CyFlare SOC Advisory – BlueSky Ransomware
Incident Report for CyFlare
Posted Date: 8/12/2022

Source(s): Palo Alto Network Unit 42

Sector: Security Vulnerability, Ransomware

Reported by: Palo Alto Network Unit 42

Date(s) Issued:

Subject: BlueSky ransomware

OVERVIEW: Identification of an emerging ransomware family known as “BlueSky” that is speculated to be connected to the Conti ransomware group.

SYSTEMS AFFECTED: Predominantly Windows hosts

RISK: Businesses that are hit with ransomware can face several risks, including financial loss, data loss, and reputational damage.

BlueSky ransomware is an emerging family that uses multithreading to encrypt files on the host. An analysis of this ransomware shows that it may be connected to the Conti ransomware group.
The initial dropper for this ransomware is dropped by a PowerShell script from “hxxps://kmsauto[.]us/someone/start.ps1”; from there it performs local privilege escalation techniques to download the final payload. This ransomware uses a multithreaded queue for faster encryption on its host. Encryption is performed by using Curve25519 to generate a key pair, then using the hash of this key to generate a file encryption key for the ChaCha20 encryption algorithm.
As with all ransomware, once the files are encrypted a ransom note is created to demand payment to restore the encrypted files. This note is dropped in a directory where it has encrypted the files and will have the file extension “.bluesky”. However, paying the ransom in these situations is strongly discouraged: organizations like the Conti ransomware group don’t always restore files once payment is received. Companies that paid a ransom are frequently hit again and for a higher price.

Known BlueSky Artifacts:
• A user ID generated by computing an MD5 hash over the combined Volume Information, Machine GUID, Product ID and Install Date values
• HKCU\Software\\completed
• HKCU\Software\\recoveryblob
• HKCU\Software\\x25519_public
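
Added example (not part of the Unit 42 report or of CyFlare's own detections): a PowerShell check for the three registry names listed above across every loaded user hive. It assumes the names appear as values or subkeys of a per-victim key directly under Software, whose name is not reproduced in this advisory; the function name Find-BlueSkyRegistryMarker is hypothetical.

```powershell
# Added example: hunt for the BlueSky registry names listed in this advisory.
# Assumption: they sit under a per-victim key directly below <hive>\Software
# whose name is not given on the page, so every first-level subkey is checked.
function Find-BlueSkyRegistryMarker {
    [CmdletBinding()]
    param(
        # Registry provider paths of the ...\Software keys to inspect.
        [Parameter(Mandatory)] [string[]] $SoftwareRoot,
        [string[]] $Marker = @('completed', 'recoveryblob', 'x25519_public')
    )
    foreach ($root in $SoftwareRoot) {
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # The names may be stored as values or as subkeys; collect both.
            $present = @($key.GetValueNames()) + @($key.GetSubKeyNames())
            $found = @($Marker | Where-Object { $present -contains $_ })
            if ($found.Count -gt 0) {
                [pscustomobject]@{
                    Key        = $key.Name
                    Found      = $found -join ','
                    # A single generic name such as 'completed' is weak evidence;
                    # all three together is the pattern described in the advisory.
                    AllPresent = ($found.Count -eq $Marker.Count)
                }
            }
        }
    }
}

# HKCU is only an alias for the hive of the account running the script.
# Enumerating HKEY_USERS covers every user hive that is currently loaded,
# which matters when the check runs elevated or as SYSTEM from an EDR tool.
$roots = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)\Software" }

$hits = @(Find-BlueSkyRegistryMarker -SoftwareRoot $roots)
if ($hits.Count -gt 0) {
    $hits | Sort-Object AllPresent -Descending | Format-Table -AutoSize
} else {
    'No BlueSky registry markers found in the loaded user hives.'
}
```

Hives of users who are not logged on are not loaded under HKEY_USERS and are not covered by this check.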

Indicators of Compromise:
• BlueSky Ransomware Payloads


• Obfuscated PowerShell Downloader
o 08f491d46a9d05f1aebc83d724ca32c8063a2613250d50ce5b7e8ba469680605

• PowerShell Downloader (decoded)
o 969a4a55bb5cabc96ff003467bd8468b3079f5c95c5823985416c019eb8abe2f

• CVE-2020-0796 SMBGhost Privilege Escalation Exploit
o c4e47cba1c5fedf9ba522bc2d2de54a482e0ac29c98358390af6dadc0a7d65ce

• JuicyPotato
o cf64c08d97e6dfa5588c5fa016c25c4131ccc61b8deada7f9c8b2a41d8f5a32c

• CVE-2021-1732 Privilege Escalation Exploit
o 6c94a1bc67af21cedb0bffac03019dbf870649a182e58cc5960969adf4fbdd48

• URLs

• Ransom Note URLs
o http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion

• Registry Paths
o HKCU\Software\\completed
o HKCU\Software\\recoveryblob
o HKCU\Software\\x25519_public

CyFlare Actions Taken:
• Stellar Cyber – BDS: The SOC has implemented custom detections in order to detect any currently known indicators of compromise listed in this advisory.
• SentinelOne: A custom STAR query has been developed to detect any of the currently known hash values listed in the indicators of compromise.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange or OTX has been updated with ‘OTX Pulses’ or information available on related indicators observed from both vendor and community.

Developing Situation:
The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.

Reference Links:

Should you have any questions or concerns please place a ticket with the SOC using or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC
Posted Aug 12, 2022 - 09:36 EDT
This incident affects: Breach Detection Service.