Tracking the Operators of the Newly Emerged BlueSky Ransomware

CloudSEK’s contextual AI digital risk platform XVigil discovered a financially motivated ransomware group, dubbed BlueSky, speculated to be connected to the Conti ransomware group.
Published on July 14, 2022. Updated on April 19, 2023.
Category: Adversary Intelligence | Industry: Multiple | Motivation: Financial | Region: Global | Source: C2

Executive Summary

Threat
  • BlueSky ransomware is actively targeting organizations and demanding ransom in BTC.
  • Speculated to have connections with the Conti ransomware group.
Impact
  • Access to the organization’s network and infrastructure.
  • Exposed credentials could reveal business practices and IP.
Mitigation
  • Implement a strong password policy and MFA.
  • Implement security configurations on network infrastructure devices.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a financially motivated ransomware group, dubbed BlueSky, speculated to be connected to the Conti ransomware group.
  • The BlueSky ransomware encrypts the victim’s files with the .bluesky extension and drops a ransom note.
  • Multiple BTC addresses have been recorded for the ransom demanded by BlueSky suggesting that different victims are given different BTC addresses.
  • A Twitter post indicates that one of the BTC addresses has transacted around 1.59 BTC while the other one has no recorded transactions so far.

Information from OSINT

  • BlueSky ransomware sample was discovered on the open web under a filename ‘javaw.exe’ of size 71KB.
  • The ‘javaw.exe’ file was found to be dropped by another file called ‘2.ps1’, a text file of 16.84KB.
  • Further investigation reveals that 2.ps1 communicated with a fake domain impersonating KMSAuto Net Activator, the oldest activation tool.
  [Figure: Screenshot of a KMS Auto website that seems to be legitimate]
  The malicious file 2.ps1 probably communicates with the fake domain (https://kmsauto.us/someone/l.exe), which acts as its C2 server.
  • Different executables, including BlueSky ransomware, can be dropped using the path: https[:]//kmsauto[.]us/someone.
  • CloudSEK’s investigation reveals that the following malicious binaries can be executed using the path mentioned above:
    • JuicyPotato
    • CVE-2022-21882
    • CVE-2020-0796 aka SMBGhost
    • BlueSky Ransomware

Website Operator

  • Whois and DNS records provided the registered email address and contact number associated with the malicious website kmsauto[.]us, registered on 1 September 2020:
    Admin: Oxxxxxxxxx
    Admin Email: [email protected]
    Admin Phone: +xxxxxxx
  • Further research reveals that the contact number belongs to the Krasnodar region in Russia and that it is also active on WhatsApp.
  [Figure: Details associated with the contact number registered on Whois]
  • Activity analysis of the email reveals that the last edit was made in 2021, a year after the domain registration.
  [Figure: Details associated with the email address registered on Whois]
  The website operator most likely originates from Russia because:
  • They have social media mentions on VK, which is the largest Russian online media and social networking service.
  • The following pages on the website contain Russian words which loosely translate to criminal, religion, and economy.
    • https[:]//kmsauto[.]us/v-mire/
    • https[:]//kmsauto[.]us/kriminal/
    • https[:]//kmsauto[.]us/religiya/
    • https[:]//kmsauto[.]us/ekonomika/

Links with Conti Ransomware

BlueSky ransomware is speculated to have connections with the Conti ransomware because:
  • It was tagged along with the Conti ransomware on various file analyzing engines and sample sharing websites.
  • The two groups share common signature instances.
  [Figure: Screenshot of the BlueSky & Conti ransomwares tagged together]

Impact & Mitigation

Impact
  • Infiltration into the organization’s infrastructure and network.
  • Leak of crucial business practices and Intellectual Property (IP).
Mitigation
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Implement security configurations on network infrastructure devices.

Indicators of Compromise (IOCs)

Based on the results from VirusTotal and Triage, the following are the IOCs for BlueSky ransomware.
MD5: d8a44d2ed34b5fee7c8e24d998f805d9
SHA-1: d8369cb0d8ccec95b2a49ba34aa7749b60998661
SHA-256: 3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb
Ransom Note: C:\msocache\# DECRYPT FILES BLUESKY #.txt
URL: https://kmsauto.us/someone/l.exe
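As an added triage example (not CloudSEK’s code), the following Python script sweeps a directory tree for the three host-based indicators this report gives: the .bluesky extension, the ransom note matched by its filename or its banner text, and the sample’s SHA-256. The sample tree, the benign file and the three-file threshold for extension-only hits are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the IOC section and the ransom note in the appendix.
BLUESKY_SHA256 = "3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb"
RANSOM_NOTE_NAME = "# DECRYPT FILES BLUESKY #.txt"
ENCRYPTED_EXT = ".bluesky"
NOTE_BANNER = b"<<< B L U E S K Y >>>"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:  # stream so large artifacts need not fit in memory
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root: str) -> dict:
    """Walk root and bucket every file by the BlueSky indicator it matches."""
    hits = {"encrypted": [], "notes": [], "sample": []}
    for p in (q for q in Path(root).rglob("*") if q.is_file()):
        name = p.name
        if name.lower().endswith(ENCRYPTED_EXT):
            hits["encrypted"].append(str(p))
        with p.open("rb") as f:
            head = f.read(256)
        # The note may be renamed, so also match on the banner at the top of the file.
        if name == RANSOM_NOTE_NAME or NOTE_BANNER in head:
            hits["notes"].append(str(p))
        if sha256_of(p) == BLUESKY_SHA256:
            hits["sample"].append(str(p))
    return hits

def is_bluesky_infected(hits: dict, min_encrypted: int = 3) -> bool:
    """A note or the sample is a firm hit; extension-only hits need a constructed threshold."""
    return bool(hits["notes"] or hits["sample"]) or len(hits["encrypted"]) >= min_encrypted

def build_sample_tree() -> str:
    """Constructed victim-like tree for the demo; it contains no real malware."""
    root = tempfile.mkdtemp(prefix="bluesky_demo_")
    docs = Path(root, "Users", "alice", "Documents")
    docs.mkdir(parents=True)
    for i in range(3):
        (docs / f"report{i}.docx{ENCRYPTED_EXT}").write_bytes(b"\x00" * 64)
    (docs / "todo.txt").write_text("nothing suspicious here")
    Path(root, "msocache").mkdir()
    Path(root, "msocache", RANSOM_NOTE_NAME).write_bytes(NOTE_BANNER + b"\nYOUR FILES HAVE BEEN ENCRYPTED!")
    return root
```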

Appendix

[Figure: Image of BlueSky decrypter]

Ransom note left by BlueSky ransomware:

<<< B L U E S K Y >>>
YOUR IMPORTANT FILES, DOCUMENTS, PHOTOS, VIDEOS, DATABASES HAVE BEEN ENCRYPTED!
The only way to decrypt and restore your files is with our private key and program.
Any attempts to restore your files manually will damage your files.
To restore your files follow these instructions:
--------------------------------------------------------------
1. Download and install "Tor Browser" from https://torproject.org/
2. Run "Tor Browser"
3. In the tor browser open website: http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion
4. On the website enter your recovery id:
RECOVERY ID: 1cb4ef8d3f4652f6e33e870c57ddf5db5c70ca9f61eba6078cdc257ee32 1efcd830d6aa60ee7584a012ae9164852ed112adc9f1fdac2f88b8825cf341a09d608 6b83089f168c645fa748435d01718c3b8202a094aa2397 ca36ee7d7dca372b7a6b52bb60768b51610d92b8ae0ecf31504a0b3b31aa76c047
5. Follow the instructions
--------------------------------------------------------------

[Figure: DNS records for the URL: kmsauto[.]us]
[Figure: Screenshot of the fake website associated with KMS Auto that drops BlueSky ransomware]
[Figure: Whois records of the domain kmsauto[.]us]
[Figure: Image of different paths on the malicious website]
