{
	"id": "bc6cc950-1287-48ef-bcf8-baa22857ba41",
	"created_at": "2026-04-06T00:11:52.540439Z",
	"updated_at": "2026-04-10T03:30:52.086267Z",
	"deleted_at": null,
	"sha1_hash": "63ad02d45888a7a5208a7f01fd129a3330dfb63a",
	"title": "BlueSky Ransomware: Fast Encryption via Multithreading",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1220997,
	"plain_text": "BlueSky Ransomware: Fast Encryption via Multithreading\r\nBy Muhammad Umer Khan, Lee Wei, Yang Ji, Wenjun Hu\r\nPublished: 2022-08-10 · Archived: 2026-04-05 13:15:05 UTC\r\nExecutive Summary\r\nBlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses.\r\nRansomware is a malicious program designed to encrypt a user’s data and demand a ransom for the decryption.\r\nBlueSky ransomware predominantly targets Windows hosts and utilizes multithreading to encrypt files on the host\r\nfor faster encryption.\r\nIn our analysis, we found code fingerprints from samples of BlueSky ransomware that can be connected to the\r\nConti ransomware group. In particular, the multithreaded architecture of BlueSky bears code similarities with\r\nConti v3, and the network search module is an exact replica of it.\r\nHowever, in another respect, BlueSky more closely resembles Babuk Ransomware. Both use ChaCha20, an\r\nalgorithm for file encryption, along with Curve25519 for key generation.\r\nAccording to research done by CloudSEK, PowerShell scripting is used to drop and download BlueSky\r\nransomware from a fake website to encrypt data. After successful encryption, BlueSky Ransomware renames the\r\nencrypted files with the file extension .bluesky and drops ransom note files named # DECRYPT FILES BLUESKY #.txt\r\nand # DECRYPT FILES BLUESKY #.html.\r\nPalo Alto Networks customers receive protections from BlueSky ransomware and other types of ransomware\r\nthrough Cortex XDR, the Next-Generation Firewall and cloud-delivered security services including WildFire. The\r\nAdvanced URL Filtering subscription provides real-time URL analysis and malware prevention for BlueSky\r\nransomware.\r\nIf you think you may have been impacted by a cyber incident, the Unit 42 Incident Response team is available\r\n24/7/365. 
You can also take preventative steps by requesting any of our cyber risk management services.\r\nInitial Dropper\r\nAs shown in Figure 1, BlueSky ransomware is initially dropped by the PowerShell script start.ps1, which is hosted\r\nat hxxps://kmsauto[.]us/someone/start.ps1. The initial dropper is Base64-encoded and then DEFLATE-compressed, which is common behavior observed among PowerShell droppers.\r\nhttps://unit42.paloaltonetworks.com/bluesky-ransomware/\r\nPage 1 of 10\n\nFigure 1. Initial dropper.\r\nAfter extracting the embedded Base64-encoded stream from start.ps1, the decoded and uncompressed data stream\r\nled to yet another PowerShell script called stage.ps1. This script contained countless irrelevant comments in an\r\nattempt to conceal malicious activity. After removing these excessive comments, we discovered that start.ps1\r\ndownloaded a number of payloads from hxxps://kmsauto[.]us/someone/ based on the user’s privileges, as shown\r\nin Figure 2.\r\nFigure 2. Initial dropper (decoded).\r\nLocal Privilege Escalation\r\nBefore downloading additional payloads to perform local privilege escalation, the PowerShell script, stage.ps1,\r\ndetermines if it is being executed as a privileged user. If so, it moves to the next step and downloads and executes\r\nthe ransomware payload. If not, it uses the following techniques to escalate local privileges, depending on the\r\nversion of the host operating system. If the version of the host operating system is earlier than Windows 10, such\r\nas Windows 7, 8 or XP, then the script will download and execute a modified version of the local privilege\r\nescalation tool called JuicyPotato. 
If the host is running Windows 10 or later, then the script will download and\r\nexecute ghost.exe and spooler.exe to exploit the local privilege escalation vulnerabilities CVE-2020-0796 and CVE-2021-1732, respectively.\r\nRansomware Payload\r\nAfter gaining additional privileges, stage.ps1 downloads the final BlueSky ransomware payload from\r\nhxxps://kmsauto[.]us/someone/l.exe and saves it locally to the filesystem as javaw.exe, attempting to masquerade\r\nas a legitimate Windows application. Eventually, the sample executes from the file path\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\javaw.exe.\r\nRansom Note\r\nBlueSky drops the ransom note as a text file named # DECRYPT FILES BLUESKY #.txt and an HTML file\r\nnamed # DECRYPT FILES BLUESKY #.html in a local directory where it has encrypted files successfully and\r\nrenamed them with the file extension .bluesky. The content of # DECRYPT FILES BLUESKY #.html is shown in\r\nFigure 3.\r\nFigure 3. BlueSky ransom note.\r\nAnti-Analysis Techniques\r\nBlueSky implements multiple anti-analysis techniques, including string encryption, API obfuscation and anti-debugging mechanisms, allowing it to obfuscate Windows API function names and use indirect calls for resolving\r\nAPIs. Additionally, BlueSky encodes API names using DJB hashing functions as shown in Figure 4, hindering\r\nmalware analysis.\r\nFigure 4. DJB hash matching.\r\nRansomware Artifacts\r\nBlueSky generates a unique user ID by computing the MD5 hash over the combined Volume Information,\r\nMachine GUID, Product ID and Install Date values, as shown in Figure 5. Furthermore, it uses the same ID for\r\ngenerating the mutex Global\\\u003c32-byte ID\u003e.\r\nFigure 5. 
Unique ID calculation.\r\nIt creates the registry key HKCU\\Software\\\u003c32-byte ID\u003e to store the registry entries completed, RECOVERY BLOB\r\nand x25519_public to fingerprint its ransomware operations. Once the encryption process is completed, the\r\nregistry entry completed is set to a value of 1. RECOVERY BLOB is a fingerprint identifier for the\r\ncompromised organization, which is encrypted with the ChaCha20 encryption algorithm. The structure of the\r\nRECOVERY BLOB is shown in Table 1.\r\nOffset  Data                          Size\r\n0x00    Curve25519 public key         0x20\r\n0x20    Cryptographic random value    0x0C\r\n0x2C    Curve25519 secret key         0x20\r\n0x4C    Unique user ID                0x10\r\n0x5C    Hardcoded RC4-decoded bytes   0x10\r\n0x6C    Unknown DWORD                 0x04\r\n0x70    Unknown DWORD                 0x04\r\n0x74    Constant value 0x1000         0x04\r\nTable 1. Recovery blob structure.\r\nThe RECOVERY BLOB is then encrypted with ChaCha20 as shown in Figure 6 and stored in HKCU\\Software\\\u003c32-byte ID\u003e\\RECOVERY.\r\nFigure 6. Recovery blob encryption.\r\nFile Encryption\r\nUnlike other ransomware, which normally carries a list of file extensions to identify files eligible for encryption,\r\nBlueSky carries a list of extensions that are excluded from the file encryption process. 
File extensions excluded from encryption:\r\nldf, scr, icl, 386, cmd, ani, adv, theme, msi, rtp, diagcfg, msstyles, bin, hlp, shs, drv, wpx, bat, rom, msc, lnk, cab,\r\nspl, ps1, msu, ics, key, msp, com, sys, diagpkg, nls, diagcab, ico, lock, ocx, mpa, cur, cpl, mod, hta, exe, ini, icns,\r\nprf, dll, bluesky, nomedia, idx\r\nDirectory names excluded from encryption:\r\n$recycle.bin, $windows.~bt, $windows.~ws, boot, windows, windows.old, system volume information, perflogs,\r\nprogramdata, program files, program files (x86), all users, appdata, tor browser\r\nFilenames excluded from encryption:\r\n# decrypt files bluesky #.txt, # decrypt files bluesky #.html, ntuser.dat, iconcache.db, ntuser.dat.log, bootsect.bak,\r\nautorun.inf, bootmgr, ntldr, thumbs.db\r\nAs shown in Figure 7, BlueSky uses a multithreaded queue for encryption. It starts multiple threads: one is\r\nresponsible for file encryption, another for enumerating files on the local file system and mounted network shares\r\nto be added to the queue. This multithreaded architecture bears code similarities with Conti (Ransomware) v3.\r\nIn particular, the network search module is an exact replica of Conti v3. However, there are certain differences in\r\nthe file encryption routine. For instance, Conti v3 uses RSA- and AES-based file encryption, whereas BlueSky\r\nutilizes Curve25519- and ChaCha20-based file encryption.\r\nFigure 7. Ransomware queues.\r\nThe file encryption of BlueSky is similar to Babuk Ransomware – both use Curve25519 to generate a public key\r\nfor the host and generate a shared key with the public key of the attacker. After generating an elliptic curve key\r\npair, BlueSky computes a hash of the shared key, and uses it to generate a file encryption key for the ChaCha20\r\nalgorithm. 
Finally, it reads the file buffer, encrypts it with ChaCha20 and replaces the contents of the original file,\r\nas shown in Figure 8.\r\nFigure 8. File encryption routine.\r\nRedLine Infostealer Association\r\nAll samples we observed related to BlueSky ransomware were hosted at an active domain named kmsauto[.]us.\r\nWhen hunting for more samples related to BlueSky ransomware, we observed that several malware samples\r\nassociated with the RedLine infostealer were hosted on the same domain. Although we did not find any code\r\noverlap between RedLine and BlueSky ransomware, similarities in the initial stages were observed, as both these\r\nfamilies use a PowerShell downloader as the initial vector.\r\nConclusion\r\nRansomware authors are adopting modern advanced techniques such as encoding and encrypting malicious\r\nsamples, or using multi-staged ransomware delivery and loading, to evade security defenses. BlueSky ransomware\r\nis capable of encrypting files on victim hosts at rapid speeds with multithreaded computation. In addition, the\r\nransomware adopts obfuscation techniques, such as API hashing, to slow down the reverse engineering process for\r\nthe analyst.\r\nIt is very likely that ransomware attacks will continue to grow with advanced encryption techniques and delivery\r\nmechanisms.\r\nPalo Alto Networks customers with Cortex XDR, the Next-Generation Firewall and Advanced URL Filtering\r\nbenefit from protections against the attacks discussed in this article. 
Additionally, the malicious indicators\r\n(domains, URLs and hashes) can be prevented with our DNS Security and WildFire services.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nIf you have cyber insurance, you can request Unit 42 by name. You can also take preventative steps by requesting\r\nany of our cyber risk management services, such as our Ransomware Readiness Assessment.\r\nIndicators of Compromise\r\nRansom Note URLs\r\nhttp://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion\r\nRegistry Paths\r\nHKCU\\Software\\\u003c32-byte hex string\u003e\\completed\r\nHKCU\\Software\\\u003c32-byte hex string\u003e\\recoveryblob\r\nHKCU\\Software\\\u003c32-byte hex string\u003e\\x25519_public\r\nMITRE TTPs\r\nAdditional Resources\r\nTracking the Operators of the Newly Emerged BlueSky Ransomware – by CloudSEK\r\nConti Ransomware Source Code – on GitHub @gharty03\r\nBabuk Ransomware v3 – by Chuong Dong\r\n2022 Unit 42 Ransomware Threat Report\r\n2022 Unit 42 Incident Response Report\r\nSource: https://unit42.paloaltonetworks.com/bluesky-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/bluesky-ransomware/"
	],
	"report_names": [
		"bluesky-ransomware"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434312,
	"ts_updated_at": 1775791852,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63ad02d45888a7a5208a7f01fd129a3330dfb63a.pdf",
		"text": "https://archive.orkl.eu/63ad02d45888a7a5208a7f01fd129a3330dfb63a.txt",
		"img": "https://archive.orkl.eu/63ad02d45888a7a5208a7f01fd129a3330dfb63a.jpg"
	}
}