{
	"id": "cb48763d-d13f-413a-a8ec-1f05eef882ec",
	"created_at": "2026-04-06T00:14:22.325221Z",
	"updated_at": "2026-04-10T13:12:25.338491Z",
	"deleted_at": null,
	"sha1_hash": "3b91a415bdef3c0319a57657b740dbab02cbf5fb",
	"title": "BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3157373,
	"plain_text": "BlueSky Ransomware | AD Lateral Movement, Evasion and Fast\r\nEncryption Put Threat on the Radar\r\nBy Jim Walter\r\nPublished: 2022-08-25 · Archived: 2026-04-05 13:02:27 UTC\r\nBlueSky ransomware is an emerging threat that researchers have been paying increasing attention to since its initial\r\ndiscovery in late June 2022. The ransomware has been observed being spread via trojanized downloads from questionable\r\nwebsites as well as in phishing emails.\r\nAlthough infections at this time remain low, the ransomware’s characteristics, described below, suggest it has been carefully\r\ndeveloped for a sustained campaign. In this post, we cover the latest intelligence on BlueSky ransomware to help security\r\nteams defend against this developing threat.\r\nEmergence of BlueSky Ransomware\r\nBlueSky was first noted on VirusTotal by researcher @Kangxiaopao in late June 2022. Subsequently, analysts from\r\nCloudSek and Unit42 have documented some of BlueSky’s behavior.\r\nAt present, BlueSky has not stood up a public data leak site and BTC wallets associated with known samples have not\r\nregistered any transactions, indicating that the threat actor’s distribution campaign is still in its infancy.\r\nInitial delivery vectors seen to date include trojanized downloads from websites hosting “cracks” and “keygens” as well as\r\nmalicious attachments delivered via email. Some observed mechanisms include delivery via third-party frameworks such as\r\nCobalt Strike and BRc4.\r\nUpon infection, BlueSky uses fast encryption techniques to rapidly process files on the target and connected hosts. The\r\nransomware has the ability to move laterally via SMB and has been observed doing so in Active Directory environments.\r\nEncrypted files will be marked with the .bluesky extension. 
Victims are instructed to contact the attackers via a TOR-based portal to obtain a decrypter.\r\nhttps://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/\r\nPage 1 of 7\n\nA multi-stage attack leading to a BlueSky infection was documented by Germán Fernández in early July.\r\nFernández tweeted details around an infection chain that, depending on the client, resembles JuicyPotato, exploiting an\r\nelevation of privilege flaw (CVE-2022-21882) in Microsoft Windows and a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block (SMB), before dropping the BlueSky ransomware.\r\nThe use of trojanized downloads was documented by CloudSEK. Trojanized downloads of BlueSky ransomware were\r\nbriefly made available via a website known to host questionable executables such as application “cracks” and “keygens”\r\n(license generators) for software products such as Windows 10.\r\nMalicious Site Hosting BlueSky Payloads\r\nOne such site was observed being hosted at kmsauto[.]us. The following list of malicious URLs was recorded as hosting\r\nBlueSky ransomware payloads. Note the redundant use of both HTTP and HTTPS.\r\nhttp[:]\r\nhttp[:]\r\nhttp[:]\r\nhttp[:]\r\nhttp[:]\r\nhttp[:]\r\nhttp[:]\r\nhttp[:]\r\nhttps[:]\r\nhttps[:]\r\nhttps[:]\r\nhttps[:]\r\nhttps[:]\r\nhttps[:]\r\nhttps[:]\r\nBlueSky Ransomware Technical Details\r\nThe first stage of a BlueSky ransomware infection involves a compressed, base64-encoded PowerShell script, start.ps1.\r\nOn execution, the script produces a further PowerShell script, stage.ps1. 
If stage.ps1 is run without administrator\r\nprivileges, it first seeks to elevate privileges through CVE-2021-1732 or CVE-2022-21882.\r\nEncrypted content of start.ps1\r\nOnce sufficient privileges are acquired, the script downloads the ransomware payload, l.exe, and writes it to disk at the\r\nfollowing file path:\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\javaw.exe.\r\nThe payload contains anti-analysis logic, including leveraging NtSetInformationThread to hide threads launched by the\r\nmalware executable.\r\nSetting ThreadInformationClass to the value of 0x11 prevents certain events from being viewed or hooked by debuggers,\r\nor from being detected by certain EDR hooking mechanisms. As noted by Unit42, BlueSky uses a multithreaded queue for\r\nfaster encryption.\r\nThe ransomware makes use of the NtQueryInformationProcess API for process discovery before calling\r\nTerminateProcess.\r\nLocal drives are discovered and stored via GetLogicalDriveStringsW, with the ransomware traversing each drive serially.\r\nBlueSky’s ability to spread laterally across accessible networks is enabled by way of SMB (Server Message Block) and the\r\nNetShareEnum (+WNetOpenEnumW) API.\r\nPayload output, NetShareEnum\r\nIn some cases, 1000ms Sleep intervals are inserted between each remote connection attempt.\r\nSleep MS count in hex\r\nPrevious researchers have noted that file targeting is inverted compared to typical ransomware behavior: rather than\r\ntargeting specific file extensions, BlueSky instead lists file types to be excluded from encryption. 
The following extensions\r\nare reportedly excluded:\r\nldf, scr, icl, 386, cmd, ani, adv, theme, msi, rtp, diagcfg, msstyles, bin, hlp, shs, drv, wpx, bat, rom, msc\r\nPost-Infection and Ransom Demands\r\nThe ransom note “# DECRYPT FILES BLUESKY #.html” is written into each folder containing encrypted items. With the\r\nexception of the victim’s ‘recover ID’, all ransom notes regardless of the target are identical. In addition, the malware drops\r\nnotes in both text and HTML format.\r\nBlueSky ransom note, .txt version\r\nBlueSky ransom note, html version\r\nAfter infection, victims are instructed to visit the BlueSky ‘DECRYPTOR’ portal and enter the unique recovery ID\r\nembedded in the ransom note. The portal displays the time limit and the increasing dollar amounts required to regain access\r\nto encrypted data.\r\nBlueSky Decryptor Portal\r\nIn the pool of samples we analyzed, victims were given seven days to pay the ransom demand, after which the ransom\r\namount doubled.\r\nDetecting and Protecting Against BlueSky Ransomware\r\nAs demonstrated in the following video, SentinelOne Singularity™ fully protects against BlueSky ransomware, preventing\r\nlateral movement across Active Directory and connected devices.\r\nConclusion\r\nBlueSky ransomware has the ability to rapidly encrypt the local host and move laterally by exploiting known vulnerabilities.\r\nBlueSky campaigns appear to be in their infancy, but the architecture of both droppers and payloads indicates that the actors\r\nhave invested significant effort and will be looking to reap the returns. 
Now is the time for security teams to get ahead by\r\nbolstering their protection and detection posture.\r\nIndicators of Compromise\r\nSHA256\r\n3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb\r\n840af927adbfdeb7070e1cf73ed195cf48c8d5f35b6de12f58b73898d7056d3d\r\ne75717be1633b5e3602827dc3b5788ff691dd325b0eddd2d0d9ddcee29de364f\r\n2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef\r\nd6386b2747335f7b0d13b1f69d995944ad8e9b71e09b036dbc0b907e583d857a\r\nc75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df\r\nc3d5248230230e33565c04019801892174a6e5d8f688d61002e369b0b9e441ff\r\nb5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec\r\ndcdba086e6d0cd3067d3998bb624be16c805b2cde76a451c0ceaf30d66ba7349 (decryptor)\r\nSHA1\r\nd8369cb0d8ccec95b2a49ba34aa7749b60998661\r\na306aa69d4ac0087c6dad1851c7f500710c829e3\r\n720714032a7a8ee72f034ddbb0578b910e6c9885\r\n1bab1913533d5748e9cda388f55c446be6b770ff\r\n71e3cc4a53a9cf4cb5e5c3998afe891cd78c09aa\r\n429237548351288fac00e0909616b1518d5487b9\r\n9fc631bdd0d05d750e343c802e132b56e5121243\r\n59e756e0da6a82a0f9046a3538d507c75eb95252\r\na9233cb65ab53a08a4cce24a134c5b9296672a32 (decryptor)\r\nConnections\r\nccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid[.]onion\r\nkmsauto[.]us\r\nMITRE ATT\u0026CK\r\nT1552.001 – Unsecured Credentials: Credentials In Files\r\nT1049 – System Network Connections Discovery\r\nT1422 – System Network Configuration Discovery\r\nT1083 – File and Directory Discovery\r\nT1012 – Query Registry\r\nT1082 – System Information Discovery\r\nT1119 – Automated Collection\r\nT1005 – Data from Local System\r\nT1486 – Data Encrypted for Impact\r\nT1135 – Network Share Discovery\r\nT1021.002 – Remote Services: SMB/Windows Admin Shares\r\nT0809 – Data Destruction\r\nSource: 
https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/"
	],
	"report_names": [
		"bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar"
	],
	"threat_actors": [],
	"ts_created_at": 1775434462,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b91a415bdef3c0319a57657b740dbab02cbf5fb.pdf",
		"text": "https://archive.orkl.eu/3b91a415bdef3c0319a57657b740dbab02cbf5fb.txt",
		"img": "https://archive.orkl.eu/3b91a415bdef3c0319a57657b740dbab02cbf5fb.jpg"
	}
}