- CloudSEK’s contextual AI digital risk platform XVigil discovered a financially motivated ransomware group, dubbed BlueSky, speculated to be connected to the Conti ransomware group.
- The BlueSky ransomware encrypts the victim’s files with the ‘.bluesky’ extension and drops a ransom note.
- Multiple BTC addresses have been recorded for the ransom demanded by BlueSky, suggesting that different victims are given different BTC addresses.
- A Twitter post indicates that one of the BTC addresses has transacted around 1.59 BTC while the other one has no recorded transactions so far.
- A BlueSky ransomware sample was discovered on the open web under the filename ‘javaw.exe’, 71KB in size.
- The ‘javaw.exe’ file was found to be dropped by another file called ‘2.ps1’, a 16.84KB text file.
- Further investigation reveals that 2.ps1 communicated with a fake domain impersonating KMSAuto Net Activator, the oldest activation tool.
Screenshot of a KMS Auto website that seems to be legitimate
The malicious file 2.ps1 probably communicates with the fake domain (https://kmsauto.us/someone/l.exe), which likely acts as a C2 server.
- Different executables, including BlueSky ransomware, can be dropped using the path: https[:]//kmsauto[.]us/someone.
- CloudSEK’s investigation reveals that the following malicious binaries can be executed using the path mentioned above:
- CVE-2020-0796 aka SMBGhost
- BlueSky Ransomware
- Whois and DNS records provided the registered email address and contact number associated with the malicious website kmsauto[.]us, which was registered on 1 September 2020.
- Further research reveals that the contact number belongs to the Krasnodar region in Russia and it is also active on WhatsApp.
- Activity analysis of the email reveals that the last edit was made in 2021, a year after the domain registration.
The website operator most likely originates from Russia because:
- They have social media mentions on VK, which is the largest Russian online media and social networking service.
- The following pages on the website contain Russian words which loosely translate to criminal, religion, and economy.
BlueSky ransomware is speculated to have connections with the Conti ransomware because:
- It was tagged alongside the Conti ransomware on various file analysis engines and sample sharing websites.
- The two groups share common signature instances.
Based on the results from VirusTotal and Triage, the following are the IOCs for BlueSky ransomware.
- File path: C:\msocache\# DECRYPT FILES BLUESKY #.txt
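A small triage helper built from the indicators above (the ‘.bluesky’ extension, the ransom note path, the 2.ps1 and javaw.exe artefacts, and the kmsauto[.]us domain), added here as an example and not part of CloudSEK’s report; the paths and log lines it scans are constructed, and the verdict labels are my own.

```python
import re
from pathlib import PureWindowsPath
# Indicators from the report above; every path and log line below is constructed for the demo.
ENCRYPTED_EXT = ".bluesky"
RANSOM_NOTE_NAME = "# decrypt files bluesky #.txt"  # compared case-insensitively
DROPPER_DOMAIN = "kmsauto.us"                       # refanged form of kmsauto[.]us
DROPPER_ARTIFACTS = {"2.ps1", "javaw.exe"}          # javaw.exe is also a real Java binary: a lead, not a verdict
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def scan_file_paths(paths):
    """Return (indicator, path) pairs for host-side BlueSky artefacts."""
    hits = []
    for raw in paths:
        name = PureWindowsPath(raw).name.lower()
        if name.endswith(ENCRYPTED_EXT):
            hits.append(("encrypted_file", raw))
        elif name == RANSOM_NOTE_NAME:
            hits.append(("ransom_note", raw))
        elif name in DROPPER_ARTIFACTS:
            hits.append(("dropper_artifact", raw))
    return hits

def scan_dns_log(lines):
    """Return log lines naming the fake KMSAuto domain or any subdomain of it."""
    def is_dropper_host(host):
        host = host.lower().strip(".")
        return host == DROPPER_DOMAIN or host.endswith("." + DROPPER_DOMAIN)
    return [ln for ln in lines if any(is_dropper_host(h) for h in _HOST_RE.findall(ln))]

def triage(paths, log_lines):
    """Combine host and network hits into a verdict a responder can act on."""
    hits = scan_file_paths(paths)
    kinds = {kind for kind, _ in hits}
    net = scan_dns_log(log_lines)
    if kinds & {"encrypted_file", "ransom_note"}:
        verdict = "encryption_observed"  # isolate the host, preserve the note and any sample
    elif "dropper_artifact" in kinds or net:
        verdict = "staging_suspected"    # dropper or C2 contact seen, no encryption yet
    else:
        verdict = "clean"
    return {"verdict": verdict, "host_hits": hits, "network_hits": net}

SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.bluesky",
    r"C:\msocache\# DECRYPT FILES BLUESKY #.txt",
    r"C:\Users\alice\AppData\Local\Temp\2.ps1",
    r"C:\Users\alice\Pictures\holiday.jpg",
]
SAMPLE_DNS = ["host01 query A kmsauto.us", "host01 GET https://kmsauto.us/someone/l.exe",
              "host01 query A update.microsoft.com"]
```

Running `triage(SAMPLE_PATHS, SAMPLE_DNS)` on the constructed data yields the verdict `encryption_observed`; a javaw.exe hit on its own only reaches `staging_suspected` and should be confirmed against the 71KB size and drop location the report describes before anything is blocked.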
<<< B L U E S K Y >>>
YOUR IMPORTANT FILES, DOCUMENTS, PHOTOS, VIDEOS, DATABASES HAVE BEEN ENCRYPTED!
The only way to decrypt and restore your files is with our private key and program.
Any attempts to restore your files manually will damage your files.
To restore your files follow these instructions:
1. Download and install “Tor Browser” from https://torproject.org/
2. Run “Tor Browser”
3. In the tor browser open website:
4. On the website enter your recovery id:
RECOVERY ID: 1cb4ef8d3f4652f6e33e870c57ddf5db5c70ca9f61eba6078cdc257ee321efcd830d6aa60ee7584a012ae9164852ed112adc9f1fdac2f88b8825cf341a09d608
5. Follow the instructions
Ransom note left by BlueSky ransomware
DNS records for the URL: kmsauto[.]us
Screenshot of the fake website associated with KMS Auto that drops BlueSky ransomware
Whois records of the domain kmsauto[.]us
Image of different paths on the malicious website