ANY.RUN: BQTLock & GREENBLOOD Ransomware Attacking Organizations to Encrypt and Exfiltrate Data

New Ransomware Strains BQTLock and GREENBLOOD Showcase Evolving Threat Tactics

Two advanced ransomware families, BQTLock and GREENBLOOD, have emerged with distinct strategies, complicating detection and response for cybersecurity teams.

BQTLock operates as a stealthy espionage tool, embedding itself within legitimate system processes such as explorer.exe to evade detection. Using a Remcos payload, it bypasses traditional antivirus by masquerading as trusted Windows activity. The malware then executes a UAC bypass via fodhelper.exe, gaining elevated privileges without user interaction. Once persistence is established, it harvests credentials and screenshots, deliberately delaying encryption to maximize data theft before extortion.

In contrast, GREENBLOOD prioritizes speed, using ChaCha8 encryption implemented in Go to lock systems within minutes. It employs a "smash-and-grab" approach, deleting forensic evidence and pressuring victims via a Tor-based leak site. Unlike BQTLock’s slow infiltration, GREENBLOOD’s rapid execution leaves little time for intervention.

Analysts at ANY.RUN uncovered these behaviors in sandbox environments, where real-time execution chains revealed critical early indicators such as unexpected process injections and rapid file modifications. Detecting these signs before encryption is key to containment, as both strains exploit gaps in traditional signature-based defenses.

BQTLock’s persistence mechanisms and GREENBLOOD’s destructive speed highlight the need for behavioral monitoring and updated threat intelligence to counter these evolving threats. Organizations are advised to watch for anomalous interactions between explorer.exe and fodhelper.exe, along with the unique command-line patterns associated with these strains.
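The two early indicators called out above (a shell spawned under fodhelper.exe from explorer.exe, and a burst of file modifications by one process) as detection logic over constructed process and file events. This is an added example, not ANY.RUN's or Rankiteo's code; the suspicious-child list, the burst threshold and window, and every sample event are assumptions.

```python
# Added example, not ANY.RUN's or Rankiteo's code: two behavioural checks over
# constructed telemetry. Child list, threshold, window and sample data are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}  # assumption
FILE_BURST_COUNT, FILE_BURST_WINDOW = 50, timedelta(seconds=10)     # assumption

def _name(image):
    """Lower-cased basename of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()

def detect_uac_bypass_chain(proc_events):
    """proc_events: (ts, pid, ppid, image) tuples. Flags a shell or script host
    whose parent is fodhelper.exe and reports the grandparent (e.g. explorer.exe)."""
    image_of, parent_of, hits = {}, {}, []
    for ts, pid, ppid, image in proc_events:
        image_of[pid], parent_of[pid] = _name(image), ppid
        if _name(image) in SUSPICIOUS_CHILDREN and image_of.get(ppid) == "fodhelper.exe":
            grandparent = image_of.get(parent_of.get(ppid), "unknown")
            hits.append((ts, f"{grandparent} -> fodhelper.exe -> {_name(image)}"))
    return hits

def detect_file_bursts(file_events):
    """file_events: (ts, pid, path) tuples. Returns {pid: ts} for the first moment
    a process has modified FILE_BURST_COUNT files inside a sliding time window."""
    windows, flagged = defaultdict(deque), {}
    for ts, pid, _path in file_events:
        t, q = datetime.fromisoformat(ts), windows[pid]
        q.append(t)
        while t - q[0] > FILE_BURST_WINDOW:   # drop events outside the window
            q.popleft()
        if len(q) >= FILE_BURST_COUNT and pid not in flagged:
            flagged[pid] = ts
    return flagged

# Constructed sample events: an explorer -> fodhelper -> cmd chain, a benign-looking
# fodhelper launch, and one process (the cmd.exe child) touching 80 documents in 8 s.
SAMPLE_PROC = [
    ("2026-02-11T10:00:00", 1200, 900, r"C:\Windows\explorer.exe"),
    ("2026-02-11T10:00:05", 1300, 1200, r"C:\Windows\System32\fodhelper.exe"),
    ("2026-02-11T10:00:06", 1310, 1300, r"C:\Windows\System32\cmd.exe"),
    ("2026-02-11T10:01:00", 1400, 1200, r"C:\Windows\System32\fodhelper.exe"),
    ("2026-02-11T10:01:01", 1410, 1400, r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe"),
]
_base = datetime(2026, 2, 11, 10, 0, 7)
SAMPLE_FILES = [((_base + timedelta(milliseconds=100 * i)).isoformat(), 1310,
                 rf"C:\Users\victim\Documents\doc{i}.docx") for i in range(80)]
SAMPLE_FILES.append(("2026-02-11T10:05:00", 2000, r"C:\Users\victim\notes.txt"))
```

Calling `detect_uac_bypass_chain(SAMPLE_PROC)` returns the one explorer.exe -> fodhelper.exe -> cmd.exe chain, and `detect_file_bursts(SAMPLE_FILES)` flags pid 1310 at its 50th modification; the benign fodhelper launch and the single-file process are not reported.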

Source: https://cybersecuritynews.com/bqtlock-greenblood-ransomware-attacking-organizations/

ANY.RUN cybersecurity rating report: https://www.rankiteo.com/company/any-run

{
  "id": "ANY1770832431",
  "linkid": "any-run",
  "type": "Ransomware",
  "date": "2/2026",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}

{
  "attack_vector": ["Process Injection", "UAC Bypass", "Remcos Payload"],
  "data_breach": {
    "data_encryption": "Yes (ChaCha8 for GREENBLOOD)",
    "data_exfiltration": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Credentials", "Screenshots", "Sensitive Files"]
  },
  "description": "Two advanced ransomware families, BQTLock and GREENBLOOD, have emerged with distinct strategies, complicating detection and response for cybersecurity teams. BQTLock operates as a stealthy espionage tool, embedding itself within legitimate system processes to evade detection, while GREENBLOOD prioritizes speed with rapid encryption and destructive tactics.",
  "impact": {
    "data_compromised": "Credentials, Screenshots, Sensitive Files",
    "identity_theft_risk": "High"
  },
  "lessons_learned": "Detection of early indicators such as unexpected process injections and rapid file modifications is critical. Traditional signature-based defenses are insufficient against these evolving threats.",
  "motivation": ["Data Theft", "Extortion"],
  "post_incident_analysis": {
    "corrective_actions": ["Enhance behavioral monitoring", "Update threat intelligence", "Monitor for anomalous process interactions"],
    "root_causes": ["Exploitation of legitimate system processes", "UAC bypass techniques", "Lack of behavioral monitoring"]
  },
  "ransomware": {
    "data_encryption": "Yes",
    "data_exfiltration": "Yes",
    "ransomware_strain": ["BQTLock", "GREENBLOOD"]
  },
  "recommendations": "Implement behavioral monitoring, update threat intelligence, and watch for anomalous interactions between system processes (e.g., explorer.exe and fodhelper.exe).",
  "references": [{"source": "ANY.RUN"}],
  "response": {"enhanced_monitoring": "Behavioral Monitoring"},
  "title": "Emergence of BQTLock and GREENBLOOD Ransomware Strains",
  "type": "Ransomware"
}