New Ransomware Strains BQTLock and GREENBLOOD Showcase Evolving Threat Tactics Two advanced ransomware families, BQTLock and GREENBLOOD, have emerged with distinct strategies, complicating detection and response for cybersecurity teams. BQTLock operates as a stealthy espionage tool, embedding itself within legitimate system processes such as explorer.exe to evade detection. Using a Remcos payload, it bypasses traditional antivirus by masquerading as trusted Windows activity. The malware then executes a UAC bypass via *fodhelper.exe*, gaining elevated privileges without user interaction. Once persistent, it harvests credentials and screenshots, delaying encryption to maximize data theft before extortion. In contrast, GREENBLOOD prioritizes speed, leveraging Go-based ChaCha8 encryption to lock systems within minutes. It employs a "smash-and-grab" approach, deleting forensic evidence and pressuring victims via a TOR-based leak site. Unlike BQTLock’s slow infiltration, GREENBLOOD’s rapid execution leaves little time for intervention. Analysts at ANY.RUN uncovered these behaviors in sandbox environments, where real-time execution chains revealed critical early indicators such as unexpected process injections and rapid file modifications. Detecting these signs before encryption is key to containment, as both strains exploit gaps in traditional signature-based defenses. BQTLock’s persistence mechanisms and GREENBLOOD’s destructive speed highlight the need for behavioral monitoring and updated threat intelligence to counter these evolving threats. Organizations are advised to watch for anomalous interactions between explorer.exe and fodhelper.exe, along with the unique command-line patterns associated with these strains.