329c43d5d37bbb6d8032b7bc06b15af29f555eb3e0c7b1b1c3d
• 9cd62dbace3324487124787127cff7c63a9f005d8d3aff9bac28c437e5caefc7

• 92.113.146[.]56
• 208.99.44[.]55

• bcoins[.]online

Visit the SOCRadar platform for further IoCs to come and rules to detect.