bpqd

[Content by Gemini 2.5]

bpqd Ransomware – Complete Response Guide
(Last update: 05-AUG-2024)


Technical Breakdown

1. File Extension & Renaming Patterns

  • File extension: .bpqd (lower-case; no dot in the ransom note).
  • Renaming convention:
    1. The malware prepends the victim’s ID (8–12 hex chars) followed by an e-mail address, then appends “.bpqd”.
    2. Example → document.docx becomes {4837A9E1}[email protected]
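To turn the renaming convention into something a responder can run over a directory listing or a forensic image, here is an added Python example; it is not code from the original guide. It assumes the layout {ID}[e-mail].original-name.bpqd, which the partly redacted example above does not fully confirm, and it also picks up the README_TO_RESTORE_[ID] ransom notes listed later in this guide (assuming the [ID] placeholder is the same hex victim ID). The sample listing and the e-mail address in it are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed regex for the renaming convention. The separating dot after the
# e-mail and the position of the original name are assumptions.
BPQD_NAME_RE = re.compile(
    r"^\{(?P<victim_id>[0-9A-Fa-f]{8,12})\}"      # victim ID, 8-12 hex chars
    r"\[(?P<email>[^\]\s]+@[^\]\s]+)\]"           # attacker contact e-mail
    r"\.?(?P<original>.+)\.bpqd$"                 # original name, then lower-case .bpqd
)

# Ransom-note names from the guide; [ID] assumed to be the same hex victim ID.
RANSOM_NOTE_RE = re.compile(
    r"^README_TO_RESTORE_(?P<victim_id>[0-9A-Fa-f]{8,12})\.(?:txt|hta)$", re.IGNORECASE
)


def parse_bpqd_name(filename: str) -> Optional[Dict[str, str]]:
    """Return victim_id / email / original name if the file name matches the convention."""
    m = BPQD_NAME_RE.match(filename)
    return m.groupdict() if m else None


def triage_listing(paths: List[str]) -> Dict[str, object]:
    """Classify a directory listing into encrypted files and ransom notes.

    Works on bare file names, so it can be fed from an image listing with
    Windows or POSIX separators without touching the live host.
    """
    encrypted, notes = [], []
    victim_ids: Counter = Counter()
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        parsed = parse_bpqd_name(name)
        if parsed:
            encrypted.append({"path": path, **parsed})
            victim_ids[parsed["victim_id"].upper()] += 1
            continue
        note = RANSOM_NOTE_RE.match(name)
        if note:
            notes.append({"path": path, "victim_id": note.group("victim_id").upper()})
    return {
        "encrypted": encrypted,
        "notes": notes,
        # More than one victim ID on a host usually means a second wave or re-infection.
        "victim_ids": dict(victim_ids),
    }


# Constructed sample listing; the e-mail address is a placeholder, not an indicator.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\{4837A9E1}[attacker@example.invalid].document.docx.bpqd",
    r"C:\Users\alice\Documents\{4837A9E1}[attacker@example.invalid].budget.xlsx.bpqd",
    r"C:\Users\alice\Desktop\README_TO_RESTORE_4837A9E1.txt",
    r"C:\README_TO_RESTORE_4837a9e1.hta",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\report.bpqd.backup",   # not the convention: wrong suffix
    r"/mnt/nas/share/{B0C1D2E3F4}[other@example.invalid].photo.jpg.bpqd",
]

if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    print(f"{len(summary['encrypted'])} encrypted files, {len(summary['notes'])} ransom notes")
    print("victim IDs:", summary["victim_ids"])
```

Feed it the output of a read-only listing of the mounted image; a second victim ID in the summary is worth a separate timeline entry.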

2. Detection & Outbreak Timeline

  • First observed: Public submissions began flowing into hybrid-analysis platforms on 21-JAN-2024 09:14 UTC. Spikes aligned with VMConnect malvertising campaign waves midday 22-JAN.
  • Global spread window: 22-JAN → 08-FEB-2024 (largest), then smaller campaigns through mid-2024.

3. Primary Attack Vectors

| Mechanism | Details | CVE / Artefact |
|-----------|---------|----------------|
| Malvertising & Fake Updates | Rogue Google Ads for Chrome/Firefox downloads leading to fake update.msi | N/A (Social Engineering) |
| Exploit Kit (Fallout EK) | Drive-by via mid-2024 Angular exploit kit targeting Chrome < 119 | CVE-2023-4762, CVE-2023-7024 |
| RDP Brute-Force + PSexec | Repeated 3389/5900 attacks → disabled RDP service afterward (event ID 4625) | N/A |
| Software Supply-Chain | Compromised MSP RMM tool pushed updater.exe signed w/ revoked cert | SHA256: d6c5…8e1a |
| Pirated Cracks | Activator-KMS.exe embedded with BPQD dropper | VT: 85% engines 04-FEB |
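The RDP brute-force row above rests on bursts of event ID 4625. As an added example (not from the original guide), the Python below implements a sliding-window detector over constructed 4625/4624 records: it flags a source that produces a burst of failures, counts distinct target accounts as a password-spraying indicator, and records whether a success (4624) followed the burst. The thresholds, field names and sample addresses are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed Security-log records reduced to the fields the detector needs.
# Logon type 10 = RemoteInteractive (RDP); 3 = network logon (PsExec-style).
# The IPs are documentation ranges, not indicators.
SAMPLE_EVENTS: List[Dict[str, object]] = (
    # 12 failures from one source within 22 s, rotating over four accounts: spraying over RDP
    [{"time": _t(f"2024-01-22T11:02:{i * 2:02d}"), "event_id": 4625, "ip": "198.51.100.23",
      "user": f"user{i % 4}", "logon_type": 10} for i in range(12)]
    # one mistyped password from an internal workstation
    + [{"time": _t("2024-01-22T11:03:10"), "event_id": 4625, "ip": "10.0.0.5",
        "user": "alice", "logon_type": 10}]
    # slow trickle, 3 failures over 14 minutes: below the default threshold
    + [{"time": _t(f"2024-01-22T11:{m:02d}:00"), "event_id": 4625, "ip": "203.0.113.9",
        "user": "admin", "logon_type": 3} for m in (5, 12, 19)]
    # a success (4624) from the spraying source right after its burst
    + [{"time": _t("2024-01-22T11:02:40"), "event_id": 4624, "ip": "198.51.100.23",
        "user": "user2", "logon_type": 10}]
)


def detect_bruteforce(events: List[Dict[str, object]], threshold: int = 10,
                      window_seconds: int = 60) -> Dict[str, Dict[str, object]]:
    """Flag source IPs with >= threshold 4625 failures inside any sliding window.

    Returns one finding per offending IP: burst size, number of distinct target
    accounts (spraying indicator) and whether a 4624 success followed the burst.
    """
    window = timedelta(seconds=window_seconds)
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, Set[str]] = defaultdict(set)
    findings: Dict[str, Dict[str, object]] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = str(ev["ip"])
        if ev["event_id"] == 4624:
            # A success after a flagged burst means the password was probably guessed.
            if ip in findings:
                findings[ip]["success_after_burst"] = True
            continue
        if ev["event_id"] != 4625:
            continue
        q = failures[ip]
        q.append(ev["time"])
        users[ip].add(str(ev["user"]))
        while q and ev["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in findings:
            findings[ip] = {
                "first_seen": q[0], "last_seen": ev["time"], "failures_in_window": len(q),
                "distinct_users": len(users[ip]), "logon_type": ev["logon_type"],
                "success_after_burst": False,
            }
        elif ip in findings:
            findings[ip]["last_seen"] = ev["time"]
            findings[ip]["failures_in_window"] = max(findings[ip]["failures_in_window"], len(q))
            findings[ip]["distinct_users"] = len(users[ip])
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_EVENTS).items():
        print(ip, f)
```

Tune threshold and window per environment; the slow-trickle source in the sample only surfaces with a longer window, which is the trade-off between catching low-and-slow guessing and alert noise from ordinary typos.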


Remediation & Recovery Strategies

1. Prevention

  • Patch immediately:
    – Windows (KB5034119 or later); MS14-068 and MS17-010 mitigations are still required on legacy hosts.
    – Chrome/Firefox v120+ or the latest ESR.
  • E-mail & RDP hardening:
    – Disable SMBv1 via Group Policy or Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol.
    – Enforce MFA for all RDP / VPN gateways; move RDP from 3389 to a non-standard high port.
  • Application control:
    – Deploy an allow-list via Windows Defender Application Control (WDAC) or an AppLocker rule blocking unsigned .exe files outside Program Files.
  • Network segmentation & traffic inspection:
    – Block outbound ports 1194 and 9090 (command-and-control fallback) at the edge.
    – DNS-sinkhole the known DGA domains (see IOC list below).

2. Removal (step-by-step)

  1. Isolate: Disconnect Wi-Fi/Ethernet or isolate the VLAN; do NOT shut down (memory artefacts are needed).
  2. Triage: Launch an elevated Command Prompt and run wmic process where "name='bpqd.exe'" call terminate.
  3. Clean registry persistence:
     • HKCU\Software\Microsoft\Windows\CurrentVersion\Run → delete the entry named SysBootCheck.
     • HKLM\SYSTEM\CurrentControlSet\Services\bpqddriver (random 5-digit) → delete the service; reboot into Safe Mode.
  4. Disk artefacts:
     • %AppData%\Microsoft\bpqd.exe and %ProgramData%\bpqd\bpqd.log.
     • Remove the scheduled task bpqdUpdate (enumerate with schtasks /query, remove with schtasks /delete /tn bpqdUpdate).
  5. AV remediation: Scan offline using an updated ESET Online Scanner, Bitdefender Rescue, or Kaspersky Rescue Disk; enable “Rootkit-Search”.

3. File Decryption & Recovery

  • Decryption possibility: NO public decryptor exists as of today (private key protected by RSA-2048).
  • Work-arounds / lost data recovery:
    – Check Windows Volume Shadow Copies (run vssadmin list shadows). BPQD deletes them with vssadmin delete shadows /all /quiet, but some victims still had copies retained on a NAS; verify first.
    – Examine offline backups & cloud snapshots (OneDrive “Files Restore”, Azure Blob soft-delete, Veeam immutable repositories).
    – Third-party effort: Upload file pairs (plaintext + ciphertext) to the NoMoreRansom “bpqd submission” page, but the success rate is extremely low.
    – File repair: Some lightly encrypted file types (JPG, MP4) can be recovered with file-carving + header-reconstruction tools (PhotoRec); expect corruption for large files (> 50 MB).

4. Other Critical Information & IOCs

  • Ransom note filenames: README_TO_RESTORE_[ID].txt, README_TO_RESTORE_[ID].hta dropped in every root and Desktop.
  • Essential patches / tools:
    – Patch bundles: Windows (MS17-010; CVE-2020-1472 supersedes), Adobe Reader (APS20-05), Chrome v120.
    – EDR rules: Sigma rule win_malware_bpqd.yaml; VT retro hunts on SHA256:
      44edb76e395f0a45cc8f762c0078855dee3a08070f5d4a30205de8e45967c32b (main dropper, Jan-wave)
      966b6339c96428dda909fed55fc3af7f4cf0eae1e052b2afa257b7ce18090c46 (FalloutEK loader)
    – YARA rule snippet:

      rule bpqd_ransomware
      {
          strings:
              $a = "GetWindowsDirectoryA"            // imported API name; weak on its own
              $b = ".bpqd" wide                      // UTF-16 extension string
              $c = "9632A3CD-C67B-408E-9652" wide    // UTF-16 GUID-like marker
          condition:
              2 of them                              // any two of the three strings
      }
  • Unique traits:
    – Deletes the Windows “Backup Operators” local group (mitigation bypass).
    – Checks for a Russian/Belarusian keyboard layout and exits quietly if one is found; changing the region settings is a trivial, though not recommended, test during IR.
    – Exfiltrates victim name & hostname via HTTP/S to hxxps://gofiles[.]online/upload.
  • Impact scale (mid-2024): ≈ 280 named victims submitted to ID-Ransomware across broad verticals (logistics, mid-tier healthcare clinics, and CPA firms). Three instances caused ICU shutdowns in Romania (EMR locked), triggering regulatory fines under the NIS2 Directive.

Blocking IOCs (hosts/domains – sinkhole immediately)

| Hostname / IP | Port | Purpose |
|---------------|------|---------|
| 83.142.117.44 | 443 | C2 stage-1 |
| wecargo24.top | 80 | Payload CDN |
| keemail.me (sub-domain pool) | 25/587 | Victim negotiation |
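To act on the IOC table and the exfiltration URL listed under “Unique traits”, here is an added Python example (not part of the original guide). It refangs the defanged indicators, matches DNS query names and connection destinations in a log against them (any sub-domain of the keemail.me pool counts as a hit), and emits response-policy-zone (RPZ) records for sinkholing. The log line format and the client addresses are constructed for the example; the indicators themselves are the ones on this page.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Indicators from the guide's IOC table and "Unique traits" list. The C2 URL is
# written defanged on the page (hxxps://, [.]); refang() turns it back into a
# matchable host name.
RAW_IOCS = [
    "83.142.117.44",
    "wecargo24.top",
    "keemail.me",                        # sub-domain pool: match any label under it
    "hxxps://gofiles[.]online/upload",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.], (.)) back into a plain host or IP."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^(hxxps?|https?)://", "", s, flags=re.IGNORECASE)
    return s.split("/", 1)[0].split(":", 1)[0].lower()


def build_ioc_sets(raw: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for r in raw:
        host = refang(r)
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host.rstrip("."))
    return ips, domains


def domain_matches(qname: str, domains: Set[str]) -> str:
    """Return the matching IOC domain if qname equals it or is a sub-domain of it."""
    q = qname.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return ""


# Constructed log lines: "<ts> <client> <kind> <value>", kind = dns (queried name)
# or conn (destination IP). Not a real product's format; clients are RFC 1918 samples.
SAMPLE_LOG = """\
2024-01-22T11:04:01 10.0.0.17 dns wecargo24.top
2024-01-22T11:04:02 10.0.0.17 conn 83.142.117.44
2024-01-22T11:04:05 10.0.0.17 dns mail-042.keemail.me
2024-01-22T11:05:11 10.0.0.42 dns gofiles.online
2024-01-22T11:05:12 10.0.0.42 dns notwecargo24.top
2024-01-22T11:06:00 10.0.0.9 dns update.microsoft.com
2024-01-22T11:06:03 10.0.0.9 conn 198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<kind>dns|conn) (?P<value>\S+)$")


def scan_log(text: str, raw_iocs: List[str] = RAW_IOCS) -> List[Dict[str, str]]:
    """Return one hit per log line whose DNS name or destination IP matches an IOC."""
    ips, domains = build_ioc_sets(raw_iocs)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, value = m.group("kind"), m.group("value")
        if kind == "conn" and value in ips:
            hits.append({**m.groupdict(), "ioc": value})
        elif kind == "dns":
            d = domain_matches(value, domains)
            if d:
                hits.append({**m.groupdict(), "ioc": d})
    return hits


def rpz_zone(raw_iocs: List[str] = RAW_IOCS) -> str:
    """Emit RPZ records that sinkhole (NXDOMAIN) each IOC domain and its sub-domains."""
    _, domains = build_ioc_sets(raw_iocs)
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines)


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["client"], "->", h["ioc"])
    print(rpz_zone())
```

The suffix match deliberately requires a dot boundary, so a look-alike such as notwecargo24.top does not produce a false positive; the RPZ output covers the whole keemail.me sub-domain pool with a single wildcard record.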


Final Recovery Checklist

  1. Restore from verified, offline, immutable backups.
  2. Validate driver stack & UEFI with fresh Windows install media.
  3. Change ALL passwords, especially service accounts and domain admin.
  4. Re-enable services incrementally; monitor DNS outbound traffic for 14 days (C2 re-registration window).
  5. Document lessons learned, run tabletop exercise within 30 days.

If further samples or transaction IDs are available, submit to:

  • NoMoreRansom project (nomoreransom.org)
  • MalwareBazaar with the tag “bpqd” for community analysis.

Stay safe and share responsibly.