Underground Marketplace Unveils New Ransomware Offering QBit with Advanced Encryption & Customization

On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.
Published on
November 4, 2023
Blog Image

Category:  Malware Intelligence

Motivation: Financial

Region:  Global


C: Fairly reliable

1: Confirmed by independent sources

Executive Summary

On 23 October 2023,  CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations. The ransomware targets Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions and the ESXi variant is under development. The encrypter has been packed using UPX.

Ransomware as a Service (RaaS) is a criminal business model where individuals or groups of cybercriminals create and distribute ransomware to other malicious actors, often for a fee or a percentage of the profits. RaaS enables less technically skilled individuals to become involved in cybercrime and launch ransomware attacks.

With various encryption schemes, the encrypter can also stop services and terminate processes that could interfere with the encryption of files.

The threat actor also offers a separate program called File Stealer that is designed for exfiltrating files to an online file-sharing platform called mega[.]nz. 

Analysis and Attribution

The key features and offerings of this ransomware are as follows as claimed by the threat actor:

  • Efficient Concurrency: Utilizing Go's capabilities, this ransomware promises faster execution, lower detection rates, and enhanced versatility.
  • Cross-Platform Compatibility: The ransomware has been tested on both Windows (from Windows 7 to Windows 11, including x32 and x64) and various Linux distributions (CentOS, Ubuntu, Linux Mint, Endeavour OS, Fedora) in 64-bit versions.
  • ESXi Variant: An ESXi variant is mentioned to be in the early stages of development, indicating potential expansion into the virtualization environment.
  • Unique Builds: The ransomware generates unique builds for each operation, reducing the risk of detection and obviating the need for a crypter.
  • Key Features: The ransomware offers fast encryption using a hybrid logic (Salsa20 + RSA 2048), various encryption modes (Full, Partial, and Smart), timely execution, obscured binaries, anti-analysis techniques, direct syscalls, multi-threading, and a decryption tool.
  • Customization: The threat actor offers customization options, including pre-execution shell-code injection, file exfiltration, and personalized information gathering about the target system, all at no extra cost.

Threat actor announcing a new ransomware service (RaaS) named QBit

Upon closer examination of the post, our source has unearthed a significant level of interest from multiple threat actors. Notably, some individuals expressed curiosity about the profit-sharing arrangement. In response, the original poster (OP) revealed that the division is set at 85/15, signifying that 85% of the profits are allocated to the affiliate, while the remaining 15% is retained by the Ransomware as a Service (RaaS) provider.

OP discussing the profit-sharing arrangement

Analysis of its Functionalities

The piece of malware (encrypter) was packed using a well-known open-source packer known as UPX. Before unpacking the size of the malware was 1.4 MB with an entropy level of 8. Upon unpacking the binary, the malware expanded to a size of 4.92 megabytes. When writing this, there have been no reported instances of this particular strain on VirusTotal.

During the execution, the binary presents users with multiple options such as:

  • -activation string: it’s set by the user to specify a particular date and time when the binary will get executed.
  • -log: this option enables the user to display log messages on the user interface.
  • -method string: Allows you to specify the encryption method. Options include "full," "partial," or "smart" (default is "full").
  • -nobk: If this option is used, the program won't change the desktop wallpaper during its operation.
  • -nodel: If provided, the program won't perform self-destruction after the encryption process is completed.
  • -nomutex: Deactivates Mutex. When set, the program can run multiple instances simultaneously.
  • -pass string: Requires a password to run the program.
  • -path string: Specifies the paths to be encrypted, separated by commas. If not provided, the program will encrypt all logical drives from A to Z.
  • -stopserv: Stops services and terminates processes that could interfere with the encryption of some files. This action typically requires ADMIN or SYSTEM privileges.
  • -thread int: Allows you to set the number of threads for processing (default is 4).

Functionalities come with the encrypter

Upon executing the ransomware using, “Encryptor.exe -log -pass=01 -method=smart”, we get the following popup:

The smart method uses intermittent technology to speed up the speed of encryption, meaning it only encrypts certain parts of the file/data.

The files, zip, and applications were encrypted with a .660 extension which is calculated based on the GUID (Globally Unique Identifier), a 128-bit unique identifier that is generated by the operating system (OS), or applications to uniquely identify resources, objects, components, or other items within the Windows environment. This extension remains constant for a particular user’s OS.

Since extensions are generally three letters long, it has taken the first three characters of the victim’s machine GUID as portrayed above. It is significant because the same 4-digit characters have been used to name the dropped image file in the temp directory as mentioned below.

Upon successful execution of the encrypter, we were able to spot the dropped file named 6609.jpg in the Temp directory.

The ransomware searches for the following file extensions to encrypt: com, exe, bat, cmd, vbs, vbe, js, jse, wsf, wsh, msc.

The following is the sample “readme-recover.txt” file that got dropped on the victim’s desktop. 

Change of desktop wallpaper after encryptor execution

Qbit group additionally offers the following:

  • Advanced phishing methodologies for attacking different organizations that are offered as an optional package with an extra fee.
  • They have a separate program called File Stealer, which they have advertised on underground forums in the past. It can be used to exfiltrate large amounts of files to mega.nz drive by default. 

They provide a custom solution as well so the files are directly exfiltrated to the threat actor’s RDP/VPS of choice instead of mega[.]nz.

Threat Actor Activity and Rating

Threat Actor Profiling

Active since

23 October 2023 (on RansomedVC)



Current Status



RaaS (developing ransomware and stealer, source: HUMINT)


C: Fairly reliable

1: Confirmed by independent Sources

Indicators of Compromise (IoCs)

Files Obtained


C:\Users\john doe\AppData\Local\Temp


C:\Users\john doe\Desktop


Packed Malware: 3d8722a8bb75f7bfe699ad691e0dd46fb6f8c105ab3c3866f48e587d44d92abf

Unpacked Malware: 204d3d3e61e61771185265afa508a1db574ace3f50afcb20a3ebc41d30519108

Article by
Shreya Talukdar
Related Posts
Blog Image
December 7, 2023

Exploring the Dark Web: Understanding Cybersecurity Threats and Safeguarding Strategies

Discover how to navigate and protect against Dark Web threats. Learn about cyber risks, real-time monitoring, and securing your digital presence.

Blog Image
November 27, 2023

How Cybercriminals Utilize Dark Web Forums for Collaboration and Trade

Dive into the depths of the dark web, understanding its nature, operations, and the role of Tor in offering online anonymity. Discover how dark web forums function and the significance of their security measures.

Blog Image
November 8, 2023

How AI is reshaping the Cyber Threat Landscape

Explore the double-edged sword of AI in cybersecurity. This insightful blog delves into how artificial intelligence is revolutionizing defenses while also empowering cybercriminals. Understand the dual-use dilemma of AI in the ever-evolving cyber threat landscape.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.