BQTLOCK Ransomware Detection: New RaaS Operators Employ Advanced Detection Evasion Techniques

Ransomware-as-a-Service (RaaS), promoted on dark web forums and popular messaging platforms like Telegram, is an expanding cybercrime model in which developers lease ransomware and infrastructure to affiliates through subscriptions or profit-sharing. A newly discovered ransomware strain, named BQTLOCK, has been active since mid-summer 2025. It is distributed through a full RaaS model and relies on multiple anti-analysis techniques to hinder detection and forensic investigation.

Detect BQTLOCK Ransomware Attacks

Ransomware continues to evolve in sophistication and impact, with both new variants and retooled older strains emerging. One such example is the relatively new Crypto24 Ransomware Group, which has been striking major organizations in the U.S., Europe, and Asia.

The 2025 Verizon DBIR shows ransomware in 44% of breaches, up from 32% last year. A key driver is RaaS, which removes the need for coding skills, letting even novice attackers subscribe to ready-made ransomware much like a streaming service. With the emergence of a new BQTLOCK ransomware variant operating as RaaS and using advanced evasion techniques, organizations should enhance proactive defenses to preempt ransomware attacks.

Register for the SOC Prime Platform to future-proof the organization’s cybersecurity posture, leveraging top expertise and AI for enterprise-ready protection. The Platform provides security teams with AI-native threat intel and curated detection algorithms, backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Click the Explore Detections button to reach a collection of context-enriched detection rules addressing BQTLOCK-related ransomware activity.


All detections can be applied across diverse SIEM, EDR, and Data Lake solutions and are aligned with MITRE ATT&CK®. Each rule is enriched with extensive metadata, such as CTI links, attack timelines, triage recommendations, and more relevant context. 

Security engineers can also take advantage of the comprehensive stack of detection rules addressing ransomware attacks globally by leveraging the corresponding “Ransomware” tag. 

Additionally, teams can rely on Uncoder AI, introduced with enhanced capabilities in the latest SOC Prime Platform release, which now offers the AI Chat Bot and MCP tools to help security teams manage any threat detection task end-to-end, co-piloted by AI. For instance, using Uncoder AI, security professionals can instantly visualize Attack Flow or search for IOCs based on the K7 Security Labs research covering BQTLOCK RaaS operations. 

Use Uncoder AI to visualize an Attack Flow related to the BQTLOCK ransomware attacks covered in the K7 Security Labs research.

BQTLOCK Ransomware Analysis

The newly emerged BQTLock ransomware operating under a RaaS model has been tied to ZerodayX, the alleged leader of the pro-Palestinian hacktivist group Liwaa Mohammed, and is reportedly linked to the notorious Saudi games data breach. Since mid-July 2025, BQTLock has evolved into a more advanced variant that incorporates a set of anti-analysis techniques.

According to the latest in-depth analysis from K7 Security Labs, BQTLOCK uses a tiered RaaS subscription model with Starter, Professional, and Enterprise plans, offering customizable features such as ransom note editing, wallpaper changes, file extension settings, and adjustable anti-analysis capabilities like string obfuscation, debugger checks, and virtual machine evasion to bypass detection.

Distributed in a ZIP archive containing an executable named Update.exe, the ransomware encrypts local files of all types, appends the custom extension .bqtlock, and drops a ransom note. It also exfiltrates sensitive data via Discord webhooks for C2. Once executed, it conducts system reconnaissance by gathering hostnames, IPs, hardware details, and disk space before establishing persistence and triggering encryption.

All transactions are conducted in Monero (XMR). The ransom note follows a double extortion model: victims are given 48 hours to reach out via Telegram or X, with ransom demands reaching 40 XMR, equivalent to $10,000. Failure to comply doubles the ransom, and after 7 days the decryption keys are destroyed and the stolen data is published or sold on the attackers’ site.

ZerodayX promotes BQTLock as FUD (Fully Undetectable) ransomware, allegedly invisible to antivirus solutions. However, the distributed sample was a corrupted ISO file that had been submitted to VirusTotal only once, from Lebanon, which suggests it was uploaded by the developer or a close associate. These signs cast doubt on the claimed FUD capabilities and point to possible exaggeration or deceptive promotion.

BQTLOCK escalates privileges by enabling SeDebugPrivilege and using process hollowing on explorer.exe to hide malicious code within legitimate processes. For persistence, it creates a scheduled task and adds a backdoor admin account. The latest variant also employs UAC bypasses via CMSTP.exe, fodhelper.exe, and eventvwr.exe registry tricks, allowing silent elevation without user prompts.
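As an added example that is not part of the K7 Security Labs research or SOC Prime's rule content, the Python below runs a handful of simple detection checks over constructed Sysmon-style events covering the behaviours described in this paragraph and in the distribution paragraph above: writes to the registry keys used by the fodhelper.exe and eventvwr.exe UAC bypasses (widely documented paths, assumed here rather than quoted from the research), those auto-elevating binaries or CMSTP.exe launched from an unexpected parent, outbound Discord webhook URLs, and files written with the .bqtlock extension. The event layout, the file paths and the webhook URL are all constructed sample values.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style telemetry for illustration; not captured BQTLOCK logs.
EVENTS: List[Dict[str, str]] = [
    {"type": "registry", "image": r"C:\Users\bob\Downloads\Update.exe",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command"},
    {"type": "process", "image": r"C:\Windows\System32\fodhelper.exe",
     "parent": r"C:\Users\bob\Downloads\Update.exe"},
    {"type": "process", "image": r"C:\Windows\System32\fodhelper.exe",
     "parent": r"C:\Windows\explorer.exe"},          # benign: user opened Settings
    {"type": "network", "image": r"C:\Users\bob\Downloads\Update.exe",
     "url": "https://discord.com/api/webhooks/000000/PLACEHOLDER_TOKEN"},
    {"type": "file", "image": r"C:\Users\bob\Downloads\Update.exe",
     "path": r"C:\Users\bob\Documents\report.docx.bqtlock"},
    {"type": "file", "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\Temp\cache.tmp"},          # benign file write
]

# Registry paths abused by the fodhelper/eventvwr UAC bypasses (ATT&CK T1548.002).
# These keys are widely documented; they are assumed here, not quoted from K7's write-up.
UAC_BYPASS_KEYS = re.compile(
    r"\\Software\\Classes\\(ms-settings|mscfile)\\shell\\open\\command$", re.I)
UAC_BYPASS_BINARIES = {"fodhelper.exe", "eventvwr.exe", "cmstp.exe"}
WEBHOOK_RE = re.compile(r"^https://discord(app)?\.com/api/webhooks/", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev: Dict[str, str]) -> Optional[str]:
    """Return an alert name when the event matches one of the checks, else None."""
    kind = ev["type"]
    if kind == "registry" and UAC_BYPASS_KEYS.search(ev["key"]):
        return "uac_bypass_registry_write"
    if kind == "process" and basename(ev["image"]) in UAC_BYPASS_BINARIES:
        # Launched from explorer.exe is ordinary user activity; other parents are suspect.
        if basename(ev["parent"]) != "explorer.exe":
            return "uac_bypass_binary_spawned"
    if kind == "network" and WEBHOOK_RE.match(ev.get("url", "")):
        return "discord_webhook_exfil"
    if kind == "file" and ev["path"].lower().endswith(".bqtlock"):
        return "bqtlock_extension_written"
    return None

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pair each firing alert with the image (process) that produced it."""
    return [(name, e["image"]) for e in events if (name := evaluate(e))]

if __name__ == "__main__":
    for name, image in scan(EVENTS):
        print(f"{name:28} {image}")
```

The checks are deliberately narrow; in production they would be correlated (for example, a registry write under ms-settings followed within seconds by fodhelper.exe from the same process tree) rather than fired individually.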

BQTLOCK developers announced version 4 as their final update after four rapid releases, raising doubts about whether this is a genuine halt or a rebranding. Following their Telegram ban, they offered free access for three days and introduced BAQIYAT.osint, a paid tool for searching stolen data. A newer variant, spotted on August 5, 2025, shows that ransomware development is still active. It adds credential-stealing features aimed at major browsers, including Chrome, Firefox, Edge, Opera, and Brave, posing an increased threat to potentially affected organizations.

With the growing risks of ransomware attacks and the emergence of novel RaaS operators who rely on advanced adversary techniques, rapid response from defenders is a top priority. SOC Prime curates a complete product suite backed by AI, automation, and real-time threat intelligence to help global organizations strengthen their defensive capabilities.
