Tracking the Operators of the Newly Emerged BlueSky Ransomware

Originally published at:



Adversary Intelligence









Executive Summary

  • BlueSky ransomware actively targeting organizations and demanding ransom in BTC.
  • Speculated to have connections with Conti ransomware group.
  • Access to the organization’s network and infrastructure.
  • Exposed credentials could reveal business practices and IP.
  • Implement strong password policy and MFA.
  • Implement security configurations on network infrastructure devices.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a financially motivated ransomware group, dubbed BlueSky, speculated to be connected to the Conti ransomware group.
  • The Bluesky ransomware encrypts the victim’s files with.blueskyextension and drops a ransom note.
  • Multiple BTC addresses have been recorded for the ransom demanded by BlueSky suggesting that different victims are given different BTC addresses.
  • A Twitter post indicates that one of the BTC addresses has transacted around 1.59 BTC while the other one has no recorded transactions so far.

Information from OSINT

  • BlueSky ransomware sample was discovered on the open web under a filename ‘javaw.exe’ of size 71KB.
  • The ‘javaw.exe’ file was found to be dropped by another file called ‘2.ps1’, a text file of 16.84KB.
  • Further investigation reveals that 2.ps1 communicated with a fake domain impersonating KMSAuto Net Activator, the oldest activation tool.


Screenshot of a KMS Auto website that seems to be legitimate

The malicious file 2.ps1 probably communicates as a C2 server with the fake domain (

  • Different executables, including BlueSky ransomware, can be dropped using the path: https[:]//kmsauto[.]us/someone.
  • CloudSEK’s investigation reveals that the following malicious binaries can be executed using the path mentioned above:
    • JuicyPotato
    • CVE-2022-21882
    • CVE-2020-0796 aka SMBGhost
    • BlueSky Ransomware

Website Operator

  • Whois and DNS records provided the registered email address and contact number associated with the malicious website kmsauto[.]us, registered on 1 September 2020.
Admin Oxxxxxxxxx
Admin Email
Admin Phone +xxxxxxx
  • Further research reveals that the contact number belongs to the Krasnodar region in Russia and it is also active on WhatsApp.
Details associated with the contact number registered on Whois


  • Activity analysis of the email reveals that the last edit was made in 2021, a year after the domain registration.
Details associated with the email address registered on Whois


The website operator most likely originates from Russia because:

  • They have social media mentions on VK which is the largest Russian line media and social networking service.
  • The following pages on the website contain Russian words which loosely translate to criminal, religion, and economy.
    • https[:]//kmsauto[.]us/v-mire/
    • https[:]//kmsauto[.]us/kriminal/
    • https[:]//kmsauto[.]us/religiya/
    • https[:]//kmsauto[.]us/ekonomika/

Links with Conti Ransomware

BlueSky ransomware is speculated to have connections with the Conti ransomware because:

  • It was tagged along with the Conti ransomware on various file analyzing engines and sample sharing websites.
  • Ṭhe two groups share common signature instances.
Screenshot of the BlueSky & Conti ransomwares tagged together


Impact & Mitigation

Impact Mitigation
  • Infiltration into the organization’s infrastructure and network.
  • Leak of crucial business practices and Intellectual Property (IP).
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Implement security configurations on network infrastructure devices.

Indicators of Compromise (IOCs)

Based on the results from VirusTotal and Triage, following are the IOCs for BlueSky ransomware.

Ransom Note
C:\msocache\# DECRYPT FILES BLUESKY #.txt



Image of Bluesky decrypter


<<< B L U E S K Y >>>


The only way to decrypt and restore your files is with our private key and program.

Any attempts to restore your files manually will damage your files.

To restore your files follow these instructions:


1. Download and install “Tor Browser” from

2. Run “Tor Browser”

3. In the tor browser open website:


4. On the website enter your recovery id:

RECOVERY ID: 1cb4ef8d3f4652f6e33e870c57ddf5db5c70ca9f61eba6078cdc257ee321efcd830d6aa60ee7584a012ae9164852ed112adc9f1fdac2f88b8825cf341a09d608


5. Follow the instructions


Ransom note left by BlueSky ransomware

DNS records for the URL: kmsauto[.]us Screenshot of the fake website associated with KMS Auto that drops BlueSky ransomware


Whois records of the domains kmsauto[.]us Image of different paths on the malicious website