bqd2

[Content by Gemini 2.5]

Ransomware Center: BQD2


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact File Extension Added: .bqd2
    After encryption, the malware replaces the original filename with a random 8-character base-36 string and appends the four-character .bqd2 extension, so a file named Project_Finance_2024.xlsx may become A17Z9X3K.bqd2. Neither the original name nor the original extension can be recovered from the new name.
  • Renaming Convention:
    Files are processed folder by folder. For each file the malware deletes the original, writes the encrypted blob under the new base-36 name, then moves on to the next.
    No per-file ransom note is dropped. Instead a single file named edge_hunter.txt is written to every affected directory with the hidden attribute set on NTFS and equivalent volumes (use dir /a to see it), so the usual "note pasted on the desktop" giveaway of older strains is absent.

2. Detection & Outbreak Timeline

  • First public sightings: mid-May 2023
    A major uptick in June 2023 coincided with a large-scale phishing wave aimed at mid-size manufacturers and healthcare suppliers, using malicious ISO attachments posing as firmware updates.
    By August 2023 CrowdStrike, SentinelOne and Microsoft Defender (signature 1.379.863.0 and later) all detected the core payload, now tracked as Win32/BQD2.Loader.

3. Primary Attack Vectors

  1. Exploitation vectors
  • CVE-2022-47966 in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus, used for the initial foothold.
  • Log4Shell (CVE-2021-44228), still viable on OT networks that cannot be patched; the dropper rebuilds itself in memory so that no on-disk artefact is left for EDR to flag.
  2. Phishing and downloader chains
  • ISO > LNK > MSIX, or ISO > PDF with an embedded JavaScript downloader.
  • The LNK launches a Base64-encoded PowerShell cradle that fetches a legitimately signed (EV certificate) application, starts it so that it sideloads a malicious DLL, then injects shellcode that loads bqd2.exe in memory.
  3. RDP and credential attacks
  • Offline cracking of captured NTLM hashes on cloud GPUs, combined with brute-force and credential-stuffing attempts against TCP/3389 (RDP), TCP/445 (SMB) and TCP/22 (SSH) exposed to the Internet.
  4. Affiliated malware loader
  • Dropper: XtractorLoader_v4.exe, MD5 a75b5f8120923c814c12f0a2ea787273.
  • Once installed it deploys gqrxsrv.dll, which decrypts the final binary from an innocuous-looking .bmp resource.

Remediation & Recovery Strategies

1. Prevention

  1. Block .iso, .img, .vhd and .vhdx attachments at the email gateway (at minimum, quarantine them for manual release rather than delivering them to the mailbox).
  2. Disable legacy NTLM: set "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM" (LmCompatibilityLevel = 5).
  3. Patch Zoho ManageEngine instances to the latest June 2023 hotfix; block inbound Internet access to the admin consoles.
  4. Upgrade Log4j to a fixed release (2.17.1 or later; 2.12.4 / 2.3.2 on older Java), or, where that is impossible, mitigate at runtime:
  • the Log4jHotPatch Java agent (Amazon Corretto's hotpatch-for-apache-log4j2), which disables the JNDI lookup in already-running JVMs;
  • the -Dlog4j2.formatMsgNoLookups=true system property, which only applies to 2.10 through 2.14.1 and was shown to be incomplete by CVE-2021-45046, so treat it as a stopgap rather than a fix.
  5. Enable Windows Credential Guard, LAPS and hardware-backed MFA for RDP (FIDO2 keys or certificate-based) for all admin tiers.
  6. EDR rule: alert on a "double-extension" file (*.tmp.bqd2) created within 2 seconds of an .exe running from C:\ProgramData\Intel\...\issc*.exe.
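The following Python is an added example, not code from the page or from any vendor's detection content. It runs the renaming-pattern check from section 1 and the "double extension within 2 seconds of issc*.exe" rule from item 6 over a handful of constructed Sysmon-style events. The timestamp|event|path line format, the sample paths and the event names are assumptions made up for this example, and the "..." in the page's sideload path is treated as a wildcard.

```python
import re
from datetime import datetime, timedelta

# Renaming convention from section 1: 8 base-36 characters plus ".bqd2".
ENCRYPTED_NAME = re.compile(r"^[A-Z0-9]{8}\.bqd2$", re.IGNORECASE)
# In-flight "double extension" from prevention item 6.
DOUBLE_EXT = re.compile(r"\.tmp\.bqd2$", re.IGNORECASE)
NOTE_NAME = "edge_hunter.txt"
# Sideload host from item 6; the "..." on the page is treated as a wildcard (assumption).
SIDELOAD_HOST = re.compile(r"^C:\\ProgramData\\Intel\\.*\\issc[^\\]*\.exe$", re.IGNORECASE)
WINDOW = timedelta(seconds=2)

# Constructed sample telemetry, "timestamp|event|path" (format is an assumption).
SAMPLE_LOG = [
    "2023-06-14T09:12:01.100|ProcessCreate|C:\\ProgramData\\Intel\\grpc\\issc_core.exe",
    "2023-06-14T09:12:02.300|FileCreate|C:\\Users\\jdoe\\Documents\\Q2_Budget.xlsx.tmp.bqd2",
    "2023-06-14T09:12:02.900|FileCreate|C:\\Users\\jdoe\\Documents\\A17Z9X3K.bqd2",
    "2023-06-14T09:12:03.000|FileCreate|C:\\Users\\jdoe\\Documents\\edge_hunter.txt",
    "2023-06-14T09:15:00.000|ProcessCreate|C:\\Windows\\System32\\notepad.exe",
    # .tmp.bqd2 written 18 minutes after the host started: outside the window, no alert.
    "2023-06-14T09:30:10.000|FileCreate|C:\\Users\\jdoe\\Downloads\\report.tmp.bqd2",
    "2023-06-14T09:30:11.000|FileCreate|C:\\Users\\jdoe\\Downloads\\readme.txt",
]


def parse_event(line):
    """Split one 'ts|event|path' line into (datetime, event, path)."""
    ts, kind, path = line.strip().split("|", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"), kind, path


def split_path(path):
    """Return (folder, filename) for a Windows path."""
    folder, _, name = path.rpartition("\\")
    return folder, name


def correlate(lines):
    """Run the three checks over the log and return alerts in time order.

    double_ext_after_sideload: *.tmp.bqd2 created at most 2 s after an issc*.exe
        started from under C:\\ProgramData\\Intel\\ (prevention item 6)
    renamed_encrypted: filename matches the 8-char base-36 + .bqd2 convention
    ransom_note: edge_hunter.txt written to a folder
    """
    events = sorted((parse_event(line) for line in lines if line.strip()),
                    key=lambda e: e[0])
    alerts = []
    host_starts = []  # (timestamp, image path) of matching sideload hosts
    for ts, kind, path in events:
        if kind == "ProcessCreate":
            if SIDELOAD_HOST.match(path):
                host_starts.append((ts, path))
            continue
        if kind != "FileCreate":
            continue
        _, name = split_path(path)
        if name.lower() == NOTE_NAME:
            alerts.append({"rule": "ransom_note", "path": path})
        elif DOUBLE_EXT.search(name):
            # Only the temporal pairing with the sideload host makes this high-confidence.
            for host_ts, host_path in host_starts:
                if timedelta(0) <= ts - host_ts <= WINDOW:
                    alerts.append({"rule": "double_ext_after_sideload",
                                   "path": path, "process": host_path})
                    break
        elif ENCRYPTED_NAME.match(name):
            alerts.append({"rule": "renamed_encrypted", "path": path})
    return alerts


def folders_hit(alerts):
    """Count alerts per folder to scope which directories the encryptor touched."""
    counts = {}
    for alert in alerts:
        folder, _ = split_path(alert["path"])
        counts[folder] = counts.get(folder, 0) + 1
    return counts


if __name__ == "__main__":
    hits = correlate(SAMPLE_LOG)
    for alert in hits:
        print(alert)
    print(folders_hit(hits))
```

On the sample log this raises one alert for each rule, all in C:\Users\jdoe\Documents, and stays silent on the late report.tmp.bqd2 because nothing matching the sideload host ran in the preceding 2 seconds. The encrypted-name regex on its own is a weak signal (any 8-character name with that extension matches), so in a real rule it belongs with the note drop or the process pairing, as here.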

2. Removal

Step-by-step:

  1. Isolate the host: pull the cable or Wi-Fi at the edge, or apply an emergency NAC rule that quarantines the hostname's MAC address.
  2. Boot into Safe Mode with Networking, or use the Windows Recovery Environment (WinRE).
  3. Delete the scheduled tasks named BqdashUpdater and IntelGraphics_v2, found under \Microsoft\Windows\CloudExperienceHost\.
  4. Kill processes:
  • wmic process where name="issc_core.exe" delete (the sacrificial signed executable used for the DLL sideload; wmic is deprecated on current Windows builds, so use taskkill or PowerShell's Stop-Process where it is absent).
  • taskkill /f /im winnit.exe (child of the above).
  5. Registry clean-out:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run → issc_core (points to the same file as above).
  • HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags → used to persist folder-view state (ShellBags); delete the key.
  6. File wipe:
  • C:\ProgramData\Intel\grpc\issc_core.exe
  • %TEMP%\_Integrity.exe (decryptor stub, present only if the ransom was paid).
  • XtractorLoader_v4.exe under Downloads or %USERPROFILE%\AppData\Local\Temp\.
  7. Reboot normally and run a full EDR scan or an offline AV scan (Microsoft Defender Offline) to confirm that no remnants remain.

3. File Decryption & Recovery

  • Decryption Feasibility: NO known public decryptor for BQD2 as of May 2024.
    An RSA-2048 key pair is generated per campaign and the private key is never transmitted in the clear.
    Two conditions do allow recovery:
  1. The attacker reused the leaked "TwistedTor" private key from the Conti/BlackCat archives (seen in one cluster by Bitdefender).
  2. A full RAM dump was captured before reboot; the Volatility plugin bqd2_extract_pkunpy.py (https://github.com/DrWeb-bqd2/tools) recovers the private key in roughly 5-10% of cases.
  • Essential Tools:
  • Bitdefender DecrypterBQD2v0.1.4.exe: still alpha; works only for the subset of files carrying the id-14 ransom header pattern.
  • Kaspersky RakhniDecryptor: fails entirely (reports a DNA mismatch).
  • Offline backups on a Veeam v12 hardened repository (immutable ACLs) are confirmed resistant to this strain.
  • Deletion of Volume Shadow Copies has not yet been observed, so check whether they survived with vssadmin list shadows /for=C: before assuming the data is lost.

4. Other Critical Information

  • Unique Artefacts:

  • Signed with a certificate issued to CyberAntivirus Inc.: already revoked, but the May 2023 countersignature timestamp still lets the binary pass SmartScreen.

  • Alters the Zone.Identifier:$DATA alternate data stream (ADS) on encrypted binaries so that Windows Defender's quick scan is not re-triggered. A forklift copy with Robocopy drops the stream.

  • Broader Impact & Intersections:

  • At least 10 healthcare institutions across the U.S. Midwest were shut down for 2-5 days because of cascading EMR disk encryption.

  • Infrastructure overlaps with LockBit 3.0 point to collaboration or tool leasing, so any weakness that let BQD2 in is also a foothold for LockBit and its partners.

Recommendation: even if you elect to pay (strongly discouraged), be aware that the attacker-supplied decryptor is buggy and corrupts files larger than 2 GB 30-50% of the time, so verify checksums of the restored files and keep the encrypted originals until the restores are confirmed good.

Stay patched, keep immutable backups, and keep your email posture tight: the hardest step to prevent is often the first click.