Tracking the Operators of the Newly Emerged BlueSky Ransomware

Originally published at: https://cloudsek.com/threatintelligence/tracking-the-operators-of-the-newly-emerged-bluesky-ransomware/

 

Category:

Adversary Intelligence

Industry:

Multiple

Motivation:

Financial

Region:

Global

Source:

C2

Executive Summary

THREAT IMPACT MITIGATION
  • BlueSky ransomware actively targeting organizations and demanding ransom in BTC.
  • Speculated to have connections with Conti ransomware group.
  • Access to the organization’s network and infrastructure.
  • Exposed credentials could reveal business practices and IP.
  • Implement strong password policy and MFA.
  • Implement security configurations on network infrastructure devices.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a financially motivated ransomware group, dubbed BlueSky, speculated to be connected to the Conti ransomware group.
  • The Bluesky ransomware encrypts the victim’s files with.blueskyextension and drops a ransom note.
  • Multiple BTC addresses have been recorded for the ransom demanded by BlueSky suggesting that different victims are given different BTC addresses.
  • A Twitter post indicates that one of the BTC addresses has transacted around 1.59 BTC while the other one has no recorded transactions so far.

Information from OSINT

  • BlueSky ransomware sample was discovered on the open web under a filename ‘javaw.exe’ of size 71KB.
  • The ‘javaw.exe’ file was found to be dropped by another file called ‘2.ps1’, a text file of 16.84KB.
  • Further investigation reveals that 2.ps1 communicated with a fake domain impersonating KMSAuto Net Activator, the oldest activation tool.

 

Screenshot of a KMS Auto website that seems to be legitimate

The malicious file 2.ps1 probably communicates as a C2 server with the fake domain (https://kmsauto.us/someone/l.exe).

  • Different executables, including BlueSky ransomware, can be dropped using the path: https[:]//kmsauto[.]us/someone.
  • CloudSEK’s investigation reveals that the following malicious binaries can be executed using the path mentioned above:
    • JuicyPotato
    • CVE-2022-21882
    • CVE-2020-0796 aka SMBGhost
    • BlueSky Ransomware

Website Operator

  • Whois and DNS records provided the registered email address and contact number associated with the malicious website kmsauto[.]us, registered on 1 September 2020.
Admin Oxxxxxxxxx
Admin Email xxxxxxxxx@gmail.com
Admin Phone +xxxxxxx
  • Further research reveals that the contact number belongs to the Krasnodar region in Russia and it is also active on WhatsApp.
Details associated with the contact number registered on Whois

 

  • Activity analysis of the email reveals that the last edit was made in 2021, a year after the domain registration.
Details associated with the email address registered on Whois

 

The website operator most likely originates from Russia because:

  • They have social media mentions on VK which is the largest Russian line media and social networking service.
  • The following pages on the website contain Russian words which loosely translate to criminal, religion, and economy.
    • https[:]//kmsauto[.]us/v-mire/
    • https[:]//kmsauto[.]us/kriminal/
    • https[:]//kmsauto[.]us/religiya/
    • https[:]//kmsauto[.]us/ekonomika/

Links with Conti Ransomware

BlueSky ransomware is speculated to have connections with the Conti ransomware because:

  • It was tagged along with the Conti ransomware on various file analyzing engines and sample sharing websites.
  • Ṭhe two groups share common signature instances.
Screenshot of the BlueSky & Conti ransomwares tagged together

 

Impact & Mitigation

Impact Mitigation
  • Infiltration into the organization’s infrastructure and network.
  • Leak of crucial business practices and Intellectual Property (IP).
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Implement security configurations on network infrastructure devices.

Indicators of Compromise (IOCs)

Based on the results from VirusTotal and Triage, following are the IOCs for BlueSky ransomware.

MD5
d8a44d2ed34b5fee7c8e24d998f805d9
SHA-1
d8369cb0d8ccec95b2a49ba34aa7749b60998661
SHA-256
3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb
Ransom Note
C:\msocache\# DECRYPT FILES BLUESKY #.txt
IPv4
https://kmsauto.us/someone/l.exe

References

Appendix

Image of Bluesky decrypter

 

<<< B L U E S K Y >>>

YOUR IMPORTANT FILES, DOCUMENTS, PHOTOS, VIDEOS, DATABASES HAVE BEEN ENCRYPTED!

The only way to decrypt and restore your files is with our private key and program.

Any attempts to restore your files manually will damage your files.

To restore your files follow these instructions:

————————————————————–

1. Download and install “Tor Browser” from https://torproject.org/

2. Run “Tor Browser”

3. In the tor browser open website:

http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion

4. On the website enter your recovery id:

RECOVERY ID: 1cb4ef8d3f4652f6e33e870c57ddf5db5c70ca9f61eba6078cdc257ee321efcd830d6aa60ee7584a012ae9164852ed112adc9f1fdac2f88b8825cf341a09d608

6b83089f168c645fa748435d01718c3b8202a094aa2397ca36ee7d7dca372b7a6b52bb60768b51610d92b8ae0ecf31504a0b3b31aa76c047

5. Follow the instructions

————————————————————–

Ransom note left by BlueSky ransomware

DNS records for the URL: kmsauto[.]us Screenshot of the fake website associated with KMS Auto that drops BlueSky ransomware

 

Whois records of the domains kmsauto[.]us Image of different paths on the malicious website