Author: Anandeshwar Unnikrishnan
Co-author: Aastha Mittal
Category: Malware Intelligence
Type/Family: Ransomware
Industry: Multiple
Region: Global
BlueSky Ransomware is a modern malware using advanced techniques to evade security defences. It predominantly targets Windows hosts and utilizes the Windows multithreading model for fast encryption. It first emerged in late June 2022 and has been observed to spread via phishing emails, phishing websites, and trojanized downloads.
This deep-dive analysis of BlueSky Ransomware covers the following technical aspects:
| APIs stored | | | | | |
|---|---|---|---|---|---|
| ntdll.RtlAllocateHeap | kernel32.CreateFileW | kernel32.SetFilePointer | kernel32.CloseHandle | kernel32.lstrcmpW | advapi32.CryptGenRandom |
| ntdll.FreeHeap | kernel32.FindClose | kernel32.GetFileSizeEx | kernel32.SetFileAttributesW | kernel32.OpenProcess | shlwapi.PathCombineW |
| kernel32.FindFirstFileExW | kernel32.ReadFile | kernel32.GetQueuedCompletionStatus | kernel32.MoveFileWithProgress | kernel32.TerminateProcess | shlwapi.PathRemoveExtensionW |
| kernel32.FindNextFileW | kernel32.WriteFile | kernel32.PostQueuedCompletionStatus | kernel32.lstrCatW | kernel32.WaitForSingleObject | |
The ransomware creates a global mutex by calling kernel32.CreateMutexA API.
The ransomware decodes all of its strings at runtime. Listed below are the file extensions it skips while locking, the user-data extensions it specifically targets, and the directory names it matches during file enumeration.
Files with the following blacklisted extensions are left untouched by the locking routine.
| Blacklisted extensions | | | | | | | |
|---|---|---|---|---|---|---|---|
| ldf | icl | bin | spl | diagcab | ini | theme | hta |
| scr | 386 | hlp | ps1 | ico | icns | rtp | diagpkg |
| icl | cmd | shs | msu | lock | prf | msc | rtp |
| 386 | ani | drv | ics | ocx | dll | sys | msstyles |
| cmd | adv | wpx | key | mpa | bluesky | mod | cab |
| ani | theme | bat | msp | cur | nomedia | msi | nls |
| adv | msi | rom | com | cpl | idx | diagcfg | exe |
| lnk | | | | | | | |
The files with the following user data extensions are specifically targeted.
| User-data extensions | | | | | | |
|---|---|---|---|---|---|---|
| ckp | dbs | mrg | qry | wdb | sqlite3 | dbc |
| dwg | dbt | mwb | sdb | db | sqlitedb | mdf |
| db3 | dbv | myd | sql | sqlite | db-shm | dacpac |
| dbf | frm | ndf | tmd | accdb | db-wal | |
The ransomware matches the following directory names during file enumeration.
| Directory names | | | | |
|---|---|---|---|---|
| $recycle.bin | boot | windows | perflogs | appdata |
| program files | windows.old | all users | users | programdata |
| $windows.~ws | system volume information | $windows.~bt | program files (x86) | |
In the Windows CryptoAPI, a cryptographic context is a handle to a key container inside a cryptographic service provider (CSP); it is not secret data itself, but every subsequent key-generation and random-number call is issued against it. During the initialization phase the ransomware acquires its context by calling advapi32.CryptAcquireContext, selecting the "Microsoft Enhanced Cryptographic Provider v1.0" CSP with the RSA provider type (PROV_RSA_FULL).
Before the execution of the encryption function, the ransomware writes data needed for the recovery of the locked files in the registry. The following data is written:
If writing the decryption data fails, the ransomware will not execute the routine responsible for the encryption of user data. After a successful registry operation, the ransomware generates a ransom note as the initial task in the function that performs the locking.
The following steps are performed:
After creating the ransom note, the ransomware enumerates the processes running on the compromised system. It calls ntdll.ZwQuerySystemInformation with SystemProcessInformation (0x5) as the SystemInformationClass to obtain the list of running processes, which it then uses to selectively kill processes.
The following steps are performed to terminate the running processes:
Following the process termination, the ransomware empties the recycle bin by calling shell32.SHEmptyRecycleBinA.
The call to kernel32.CreateIoCompletionPort involves the following steps:
The following APIs are used for drive enumeration on the system:
Further enumeration of files is delegated to a worker thread that issues the PostQueuedCompletionStatus calls.
The main thread calls mpr.WNetOpenEnumW to enumerate network resources and creates a second worker thread of the same kind, which likewise performs the PostQueuedCompletionStatus call.
The newly created thread for PostQueuedCompletionStatus leads to the following:
This worker thread performs the actual locking of the user files. The ransomware hides the thread from debuggers via ntdll.ZwSetInformationThread, passing ThreadHideFromDebugger (0x11) as the ThreadInformationClass; once that flag is set, a debugger no longer receives breakpoint, exception or single-step events from the thread, so breakpoints placed in the encryption routine silently stop firing.
The thread decodes the file extension ".bluesky" and proceeds to perform the encryption. kernel32.GetQueuedCompletionStatus is called in an infinite loop to retrieve the absolute path of the next queued item.
The sub_288780 function is responsible for encrypting the data. The thread checks if the dequeued item is a directory or a file.
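The producer/consumer design described in the last few paragraphs (one thread posts paths to the completion port, worker threads dequeue them, tell directories from files, and apply the extension lists from the tables above) is easy to misread from a static listing, so here is a lab reconstruction of it. This is added example code, not BlueSky's own code: a `queue.Queue` stands in for the I/O completion port, `put`/`get` stand in for PostQueuedCompletionStatus/GetQueuedCompletionStatus, nothing is encrypted (files are only classified), and it assumes the directory names in the table are exclusions the worker does not descend into, which the page lists without stating. The sample tree it walks is constructed in the script.

```python
"""Lab reconstruction (added example, not BlueSky code) of the ransomware's
file selection and IOCP-style enumeration. queue.Queue plays the completion
port, worker threads play the GetQueuedCompletionStatus loop, and files are
classified rather than encrypted."""
import os
import queue
import tempfile
import threading

# Extensions left untouched (blacklist table above). "bluesky" being listed
# is what stops an already-locked file from being processed twice.
SKIP_EXTENSIONS = {
    "ldf", "icl", "bin", "spl", "diagcab", "ini", "theme", "hta", "scr", "386",
    "hlp", "ps1", "ico", "icns", "rtp", "diagpkg", "cmd", "shs", "msu", "lock",
    "prf", "msc", "ani", "drv", "ics", "ocx", "dll", "sys", "msstyles", "adv",
    "wpx", "key", "mpa", "bluesky", "mod", "cab", "bat", "msp", "cur",
    "nomedia", "msi", "nls", "rom", "com", "cpl", "idx", "diagcfg", "exe", "lnk",
}
# Database / user-data extensions singled out by the malware (table above).
USER_DATA_EXTENSIONS = {
    "ckp", "dbs", "mrg", "qry", "wdb", "sqlite3", "dbc", "dwg", "dbt", "mwb",
    "sdb", "db", "sqlitedb", "mdf", "db3", "dbv", "myd", "sql", "sqlite",
    "db-shm", "dacpac", "dbf", "frm", "ndf", "tmd", "accdb", "db-wal",
}
# Directory names from the page. ASSUMPTION: treated here as exclusions.
SKIP_DIRECTORIES = {
    "$recycle.bin", "boot", "windows", "perflogs", "appdata", "program files",
    "windows.old", "all users", "users", "programdata", "$windows.~ws",
    "system volume information", "$windows.~bt", "program files (x86)",
}


def classify(path):
    """Return 'skip', 'user_data' or 'other' for a file name, case-insensitively."""
    name = os.path.basename(path).lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in SKIP_EXTENSIONS:
        return "skip"
    if ext in USER_DATA_EXTENSIONS:
        return "user_data"
    return "other"


def worker(port, root, results, lock):
    """Dequeue loop: a directory is enumerated and its children are posted
    back to the port; a file is classified. None is the shutdown sentinel."""
    while True:
        item = port.get()                      # GetQueuedCompletionStatus
        if item is None:
            port.task_done()
            return
        try:
            if os.path.isdir(item):            # FindFirstFileExW / FindNextFileW
                with os.scandir(item) as entries:
                    for e in entries:
                        if e.is_dir(follow_symlinks=False):
                            if e.name.lower() not in SKIP_DIRECTORIES:
                                port.put(e.path)   # PostQueuedCompletionStatus
                        elif e.is_file(follow_symlinks=False):
                            port.put(e.path)
            else:
                rel = os.path.relpath(item, root).replace(os.sep, "/")
                with lock:
                    results[classify(item)].append(rel)
        finally:
            port.task_done()


def simulate(root, num_workers=4):
    """Seed the port with root, run the workers to exhaustion and return the
    files grouped by verdict as sorted, root-relative paths."""
    port = queue.Queue()
    results = {"skip": [], "user_data": [], "other": []}
    lock = threading.Lock()
    threads = [threading.Thread(target=worker, args=(port, root, results, lock))
               for _ in range(num_workers)]
    for t in threads:
        t.start()
    port.put(root)
    port.join()            # every posted item, including re-posted children, done
    for _ in threads:
        port.put(None)
    for t in threads:
        t.join()
    return {k: sorted(v) for k, v in results.items()}


def build_sample_tree():
    """Constructed sample tree (not from any real infection) for a dry run."""
    root = tempfile.mkdtemp(prefix="bluesky_sim_")
    for rel in [
        "docs/report.docx",                    # ordinary user file
        "docs/old.pdf.bluesky",                # already locked: skipped
        "data/customers.sqlite",               # user-data extension
        "data/inventory.MDF",                  # match is case-insensitive
        "bin/tool.exe",                        # blacklisted extension
        "Windows/System32/kernel32.dll",       # inside an excluded directory
        "Program Files (x86)/app/config.ini",  # inside an excluded directory
    ]:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    for verdict, paths in simulate(build_sample_tree()).items():
        print(f"{verdict:9s} {paths}")
```

Because every child is posted before the parent's `task_done()`, `port.join()` cannot return while work is still outstanding, which is the same termination problem a real IOCP consumer has to solve; point `simulate()` at a copy of a file share to see which files a BlueSky-style run would reach.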
The note content generated by the ransomware is written on the disk by calling:
Once the user data is successfully locked, the ransomware performs the following operations:
| MD5 |
|---|
| 961fa85207cdc4ef86a076bbff07a409 |
| 53c95a43491832f50e96327c1d23da40 |
| 5ef5cf7dd67af3650824cbc49ffa9999 |
| efec04688a493077cea9786243c25656 |
| d8a44d2ed34b5fee7c8e24d998f805d9 |
| 848974fba78de7f3f3a0bbec7dd502d4 |