Ransomware is malicious software designed to encrypt files on a victim’s system or device and demand a ransom in exchange for the decryption key or tools. BlueSky is a modern ransomware family that uses multiple techniques for security evasion and device infection. It targets Windows hosts and encrypts the files on the system using multi-threading.
BlueSky was first spotted in June 2022. A deeper analysis of the multithreaded architecture of BlueSky ransomware has revealed code resemblance to Conti v3. Additionally, BlueSky uses the ChaCha20 algorithm for file encryption and Curve25519 for key generation, which marks its similarity to Babuk ransomware.
How does BlueSky Ransomware infect a system?
The ransomware relies on downloads from fake websites and phishing emails for initial infection. Once the user clicks the malicious link, a PowerShell script is dropped on the target device by a Base64-encoded initial dropper. After extraction, it launches a second PowerShell script that is padded with numerous comments to obscure the malicious code.
This script analyzes the device configuration and, depending on that configuration, downloads one or more payloads to escalate its privileges. Examples of these payloads include JuicyPotato, CVE-2022-21882, and SMBGhost. They allow the script to run as a privileged user and gain access to all files on the system.
What does BlueSky Ransomware do?
Once the ransomware runs successfully, it encrypts the files on the system and saves each encrypted file with the new extension ‘.bluesky’. For example, a file originally saved as ‘1.pptx’ will be saved as ‘1.pptx.bluesky’ after encryption.
After encrypting all files, the ransomware drops two ransom notes (one in HTML format and the other in TXT format) on the desktop. The notes are identical in content and inform the user of the ransomware attack and the ways to contact the cyber criminals via their Tor network.
The ransom notes also warn against using any decryption method other than contacting the cyber criminals, as doing so may lead to permanent encryption of the files.
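The rename pattern and the note pair described above can be turned into a simple host-side check. The following is an added example (not code from the original post or from any vendor tool): it flags files whose name ends in the ‘.bluesky’ suffix, recovers their original names, and reports directories that hold a same-stem HTML and TXT pair. The post does not give the note file names, so the pair check is a heuristic; the alert threshold and the sample listing are constructed for this demo.

```python
# Added example (not from the post): flag BlueSky-style file renames and the
# html+txt ransom-note pair in a file listing. The '.bluesky' suffix is from the
# post; note file names are not, so the pair check is a heuristic.
import ntpath  # splits both '\\' and '/', so the Windows sample runs on any OS
from collections import Counter, defaultdict

BLUESKY_SUFFIX = ".bluesky"
ALERT_THRESHOLD = 3  # assumption: renamed files per directory that warrant an alert

def is_bluesky_name(path):
    """True when '.bluesky' was appended to an existing file name."""
    name = ntpath.basename(path).lower()
    return name.endswith(BLUESKY_SUFFIX) and name != BLUESKY_SUFFIX

def original_name(path):
    """Recover the pre-encryption path: '1.pptx.bluesky' -> '1.pptx'."""
    return path[:-len(BLUESKY_SUFFIX)] if is_bluesky_name(path) else path

def find_note_pairs(paths):
    """Directories holding a same-stem .html and .txt pair (the two notes)."""
    seen = defaultdict(set)
    for p in paths:
        d, name = ntpath.split(p)
        stem, ext = ntpath.splitext(name.lower())
        if ext in (".html", ".txt"):
            seen[(d, stem)].add(ext)
    return sorted({d for (d, _), exts in seen.items() if exts == {".html", ".txt"}})

def scan_paths(paths, threshold=ALERT_THRESHOLD):
    """Classify a listing: encrypted files, recovered names, noisy directories."""
    paths = list(paths)  # the listing is walked twice, so materialise generators
    encrypted = [p for p in paths if is_bluesky_name(p)]
    per_dir = Counter(ntpath.dirname(p) for p in encrypted)
    return {
        "encrypted": encrypted,
        "originals": {p: original_name(p) for p in encrypted},
        "hot_dirs": sorted(d for d, n in per_dir.items() if n >= threshold),
        "note_dirs": find_note_pairs(paths),
    }

SAMPLE_PATHS = [  # constructed listing, not real telemetry; note names are made up
    r"C:\Users\alice\Documents\1.pptx.bluesky",
    r"C:\Users\alice\Documents\budget.xlsx.bluesky",
    r"C:\Users\alice\Documents\notes.txt.bluesky",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Users\alice\Desktop\HOW_TO_RECOVER.html",
    r"C:\Users\alice\Desktop\HOW_TO_RECOVER.txt",
]

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
```

To run it over a real tree, feed `scan_paths` the output of `os.walk`, e.g. `scan_paths(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)`.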
The attackers’ website creates a sense of panic by stating the decryption fee for the first day and then increasing the ransom after the first week. It also states
How to stay protected against BlueSky Ransomware?
Prevention is the best defense against BlueSky ransomware. Follow these precautions to stay protected against BlueSky ransomware.
- Make sure to download software from the official website only.
- Do not crack software, and always use the authentic activation tools provided by the developer to activate the software.
- Be cautious with emails and avoid clicking on links in irrelevant or suspicious emails.
- Install an antivirus on the system and keep it updated.
- Regularly scan your system.
For more information about cybersecurity solutions, contact Centex Technologies. You can call the following office locations: Killeen (254) 213-4740, Dallas (972) 375-9654, Atlanta (404) 994-5074, and Austin (512) 956-5454.