BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar

BlueSky ransomware is an emerging threat observed since mid-2022 that spreads through trojanized downloads and phishing emails, encrypts files rapidly, and moves laterally over SMB in Windows environments. It uses multi-stage PowerShell droppers, SMB-based propagation, anti-analysis techniques, and a TOR-based decryptor portal to monetize infected systems. #BlueSkyRansomware #RemcosRAT #JuicyPotato #SMBGhost #CVE2022-21882 #CVE2020-0796 #kmsauto_us

Key points

  • BlueSky was first noted in late June 2022 and has been seen spreading via trojanized downloads from questionable websites and phishing emails.
  • Delivery uses cracked software sites or keygens and can come via third-party frameworks such as Cobalt Strike and BRc4.
  • After infection, BlueSky encrypts files rapidly and moves laterally over SMB, including in Active Directory environments.
  • The campaign features a multi-stage infection with PowerShell droppers (start.ps1, stage.ps1) and privilege-elevation attempts using CVEs.
  • BlueSky employs anti-analysis and stealth techniques (e.g., NtSetInformationThread with information class 0x11, ThreadHideFromDebugger) and uses a multithreaded approach to speed up encryption.
  • The malware enumerates local drives, uses SMB/NetShareEnumW for lateral movement, and excludes numerous file types from encryption.
  • Ransom notes direct victims to a Decryptor Portal with a recovery ID; victims have seven days to pay before the demand escalates, and decryption is negotiated over TOR.

MITRE Techniques

  • [T1566.001] Phishing – Initial access via phishing emails and trojanized downloads. ‘Initial delivery vectors seen to date include trojanized downloads from websites hosting “cracks” and “keygens” as well as malicious attachments delivered via email.’
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement across networks via SMB/Windows Admin Shares. ‘The ransomware has the ability to move laterally via SMB and has been observed doing so in Active Directory environments.’
  • [T1135] Network Share Discovery – Lateral movement aided by network shares via NetShareEnum (+WNetOpenEnumW) API. ‘BlueSky’s ability to spread laterally across accessible networks is enabled by way of SMB (Server Message Block) and the NetShareEnum (+WNetOpenEnumW) API.’
  • [T1083] File and Directory Discovery – Drive enumeration used to locate targets. ‘Local drives are discovered and stored via GetLogicalDriveStringsW, with the ransomware traversing each drive serially.’
  • [T1082] System Information Discovery – Information about the system gathered during attack. ‘The ransomware uses NtQueryInformationProcess for process discovery before calling TerminateProcess.’
  • [T1049] System Network Connections Discovery – External connections observed to C2 domains. ‘Connections: ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid[.]onion, kmsauto[.]us.’
  • [T1486] Data Encrypted for Impact – Encryption of target data. ‘Upon infection, BlueSky uses fast encryption techniques to rapidly process files on the target and connected hosts.’

Indicators of Compromise

  • [Domain] – kmsauto[.]us, ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid[.]onion
  • [File] – l.exe, stage.ps1, start.ps1
  • [URL] – http[:]//kmsauto[.]us/alguien/l.exe, http[:]//kmsauto[.]us/alguien/potato.exe, https[:]//kmsauto[.]us/alguien/l.exe, https[:]//kmsauto[.]us/alguien/start.ps1
  • [SHA256] – 3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb, 840af927adbfdeb7070e1cf73ed195cf48c8d5f35b6de12f58b73898d7056d3d (decryptor) and 7 more hashes
  • [SHA1] – d8369cb0d8ccec95b2a49ba34aa7749b60998661, a306aa69d4ac0087c6dad1851c7f500710c829e3 (decryptor) and 7 more hashes
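As an added example (not code from the SentinelOne report), a small Python IoC matcher that refangs the domain, URL and hash indicators listed above and checks them against constructed proxy, DNS and EDR log lines; the log format and the `cdn.`/`.example.net` hosts are assumptions used to show subdomain matching and a near-miss that must not fire.

```python
import re

# IoCs exactly as published in the BlueSky summary above (still defanged).
DOMAINS = ["kmsauto[.]us",
           "ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid[.]onion"]
URLS = ["http://kmsauto[.]us/alguien/l.exe", "http[:]//kmsauto[.]us/alguien/potato.exe",
        "https[:]//kmsauto[.]us/alguien/l.exe", "https[:]//kmsauto[.]us/alguien/start.ps1"]
HASHES = ["3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb",
          "840af927adbfdeb7070e1cf73ed195cf48c8d5f35b6de12f58b73898d7056d3d"]

def refang(ioc: str) -> str:
    """Undo report defanging ([.] -> ., [:] -> :, hxxp -> http) and lower-case."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE).lower()

_DOMAINS = [refang(d) for d in DOMAINS]
_URLS = {refang(u) for u in URLS}
_HASHES = {h.lower() for h in HASHES}
_TOKEN = re.compile(r"[\w.:/\-\[\]]+")   # crude tokenizer for proxy/DNS/EDR lines

def match_line(line: str) -> list:
    """Return (type, ioc) hits for one log line; an empty list means clean."""
    hits = []
    for raw in _TOKEN.findall(line):
        tok = refang(raw)
        if tok in _HASHES:
            hits.append(("hash", tok))
        elif tok in _URLS:
            hits.append(("url", tok))
        else:  # strip scheme, path and port to compare the host part only
            host = re.sub(r"^[a-z]+://", "", tok).split("/")[0].split(":")[0]
            for d in _DOMAINS:
                # exact host or a subdomain; "kmsauto.us.example.net" must not match
                if host == d or host.endswith("." + d):
                    hits.append(("domain", d))
    return hits

def scan(lines):
    """Return [(line, hits)] for every line with at least one IoC hit."""
    return [(ln, h) for ln in lines if (h := match_line(ln))]

SAMPLE_LOGS = [  # constructed log lines, not real telemetry
    "2022-07-01T10:02:11Z proxy src=10.0.0.15 GET https://kmsauto.us/alguien/start.ps1 200",
    "2022-07-01T10:02:13Z dns src=10.0.0.15 query=cdn.kmsauto.us type=A",
    "2022-07-01T10:05:40Z edr host=WS07 file=l.exe sha256=3E035F2D7D30869CE53171EF5A0F761BFB9C14D94D9FE6DA385E20B8D96DC2FB",
    "2022-07-01T10:06:02Z proxy src=10.0.0.22 GET https://www.example.com/ 200",
    "2022-07-01T10:07:15Z dns src=10.0.0.22 query=kmsauto.us.example.net type=A",
]
```

Running `scan(SAMPLE_LOGS)` flags the first three lines and leaves the benign proxy line and the look-alike domain untouched.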

Read more: https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/