BlueSky Ransomware Detection: Targets Windows Hosts and Leverages Multithreading for Faster Encryption

[post-views]
August 16, 2022 · 4 min read
BlueSky Ransomware Detection: Targets Windows Hosts and Leverages Multithreading for Faster Encryption

BlueSky ransomware represents a rapidly evolving malware family that involves sophisticated anti-analysis capabilities and constantly enhances its evasion techniques. BlueSky ransomware targets Windows hosts and relies on a multithreading technique for faster file encryption. Cybersecurity researchers attribute the revealed ransomware patterns to the adversary activity of the infamous Conti ransomware group, which has long been a severe threat to global organizations. Notably, the multithreaded code structure of BlueSky malicious strains bears resemblance to the third version of the Conti Gang ransomware, which applies an enhanced encryption routine based on the multithreading and advanced evasion techniques.

Detect BlueSky Ransomware

To ensure timely protection from the BlueSky ransomware strains in the organization’s environment, SOC Prime’s platform has recently released a new Sigma rule developed by our keen Threat Bounty content contributor Kyaw Pyiyt Htet (Mik0yan). Follow the link below to reach the dedicated Sigma rule available directly from SOC Prime’s Cyber Threats Search Engine, along with comprehensive contextual metadata:

Possible BlueSky Ransomware Persistence Activity By Detection of Associated Registry Keys (via Registy_Event)

This Sigma-based threat hunting query detects the associated registry keys of BlueSky ransomware. The detection is convertible to 22 SIEM, EDR, and XDR solutions supported by SOC Prime’s platform and is aligned with the MITRE ATT&CK® framework addressing the Persistence and Defense Evasion tactics along with the corresponding Boot or Logon Autostart Execution (T1547) and Modify Registry (T1112) techniques.

Using SOC Prime’s Quick Hunt module, cybersecurity practitioners can instantly search for the adversary activity associated with the BlueSky ransomware by running the above-mentioned query in their SIEM or EDR environment.

Are you a seasoned Detection Engineer eager to contribute to collaborative cyber defense? Join SOC Prime’s Threat Bounty Program, submit your own Sigma rules, get them published to our Detection as Code platform, and get recurrent rewards while making the world a safer place.

To keep abreast of rapidly evolving ransomware attacks, security teams can leverage the entire collection of relevant Sigma rules available in SOC Prime’s platform by clicking the Detect & Hunt button below. Non-registered SOC Prime users can also gain from our Cyber Threats Search Engine and explore the comprehensive contextual information related to ransomware, including MITRE ATT&CK and CTI references and more relevant metadata by clicking the Explore Threat Context button below.

Detect & Hunt Explore Threat Context

BlueSky Ransomware Analysis

In early August 2022, security experts discovered a novel ransomware family posing an increasing menace for organizations globally. Dubbed BlueSky, the new threat mainly targets Windows hosts and leverages a multithreading technique for faster data encryption. Additionally, the malware applies a variety of advanced evasion and obfuscation techniques to fly under the radar and ensure high infection rates.

According to the inquiry by CloudSEK, the attack kill chain starts with a PowerShell dropper that downloads the BlueSky payload from hxxps://kmsauto[.]us/someone/start.ps1. This fake domain registered in September 2020 impersonates an old activation tool dubbed KMSAuto Net Activator. With a high level of confidence, it is believed to be operated by threat actors of russian origin.

Notably, before dropping the final BlueSky payload, the PowerShell dropper performs local privilege escalation either with the help of the JuicyPotato tool or by exploiting CVE-2020-0796 and CVE-2021-1732 vulnerabilities. Then, the final ransomware payload lands on the victim’s host as a javaw.exe file, attempting to masquerade as a legitimate Windows application.

At the next stage of the attack, BlueSky encrypts users’ files adding the .bluesky file extension. The ransomware utilizes a multithreading approach to ensure an ultrafast encryption process. This multithread architecture shares similarities with the Conti v3 strain however, BlueSky applies different encryption algorithms. Unit42 research reveals that BlueSky ransomware leverages ChaCha20 for file encryption and Curve25519 for key, which resembles the Babuk ransomware routine. 

Also, BlueSky ransomware leverages sophisticated evasion tricks. Notably, ransomware operators encode and encrypt malicious samples, utilize multi-staged payload delivery and loading, and adopt obfuscation techniques, such as API hashing.

As ransomware attacks grow in scope and scale, security researchers require innovative tools to detect emerging threats and stay one step ahead of attackers. Join SOC Prime’s Detection as Code platform to spot the latest attacks with the world’s largest collection of Sigma rules, improve the log source and MITRE ATT&CK coverage, and actively contribute to boosting your organization’s cyber defense capabilities. Seasoned Threat Hunters and Detection Engineers are more than welcome to join Threat Bounty Program – SOC Prime’s crowdsourcing initiative, to share their detection algorithms with the cybersecurity community, contribute to collaborative cyber defense, and gain repeated payouts for their input.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts