{
	"id": "a37481a6-a936-4fc7-be30-f7afcf978838",
	"created_at": "2026-04-06T00:10:40.662896Z",
	"updated_at": "2026-04-10T13:12:45.634319Z",
	"deleted_at": null,
	"sha1_hash": "db0ec525eba1f189b1a95b552b314ab0b8453611",
	"title": "Technical Analysis of BlueSky Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 665044,
	"plain_text": "Technical Analysis of BlueSky Ransomware\r\nPublished: 2025-08-21 · Archived: 2026-04-05 23:21:01 UTC\r\nAuthor: Anandeshwar Unnikrishnan\r\nCo-author: Aastha Mittal\r\nCategory:\r\nMalware Intelligence\r\nType/Family:\r\nRansomware\r\nIndustry:\r\nMultiple\r\nRegion:\r\nGlobal\r\nWhat is BlueSky Ransomware?\r\nBlueSky Ransomware is modern malware using advanced techniques to evade security defences. It predominantly targets\r\nWindows hosts and utilizes the Windows multithreading model for fast encryption. It first emerged in late June 2022 and has\r\nbeen observed to spread via phishing emails, phishing websites, and trojanized downloads.\r\nThis deep-dive analysis of BlueSky Ransomware covers the following technical aspects:\r\nProcedure for privilege escalation\r\nPersistence\r\nEncryption mechanism\r\nEvasion techniques\r\nInitial Phase\r\nThe modules required by the ransomware are dynamically loaded, and the addresses of the functions of interest are stored in\r\nan array for later use.\r\nThe addresses of the following APIs are resolved:\r\nAPIs Stored\r\nntdll.RtlAllocateHeap kernel32.CreateFileW kernel32.SetFilePointer kernel32.CloseHandle kernel3\r\nntdll.FreeHeap kernel32.FindClose kernel32.GetFileSizeEx kernel32.SetFileAttributesW kernel3\r\nkernel32.FindFirstFileExW kernel32.ReadFile kernel32.GetQueuedCompletionStatus kernel32.MoveFileWithProgress kernel3\r\nkernel32.FindNextFileW kernel32.WriteFile kernel32.PostQueuedCompletionStatus kernel32.lstrCatW kernel3\r\nAfter loading the required libraries, the ransomware proceeds to perform the following tasks:\r\nChecks whether the running process is 32-bit via kernel32.IsWow64Process\r\nDecrypts strings\r\nAdjusts the privilege of the process to SE_DEBUG via ntdll.RtlAdjustPrivilege\r\nRetrieves the following:\r\nMachineGUID from SOFTWARE\\\\Microsoft\\\\Cryptography\r\nDigitalProductID and InstallDate from SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\r\nHides 
the main thread from the debugger by calling ntdll.ZwSetInformationThread and passing\r\nThreadHideFromDebugger (0x11) as the ThreadInformationClass\r\nThe ransomware updates the status to “Completed” after the initial phase, and the user data is then locked.\r\nLocking of user data after initial phase\r\nMutex Generation\r\nThe ransomware creates a global mutex by calling the kernel32.CreateMutexA API.\r\nMutex Creation\r\nhttps://cloudsek.com/technical-analysis-of-bluesky-ransomware/\r\nPage 1 of 9\n\nString Decoding\r\nThe ransomware decodes all of its strings at runtime. Listed below are the extensions skipped while locking, the user data\r\nextensions locked, and the directory names used for file enumeration.\r\nBlacklisted Extensions\r\nThe ransomware skips files with the following blacklisted extensions when locking.\r\nBlacklisted Extensions\r\n“ldf” “icl” “bin” “spl” “diagcab” “ini” “theme” “hta”\r\n“scr” “386” “hlp” “ps1” “ico” “icns” “rtp” “diagpkg”\r\n“icl” “cmd” “shs” “msu” “lock” “prf” “msc” “rtp”\r\n“386” “ani” “drv” “ics” “ocx” “dll” “sys” “msstyles”\r\n“cmd” “adv” “wpx” “key” “mpa” “bluesky” “mod” “cab”\r\n“ani” “theme” “bat” “msp” “cur” “nomedia” “msi” “nls”\r\n“adv” “msi” “rom” “com” “cpl” “idx” “diagcfg” “exe”\r\n“lnk”\r\nUser Data Extensions\r\nFiles with the following user data extensions are specifically targeted.\r\nUser Data Extensions\r\n“ckp” “dbs” “mrg” “qry” “wdb” “sqlite3” “dbc”\r\n“dwg” “dbt” “mwb” “sdb” “db” “sqlitedb” “mdf”\r\n“db3” “dbv” “myd” “sql” “sqlite” “db-shm” “dacpac”\r\n“dbf” “frm” “ndf” “tmd” “accdb” “db-wal”\r\nDirectory Names\r\nThe ransomware uses these directory names for file enumeration purposes.\r\nDirectory Names\r\n“$recycle.bin” “boot” “windows” “perflogs” “appdata”\r\n“program files” “windows.old” “all users” “users” “programdata”\r\n“$windows.~ws” “system volume information” “$windows.~bt” “program files (x86)”\r\nPre-Encryption\r\nCryptographic Algorithm\r\nCryptographic context is a type of additional authenticated data 
consisting of non-secret arbitrary name-value pairs. During\r\nthe initialization phase, the ransomware acquires a cryptographic context via the advapi32.CryptAcquireContext API. The\r\ncryptographic provider used by the malware is “Microsoft Enhanced Cryptographic Provider v1.0” and the encryption\r\nscheme selected is RSA.\r\nAcquiring cryptographic context\r\nRecovery Data\r\nBefore executing the encryption function, the ransomware writes the data needed for recovery of the locked files to\r\nthe registry. The following data is written:\r\nRECOVERY BLOB\r\nX25519 public key\r\nWriting data needed for recovery of locked files\r\nUpdated view of the registry\r\nRansom Note\r\nIf writing the decryption data fails, the ransomware will not execute the routine responsible for encrypting user data.\r\nAfter a successful registry operation, the ransomware generates the ransom note as the first task in the function that performs\r\nthe locking.\r\nRansom note generation\r\nThe following steps are performed:\r\nA random and unique recovery ID for the victim is generated and stored in a heap buffer.\r\nThe BlueSky ransomware creates the ransom note in “.txt” and “.html” formats.\r\nTwo blocks of 0x1000 (4096) bytes of heap memory are allocated to hold the final ransom notes.\r\nTwo temporary buffers (txt_ransom_note_buffer and html_ransom_note_buffer) are allocated to hold the encoded notes\r\nretrieved from the binary.\r\nA “%s” format string specifier is used as a placeholder for the recovery ID generated in the first step.\r\nThe function “sub_2866E0” is responsible for formatting the note by replacing the “%s” with the recovery ID value,\r\nwhich is 242 characters long.\r\nThe result is then stored in memory, to be used later by the function responsible for writing the note to the filesystem.\r\nDecoded note in the buffer\r\nProcess Termination\r\nAfter creating the ransom note, the 
ransomware enumerates the processes running on the compromised system. The\r\nntdll.ZwQuerySystemInformation API is called with 0x5 (SystemProcessInformation) as the SystemInformationClass to get the process list from\r\nthe system. The ransomware uses the list to selectively kill processes.\r\nEnumeration of processes running on the compromised system\r\nProcess Termination Task\r\nThe following steps are performed to terminate the running processes:\r\nThe ransomware analyzes the process structure to retrieve the image name and uses the\r\nshlwapi.PathRemoveExtensionW API to remove the extension (.exe) from the name.\r\nOnce the process name without its extension is retrieved, the ransomware calls sub_2869B0 to calculate the length\r\nof the process name.\r\nNext, a call is made to sub_2868C0 to convert the characters to lowercase for uniformity.\r\nFinally, a custom byte encoding is used to convert the string to a hex value.\r\nThe generated hex value is checked against an array of encoded values for the processes to be terminated.\r\nProcess names the threat actor wants to terminate\r\nIn the initial phase, the handle to “Shell_Traywnd”, obtained using user32.FindWindowA, is passed to the\r\nGetWindowThreadProcessId API in order to get the process ID of explorer.exe (explorer.exe is responsible for\r\ncreating “Shell_Traywnd”). The process ID is stored in memory.\r\nIf there is a match, the target process ID, obtained in the initial phase, is passed to sub_2910F0.\r\nThe malware checks whether the process ID belongs to its own process or to explorer.exe. After the check, a handle to the process is\r\nretrieved via the kernel32.OpenProcess API.\r\nOnly “non-critical” processes are terminated, to prevent a bug check (Blue Screen of Death). 
If the process behind the passed\r\nhandle is not critical, it is terminated via kernel32.TerminateProcess.\r\nThe function sub_2910F0\r\nThe ransomware calls ntdll.NtQueryInformationProcess with ProcessBreakOnTermination (0x1d) as the\r\nInformationClass to identify critical processes.\r\nCall to NtQueryInformationProcess Class\r\nEmpty Recycle Bin\r\nFollowing process termination, the ransomware empties the recycle bin by calling shell32.SHEmptyRecycleBinA.\r\nEmptying the recycle bin\r\nEncryption\r\nThreading Model: Windows IO Completion Ports in a Nutshell\r\nThe BlueSky ransomware performs the encryption by utilizing IO completion ports. I/O completion ports provide an\r\nefficient threading model for processing multiple asynchronous input-output (I/O) requests on a multiprocessor\r\nsystem.\r\nThreading model using the IO ports\r\nThe main thread creates the IO completion port via CreateIoCompletionPort. The created port can be associated\r\nwith many file handles. When the asynchronous IO operation on one of the file handles is completed, an IO\r\ncompletion packet is queued in FIFO order to the associated port.\r\nThe worker thread calls PostQueuedCompletionStatus to enqueue the associated data. 
In the case of\r\nransomware, the data is the absolute path of a user file waiting in the queue to be encrypted.\r\nAnother worker thread calls GetQueuedCompletionStatus to dequeue the contents from the main queue.\r\nUsually, in ransomware, this thread is responsible for performing encryption and ransom note generation.\r\nThe following section contains an in-depth description of each of the above-mentioned functions.\r\nCreateIoCompletionPort\r\nThe call to CreateIoCompletionPort involves the following steps:\r\nThe main thread retrieves the processor count from the PEB (Process Environment Block) structure.\r\nA call to CreateIoCompletionPort is made, passing the processor count as the NumberOfConcurrentThreads parameter\r\nvalue.\r\nMultiple worker threads are created by calling kernel32.CreateThread.\r\nFor each thread, an affinity mask (a bit mask indicating which processor a thread should run on) is set by calling\r\nkernel32.SetThreadAffinityMask.\r\nThe main thread performs basic drive enumeration and calls PostQueuedCompletionStatus.\r\nCalling CreateIoCompletionPort\r\nRetrieving processor count from PEB\r\nPostQueuedCompletionStatus Function\r\nThe following APIs are used for drive enumeration on the system:\r\nkernel32.GetLogicalDriveStringsW\r\nkernel32.GetDriveTypeW\r\nFurther enumeration of files is performed by creating a worker thread for PostQueuedCompletionStatus.\r\nCreation of worker thread for PostQueuedCompletionStatus\r\nThe main thread calls mpr.WNetOpenEnumW to enumerate network resources and creates, in the same way as\r\nabove, a worker thread that performs the PostQueuedCompletionStatus call.\r\nCalling mpr.WNetOpenEnumW function\r\nWorker Thread: PostQueuedCompletionStatus\r\nThe worker thread that performs the PostQueuedCompletionStatus\r\nThe newly created thread for 
PostQueuedCompletionStatus leads to the following:\r\nThe files are enumerated via kernel32.FindFirstFileExW and kernel32.FindNextFileW.\r\nIf it is a directory, the thread function is recursively called to perform the file enumeration.\r\nIf it is a user file, then the absolute path is enqueued to the completion queue via PostQueuedCompletionStatus\r\ncall.\r\nThis worker thread is responsible for gathering the files for encryption.\r\nWorker Thread: GetQueuedCompletionStatus\r\nThis worker thread is responsible for doing the actual locking of the user files. The ransomware hides this thread from the\r\ndebugger via ntdll.ZwSetInformationThread by passing ThreadHideFromDebugger as the ThreadInformationClass.\r\nCalling ntdll.ZwSetInformationThread function\r\nThe thread decodes the file extension “.bluesky” and proceeds to perform the encryption. The\r\nkernel32.GetQueuedCompletionStatus is called in an infinite loop to retrieve the absolute path of the user data.\r\nDecoding file extension “.bluesky”\r\nThe sub_288780 function is responsible for encrypting the data. The thread checks if the dequeued item is a directory or a\r\nfile.\r\nIf it is a file then it proceeds to encrypt the data by using the following APIs:\r\nkernel32.CreateFileW\r\nkernel32.SetFilePointer\r\nkernel32.ReadFile\r\nkernel32.WriteFile\r\nIf the item is a directory then sub_28EDA0 is executed to dump the ransom note. 
The file name strings are decoded\r\ndynamically.\r\nFile name strings being decoded\r\nExecution of sub_28EDA0\r\nThe note content generated by the ransomware is written to disk by calling:\r\nkernel32.CreateFileW\r\nkernel32.WriteFile\r\nRansom note being written to disk\r\nPost Encryption\r\nOnce the user data is successfully locked, the ransomware performs the following operations:\r\nReleases the mutex created in the initial phase\r\nSets the thread execution state to ES_CONTINUOUS\r\nDestroys the allocated heap\r\nExits the process via kernel32.ExitProcess\r\nPost encryption functions\r\nIndicators of Compromise (IoCs)\r\nMD5\r\n961fa85207cdc4ef86a076bbff07a409\r\n53c95a43491832f50e96327c1d23da40\r\n5ef5cf7dd67af3650824cbc49ffa9999\r\nefec04688a493077cea9786243c25656\r\nd8a44d2ed34b5fee7c8e24d998f805d9\r\n848974fba78de7f3f3a0bbec7dd502d4\r\nAppendix\r\nRansom Note in .txt format\r\nRansom Note in .html format\r\nSource: https://cloudsek.com/technical-analysis-of-bluesky-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloudsek.com/technical-analysis-of-bluesky-ransomware/"
	],
	"report_names": [
		"technical-analysis-of-bluesky-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434240,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db0ec525eba1f189b1a95b552b314ab0b8453611.pdf",
		"text": "https://archive.orkl.eu/db0ec525eba1f189b1a95b552b314ab0b8453611.txt",
		"img": "https://archive.orkl.eu/db0ec525eba1f189b1a95b552b314ab0b8453611.jpg"
	}
}