# BlueSky Ransomware: Fast Encryption via Multithreading **unit42.paloaltonetworks.com/bluesky-ransomware/** Muhammad Umer Khan, Lee Wei, Yang Ji, Wenjun Hu August 10, 2022 By [Muhammad Umer Khan,](https://unit42.paloaltonetworks.com/author/muhammad-umer-khan/) [Lee Wei,](https://unit42.paloaltonetworks.com/author/lee-wei/) [Yang Ji and](https://unit42.paloaltonetworks.com/author/yang-ji/) [Wenjun Hu](https://unit42.paloaltonetworks.com/author/wenjun-hu/) August 10, 2022 at 12:00 PM [Category: Malware,](https://unit42.paloaltonetworks.com/category/malware-2/) [Ransomware](https://unit42.paloaltonetworks.com/category/ransomware/) Tags: [babuk,](https://unit42.paloaltonetworks.com/tag/babuk/) [BlueSky Ransomware,](https://unit42.paloaltonetworks.com/tag/bluesky-ransomware/) [Cloud-Delivered Security Services,](https://unit42.paloaltonetworks.com/tag/cloud-delivered-security-services/) [conti ransomware,](https://unit42.paloaltonetworks.com/tag/conti-ransomware/) Cortex XDR, [Investigation and Response,](https://unit42.paloaltonetworks.com/tag/investigation-and-response/) [next-generation firewall,](https://unit42.paloaltonetworks.com/tag/next-generation-firewall/) [Powershell,](https://unit42.paloaltonetworks.com/tag/powershell/) [RedLine infostealer,](https://unit42.paloaltonetworks.com/tag/redline-infostealer/) [threat intelligence,](https://unit42.paloaltonetworks.com/tag/threat-intelligence/) [URL filtering,](https://unit42.paloaltonetworks.com/tag/url-filtering/) [WildFire](https://unit42.paloaltonetworks.com/tag/wildfire/) This post is also available in: 日本語 [(Japanese)](https://unit42.paloaltonetworks.jp/bluesky-ransomware/) ## Executive Summary BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses. Ransomware is a malicious program designed to encrypt a user’s data and demand a ransom for the decryption. BlueSky ransomware predominantly targets Windows hosts and utilizes multithreading to encrypt files on the host for faster encryption. In our analysis, we found code fingerprints from samples of BlueSky ransomware that can be connected to the [Conti ransomware group. In particular, the multithreaded architecture of BlueSky](https://unit42.paloaltonetworks.com/conti-ransomware-gang/) bears code similarities with Conti v3 and the network search module is an exact replica of it ----- [However, in another respect, BlueSky more closely resembles Babuk Ransomware. Both use](https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/) [ChaCha20, an algorithm for file encryption, along with Curve25519 for key generation.](https://en.wikipedia.org/wiki/ChaCha20-Poly1305) [According to research done by CloudSEK, PowerShell scripting is used to drop and download](https://cloudsek.com/threatintelligence/tracking-the-operators-of-the-newly-emerged-bluesky-ransomware/) BlueSky ransomware from a fake website to encrypt data. After successful encryption, BlueSky Ransomware renames the encrypted files with the file extension .bluesky and drops a ransom note file named # DECRYPT FILES BLUESKY #.txt and # DECRYPT FILES BLUESKY #.html. Palo Alto Networks customers receive protections from BlueSky ransomware and other types of [ransomware through Cortex XDR, the](https://www.paloaltonetworks.com/cortex/cortex-xdr) [Next-Generation Firewall and](https://www.paloaltonetworks.com/network-security/next-generation-firewall) cloud-delivered security [services including WildFire. The](https://www.paloaltonetworks.com/network-security/next-generation-firewall) [Advanced URL Filtering subscription provides real-time URL](https://www.paloaltonetworks.com/network-security/advanced-url-filtering) analysis and malware prevention for BlueSky ransomware. [If you think you may have been impacted by a cyber incident, the Unit 42 Incident Response team](https://www.paloaltonetworks.com/unit42/respond/incident-response) is available 24/7/365. You can also take preventative steps by requesting any of our cyber risk management services. Related Unit 42 Topics [Ransomware,](https://unit42.paloaltonetworks.com/category/ransomware/) [Conti Ransomware](https://unit42.paloaltonetworks.com/tag/conti-ransomware/) ## Table of Contents Initial Dropper Local Privilege Escalation Ransomware Payload Ransom Note Anti-Analysis Techniques Ransomware Artifacts File Encryption RedLine Infostealer Association Conclusion Indicators of Compromise MITRE TTPs Additional Resources ## Initial Dropper As shown in Figure 1, BlueSky ransomware is initially dropped by the PowerShell script start.ps1, which is hosted at hxxps://kmsauto[.]us/someone/start.ps1. The initial dropper is Base64-encoded and then DEFLATE-compressed, which is common behavior observed among PowerShell droppers. ----- Figure 1. Initial dropper. After extracting the embedded Base64-encoded stream from start.ps1, the decoded and uncompressed data stream led to yet another PowerShell script called stage.ps1. This script contained countless irrelevant comments in an attempt to conceal malicious activity. After removing these excessive comments, we discovered that start.ps1 downloaded a number of payloads from hxxps://kmsauto[.]us/someone/ based on the user’s privileges, as shown in Figure 2. ----- Figure 2. Initial dropper (decoded). ## Local Privilege Escalation Before downloading additional payloads to perform local privilege escalation, the PowerShell script, stage.ps1, determines if it is being executed as a privileged user. If so, it moves to the next step and downloads and executes the ransomware payload. If not, it uses the following techniques to escalate local privileges, depending on the version of the host operating system. If the version of the host operating system is earlier than Windows 10, such as Windows 7, 8 or XP, then the script will download and execute a modified version of the local privilege escalation tool called [JuicyPotato. If the host is running Windows 10 or later, then the script will download and execute](https://github.com/ohpe/juicy-potato) [ghost.exe and spooler.exe to exploit local privilege escalation vulnerabilities CVE-2020-0796 and](https://nvd.nist.gov/vuln/detail/cve-2020-0796) [CVE-2021-1732 respectively.](https://nvd.nist.gov/vuln/detail/CVE-2021-1732) ## Ransomware Payload After gaining additional privileges, stage.ps1 downloads the final BlueSky ransomware payload from hxxps://kmsauto[.]us/someone/l.exe and saves it locally to the filesystem as javaw.exe, attempting to masquerade as a legitimate Windows application. Eventually, the sample executes from the file path %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\javaw.exe. ----- ## Ransom Note BlueSky drops the ransom note as a text file named # DECRYPT FILES BLUESKY #.txt and an HTML file named # DECRYPT FILES BLUESKY #.html in a local directory where it has encrypted files successfully and renamed them with the file extension .bluesky. The content of # DECRYPT FILES BLUESKY #.html is shown in Figure 3. Figure 3. BlueSky ransom note. ## Anti-Analysis Techniques BlueSky implements multiple anti-analysis techniques, including string encryption, API obfuscation and anti-debugging mechanisms, allowing it to obfuscate Windows API function names and use indirect calls for resolving APIs. Additionally, BlueSky encodes API names using DJB hashing functions as shown in Figure 4, hindering malware analysis. ----- Figure 4. DJB hash matching. ## Ransomware Artifacts BlueSky generates a unique user ID by computing the MD5 hash over the combined Volume Information, Machine GUID, Product ID and Install Date values, as shown in Figure 5. Furthermore, it uses the same ID for generating the mutex Global\<32-byte ID>. ----- Figure 5. Unique ID calculation. It creates the registry key HKCU\Software\<32-byte ID> to store registry entries completed, RECOVERY BLOB and x25519_public to fingerprint its ransomware operations. Once the encryption process is completed, the registry entry completed is set with a value of 1. RECOVERY BLOB is a fingerprint identifier for the compromised organization, which is encrypted by the ChaCha20 encryption algorithm. The structure of the RECOVERY BLOB is shown in Table 1. **Offset** **Data** **Size** 0x00 Curve25519 public key 0x20 0x20 Cryptographic random value 0x0C 0x2C Curve25519 secret key 0x20 0x4C Unique user ID 0x10 0x5C Hardcoded RC4-decoded bytes 0x10 0x6C Unknown DWORD 0x04 ----- **Offset** **Data** **Size** 0x70 Unknown DWORD 0x04 0x74 Constant value 0x1000 0x04 _Table 1. Recovery blob structure._ The RECOVERY BLOB is then encrypted with ChaCha20 as shown in Figure 6 and stored in HKCU\Software\<32-byte ID>\RECOVERY. Figure 6. Recovery blob encryption. ## File Encryption Unlike other ransomware, which normally contains a list of file extensions to identify eligible files for encryption, BlueSky consists of a list of extensions that are negated in the file encryption process. The file extensions used in BlueSky are listed below: ldf, scr, icl, 386, cmd, ani, adv, theme, msi, rtp, diagcfg, msstyles, bin, hlp, shs, drv, wpx, bat, rom, msc, lnk, cab, spl, ps1, msu, ics, key, msp, com, sys, diagpkg, nls, diagcab, ico, lock, ocx, mpa, cur, cpl, mod, hta, exe, ini, icns, prf, dll, bluesky, nomedia, idx Directory names excluded from encryption: $recycle.bin, $windows.~bt, $windows.~ws, boot, windows, windows.old, system volume information, perflogs, programdata, program files, program files (x86), all users, appdata, tor browser Filenames excluded from encryption: # decrypt files bluesky #.txt, # decrypt files bluesky #.html, ntuser.dat, iconcache.db, ntuser.dat.log, bootsect.bak, autorun.inf, bootmgr, ntldr, thumbs.db As shown in Figure 7, BlueSky uses a multithreaded queue for encryption. It starts multiple threads – one responsible for file encryption, another for enumerating files on the local file system and mounted network shares to be added into the queue. This multithreaded architecture bears code similarities with Conti (Ransomware) v3. In particular, the network search module is an exact replica ----- of Conti v3. However, there are certain differences in the file encryption routine. For instance, Conti v3 uses RSA- and AES-based file encryption, whereas BlueSky utilizes Curve25519- and ChaCha20-based file encryption. Figure 7. Ransomware queues. [The file encryption of BlueSky is similar to Babuk Ransomware – both use Curve25519 to generate](https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/) a public key for the host and generate a shared key with the public key of the attacker. After generating an elliptic curve key pair, BlueSky computes a hash of the shared key, and uses it to generate a file encryption key for the ChaCha20 algorithm. Finally, it reads the file buffer, encrypts it with ChaCha20 and replaces the contents of the original file, as shown in Figure 8. Figure 8. File encryption routine. ## RedLine Infostealer Association ----- All samples we observed related to BlueSky ransomware were hosted at an active domain named kmsauto[.]us. When hunting for more samples related to BlueSky ransomware, we observed that several malware samples associated with the RedLine infostealer were hosted on the same domain. Although we did not find any code overlap between RedLine and BlueSky ransomware, similarities in the initial stages were observed, as both these families use a PowerShell downloader as the initial vector. ## Conclusion Ransomware authors are adopting modern advanced techniques such as encoding and encrypting malicious samples, or using multi-staged ransomware delivery and loading, to evade security defenses. BlueSky ransomware is capable of encrypting files on victim hosts at rapid speeds with multithreaded computation. In addition, the ransomware adopts obfuscation techniques, such as API hashing, to slow down the reverse engineering process for the analyst. It is very likely that ransomware attacks will continue to grow with advanced encryption techniques and delivery mechanisms. [Palo Alto Networks customers with Cortex XDR, the](https://www.paloaltonetworks.com/cortex/cortex-xdr) [Next-Generation Firewall and](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Advanced URL Filtering benefit from protections against the attacks discussed in this article. Additionally, the [malicious indicators (domains, URLs and hashes) can be prevented with our DNS Security and](https://www.paloaltonetworks.com/products/threat-detection-and-prevention/dns-security) [WildFire services.](https://www.paloaltonetworks.com/products/secure-the-network/wildfire) If you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or call: North America Toll-Free: 866.486.4842 (866.4.UNIT42) EMEA: +31.20.299.3130 APAC: +65.6983.8730 Japan: +81.50.1790.0200 If you have cyber insurance, you can request Unit 42 by name. You can also take preventative [steps by requesting any of our cyber risk management services, such as our](https://www.paloaltonetworks.com/unit42/assess) Ransomware Readiness Assessment. ## Indicators of Compromise **SHA256 Hashes** **Description** 2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef 3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb 840af927adbfdeb7070e1cf73ed195cf48c8d5f35b6de12f58b73898d7056d3d b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df e75717be1633b5e3602827dc3b5788ff691dd325b0eddd2d0d9ddcee29de364f BlueSky Ransomware Payloads ----- 08f491d46a9d05f1aebc83d724ca32c8063a2613250d50ce5b7e8ba469680605 Obfuscated PowerShell Downloader 969a4a55bb5cabc96ff003467bd8468b3079f5c95c5823985416c019eb8abe2f PowerShell Downloader (decoded) c4e47cba1c5fedf9ba522bc2d2de54a482e0ac29c98358390af6dadc0a7d65ce CVE-20200796 SMBGhost Privilege Escalation Exploit cf64c08d97e6dfa5588c5fa016c25c4131ccc61b8deada7f9c8b2a41d8f5a32c JuicyPotato 6c94a1bc67af21cedb0bffac03019dbf870649a182e58cc5960969adf4fbdd48 CVE-20211732 Privilege Escalation Exploit _RedLine_ 58db85f0c86640b4c3a2584e9ef5696c526190faf87eaa19085737685bc9e7f5 9ca0e858ff6f163a128fb699d2b801b6b13a2eb1d6cd995302effa5f587cd8d8 aecfc82fa44790e0533f0bece0a1ab0860b163838646aa0c019187a37326d477 be3e665d389e8b85ceda1e2fc80a41a247de27d1d0b13ee0c2574c1e36ebc6d4 4d696c106f568b99308565172116933c0e26ce2e9ace003a110e8bde0216ddab aa7ff8badcffdff66df6d30bde51b6e3c960be0a3719b73d3875af8e1173bd94 0dfe7a93ff40834c072c7fdd9381771b1086b67f545fa83c766b2d67a911e47b 1a30e0d65a8a09abc3feb1c86a0619845fc6ab9bdba3ae8800ecec55a647910e 624f129189a05897c176e9feb519521c1b6ef528b0b52e1a7a3290e5a2313a6b fe2e5df2fae90fb90b56e4ea268e8ca68f46dc3365c22b840d865193a48be189 URLs hxxps://kmsauto[.]us/someone/l.exe hxxps://kmsauto[.]us/app1.bin hxxps://kmsauto[.]us/server.txt hxxps://kmsauto[.]us/encoding.txt hxxps://kmsauto[.]us/all.txt hxxps://kmsauto[.]us/someone/spooler.exe hxxps://kmsauto[.]us/sti/sti.bin hxxps://kmsauto[.]us/someone/potato.exe hxxps://kmsauto[.]us/someone/ghost.exe hxxps://kmsauto[.]us/someone/start.ps1 PowerShell Downloader MSIL Downloader Payloads ----- Ransom Note URLs http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion Registry Paths HKCU\Software\<32-byte hex string>\completed HKCU\Software\<32-byte hex string>\recoveryblob HKCU\Software\<32-byte hex string>\x25519_public ## MITRE TTPs **ID** **Technique** **Description** [T1486](https://attack.mitre.org/techniques/T1486) Data Encrypted for Impact [T1140](https://attack.mitre.org/techniques/T1140) Deobfuscate/Decode Files or Information [T1083](https://attack.mitre.org/techniques/T1083) File and Directory Discovery BlueSky can use CreateIoCompletionPort(), PostQueuedCompletionStatus() and GetQueuedCompletionPort() to rapidly encrypt files. BlueSky downloader base64-decodes and decompresses data to unpack the next stage payload. BlueSky ransomware payload encrypts ransom note with rc4based encryption, and it uses a custom encryption scheme to encrypt embedded strings. BlueSky can discover files on a local system. [T1106](https://attack.mitre.org/techniques/T1106) [Native API](https://attack.mitre.org/techniques/T1106) BlueSky has used API calls during execution. [T1135](https://attack.mitre.org/techniques/T1135) Network Share Discovery [T1027](https://attack.mitre.org/techniques/T1027) Obfuscated Files or Information ## Additional Resources BlueSky can enumerate remote open SMB network shares using NetShareEnum(). BlueSky can use API obfuscation to protect its functionality from analysis. [Tracking the Operators of the Newly Emerged BlueSky Ransomware – by](https://cloudsek.com/threatintelligence/tracking-the-operators-of-the-newly-emerged-bluesky-ransomware/) [CloudSEK](https://cloudsek.com/) [Conti Ransomware Source Code – on GitHub @gharty03](https://github.com/gharty03/Conti-Ransomware) [Babuk Ransomware v3 – by](https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3) [Chuong Dong](https://chuongdong.com/) [2022 Unit 42 Ransomware Threat Report](https://start.paloaltonetworks.com/unit-42-ransomware-threat-report.html) [2022 Unit 42 Incident Response Report](https://start.paloaltonetworks.com/2022-unit42-incident-response-report) **Get updates from** **Palo Alto** **Networks!** Sign up to receive the latest news, cyber threat intelligence and research from us ----- [By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.](https://www.paloaltonetworks.com/legal-notices/terms-of-use) -----