This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

FirstWatch Threat Spotlight – BlueSky Ransomware

manojpilli
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2023-10-17 08:31 AM

Introduction:

BlueSky Ransomware is a modern malware using advanced techniques to evade security defenses. It predominantly targets Windows hosts and utilizes the Windows multi-threading model for fast encryption and has been observed to spread via phishing emails, phishing websites, and trojanized downloads. BlueSky Ransomware was first noted on VirusTotal by researcher Kangxiaopao in late June 2022. Subsequently, analysts from CloudSek and Unit42 have documented some of BlueSky’s behavior.

Based on the information available, it seems that BlueSky Ransomware hasn't shared any stolen data with the public yet. Also, the Bitcoin wallets linked to BlueSky Ransomware samples haven't been used for any transactions. This suggests that this threat is still in its infancy.

Although infection rates are currently minimal, the ransomware's characteristics, which are detailed below, suggest it has been meticulously crafted for a sustained operational campaign. In this post, we delve into the latest intelligence regarding BlueSky ransomware to aid security teams in bolstering their defenses against this emerging threat.

Initial Dropper:

According to the research done by CloudSEK, the attack chain starts with a PowerShell dropper hosted on the URL “hxxps://kmsauto[.]us/someone/start[.]ps1” that downloads the BlueSky Ransomware payload from the URL “hxxps://kmsauto[.]us/someone/”. The PowerShell script is Base64-encoded and then compressed using DEFLATE, which is common behavior observed among PowerShell droppers. Below is the script screenshot.

 

PS_Script.png

 Figure 1: Encoded PowerShell (dropper) script

 

This domain was registered on September 2020 and impersonates an old activation tool dubbed KMSAuto Net Activator. It is believed to be operated by threat actors of Russian origin. Whois and DNS records provided the registered email address and contact number associated with the malicious website “kmsauto[.]us”, registered on 1 September 2020.  Activity analysis of the email reveals that the last edit was made in 2021, a year after the domain registration. The following pages on the website contain Russian words which loosely translate to criminal, religion, and economy.

        https[:]//kmsauto[.]us/v-mire/
        https[:]//kmsauto[.]us/kriminal/
        https[:]//kmsauto[.]us/religiya/
        https[:]//kmsauto[.]us/ekonomika/

 

CloudSEK’s investigation reveals that the following malicious binaries are also present in the same path mentioned above:

  • JuicyPotato
  • CVE-2022-21882
  • CVE-2020-0796 aka SMBGhost
  • BlueSky Ransomware

Website_image.jpeg

Figure 2: Image of the website KMS Auto activator

Overview of BlueSky Ransomware infection:

  • BlueSky ransomware is initially dropped via PowerShell script start.ps1 onto the intended system. Following the extraction, this PowerShell script downloads a bunch of payloads based on the victim's system privileges.

  • A modified version of JuicyPotato for versions before Windows 10 is downloaded and executed if the victim's machine is the least privileged.

  • If the host is running Windows 10 or later, the script will download and run ghost.exe and spooler.exe to exploit local privilege escalation vulnerabilities CVE-2020-0796 and CVE-2021-1732, respectively.

  • After gaining enhanced privileges, stage.ps1 downloads the BlueSky ransomware payload and stores it locally to the filesystem as javaw.exe, attempting to impersonate a legitimate Windows application.

  • BlueSky ransomware performs the encryption by utilizing IO completion ports. I/O completion ports provide an efficient threading model for processing multiple asynchronous input-output (I/O) requests on a multiprocessor system.

  • BlueSky ransomware has the ability to spread laterally across accessible networks by using SMB and the NetShareEnum() function.

Technical Details:

Significantly, before dropping the final BlueSky payload, the PowerShell dropper determines if it is being executed as a privileged user. If so, it moves to the next step and downloads and executes the ransomware payload. If not, it uses the following techniques to escalate local privileges, depending on the version of the host operating system. If the version of the host operating system is earlier than Windows 10, such as Windows 7, 8 or XP, then the script will download and execute a modified version of the local privilege escalation tool called JuicyPotato. If the host is running Windows 10 or later, then the script will download and execute ghost.exe and spooler.exe to exploit local privilege escalation vulnerabilities CVE-2020-0796 and CVE-2021-1732, respectively.

Vulnerabilities being exploited to gain privileges are as below.

  • CVE-2020-0796: Windows SMBv3 Client/Server Remote Code Execution Vulnerability
    Products Effected: Windows 10: 1903 - 1909 and Windows Server 2019: 1903 - 1909

  • CVE-2021-1732: Windows Win32k Elevation of Privilege Vulnerability
    Products Effected: Windows 10: 2004 and Windows Server 2019: 2004

After gaining additional privileges, PowerShell dropper downloads the final BlueSky ransomware payload from hxxps://kmsauto[.]us/someone/I.exe and saves it locally to the filesystem as javaw.exe, attempting to masquerade as a legitimate Windows application. Eventually, the sample executes from the file path

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\javaw.exe.

Deobfuscated_Powershell_marks.png

Figure 3: Decoded PowerShell script showing above mentioned activities.

 

Encryption and Ransom note:

 

Upon infection, BlueSky uses fast encryption techniques to rapidly process files on the target and connected hosts. Encrypted files will be marked with the “.bluesky” extension. Victims are instructed to contact the attackers via a TOR-based portal to obtain a decrypter. Multiple BTC addresses have been recorded for the ransom demanded by BlueSky suggesting that different victims are given different BTC addresses.

Proof_Encryption.JPG

 

Figure 4: Before and after Encryption of system files with BlueSky Ransomware

 

BlueSky drops the ransom note as a text file named # DECRYPT FILES BLUESKY #.txt and an HTML file named # DECRYPT FILES BLUESKY #.html in a local directory where it has encrypted files successfully and renamed them with the file extension .bluesky. The content of these 2 files is shown below.

 

Ransom_Note.JPG

Figure 5: Ransome note .txt format.

 

Instructions.JPG

 Figure 6: Ransome note .html format.

 

File encryption limitations: Unlike other ransomware, which normally contains a list of file extensions to identify eligible files for encryption, BlueSky consists of a list of extensions that are negated in the file encryption process.

The file extensions excluded by BlueSky are listed below:

ldf, scr, icl, 386, cmd, ani, adv, theme, msi, rtp, diagcfg, msstyles, bin, hlp, shs, drv, wpx, bat, rom, msc, lnk, cab, spl, ps1, msu, ics, key, msp, com, sys, diagpkg, nls, diagcab, ico, lock, ocx, mpa, cur, cpl, mod, hta, exe, ini, icns, prf, dll, bluesky, nomedia, idx

The files with the following user data extensions are specifically targeted:

ckp, dbs, mrg, qry, wdb, sqlite3, dbc, dwg, dbt, mwb, sdb, db, sqlitedb, mdf, db3, dbv, myd, sql, sqlite, db-shm, dacpac, dbf, frm, ndf, tmd, accdb, db-wal

Directory names excluded from encryption:

$recycle.bin, $windows.~bt, $windows.~ws, boot, windows, windows.old, system volume information, perflogs, programdata, program files, program files (x86), all users, appdata, tor browser

Filenames excluded from encryption:

# decrypt files bluesky #.txt, # decrypt files bluesky #.html, ntuser.dat, iconcache.db, ntuser.dat.log, bootsect.bak, autorun.inf, bootmgr, ntldr, thumbs.db


Activities detected during sample payload execution:


Accessing_kmsauto.JPG

 

Figure 7: Ransomware sample resolving and accessing payload.

Enumerate_System_Drives.JPG

Enumerate_System_Drives.png

 

Figure 8: Sample enumerating all the connected storage drives.

Adjust_Previlage.JPG

 Figure 9: Sample using Adjust Privilege Token.

threadhidefromdebugger.png

Figure 10: Sample using “NtSetInformationThread” function with “ThreadHideFromDebugger”.

Delete_Shadow_Copy.JPG

 Figure 11: Ransomware sample deleting shadow copies.

Generating Victim ID

 

BlueSky Ransomware generates a victim ID unique to the infected system by combining and hashing the below system information with MD5. 

  • MachineGuid (4 Bytes) from SOFTWARE\\Microsoft\\Cryptography
  • DigitalProductId & InstallDate from SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
  • Disk Serial number of C:\

After generating the unique ID, it uses the same ID to generate the mutex “Global\\{generated_id}” where generated victim ID will be of length 32-byte. Before execution of the encryption function, the ransomware writes data needed for the recovery of the locked files in the registry as shown in figure 12.

 

Registry_Entry.png

 Figure 12: Registry Entries of mutex and the subsequent values

Below are the stored values for the created registry key HKCU\Software\<32-byte ID>

  • Completed: Once the encryption process is completed, this entry is set with a value of 1
  • RECOVERYBLOB: Is a fingerprint identifier for the compromised organization. To store the recovery information, BlueSky ransomware uses “ChaCha20 + Curve25519 + RC4” and “ChaCha20 + Curve25519” for the encryption.
  • x25519_public: Public key information.

Multi-Threading used in encryption:

BlueSky Ransomware uses a multithreaded queue for the encryption process. It starts multiple threads, one responsible for file encryption, another for enumerating files on the local file system and mounted network shares to be added into the queue. Below is the flow chart for the same.


multi_threading.png

Figure 13: Threading model using the IO ports.


Evasion techniques and anti-forensic activities used:

 

It is observed that BlueSky ransomware operators used sophisticated evasion techniques to be not able to detect by any of the security tools. The techniques are as mentioned below.

  1. The ransomware operators encode and encrypt malicious samples.
  2. Utilize multi-staged payload delivery and loading.
  3. String encryption
  4. API obfuscation allows it to obfuscate Windows API function names and use indirect calls for resolving APIs.
  5. Encoding API names using DJB hashing functions which makes it difficult for malware analysis.

Links with other ransomware families:


BlueSky ransomware is speculated to have connections with the Conti ransomware because of following reasons.

  • BlueSky Ransomware was tagged along with the Conti ransomware on various file analyzing engines and sample sharing websites.
  • These two groups share common signature instances.
  • The code fingerprints from samples of BlueSky ransomware can be connected to the Conti ransomware group. In particular, the multithreaded architecture of BlueSky bears code similarities with Conti v3, and the network search module is an exact replica of it.
  • There are certain differences in the file encryption routine. Conti v3 uses RSA- and AES-based file encryption, whereas BlueSky utilizes Curve25519 and ChaCha20 based file encryption.

conti_bluesky.png

 Figure 14: BlueSky Ransomware sample is being detected as Conti Ransomware.


The file encryption of BlueSky Ransomware is similar to Babuk Ransomware. Where both use Curve25519 to generate a public key for the host and generate a shared key with the public key of the attacker. After generating an elliptic curve key pair, BlueSky computes a hash of the shared key, and uses it to generate a file encryption key for the ChaCha20 algorithm. Finally, it reads the file buffer, encrypts it with ChaCha20 and replaces the contents of the original file.

 

NetWitness Detections for any ransomware infections:
Application Rules - Endpoint:

boc= "enumerates system info"
boc= "deletes shadow volume copies"
boc= "scheduled tasks via schtasks.exe"
boc= "creates executable in startup directory"
boc= "modifies winlogon registry settings"
boc= "deletes backup catalog"
boc= "disables windows defender using powershell"
boc= "deletes shadow volume copies"
boc= "deletes shadow volume copies using powershell"
boc= "disables windows audit policy"
boc= "base64 decoding with shell utilities"
boc= "enumerates file information"
boc= "lists directory structure of a path"
boc= "starts local service"
boc= "stops diagtrack service"
boc= "stops error reporting service"
boc= "stops security service"

 

All the above rules are currently available from NetWitness Live. After deploying/importing them on to NetWitness stack, these can be seen under Investigate -> Navigate upon detecting any Ransomware related activity in the customer environment.

 

Indicators of compromise:

 

BlueSky Ransomware Payloads

2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef

3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb

840af927adbfdeb7070e1cf73ed195cf48c8d5f35b6de12f58b73898d7056d3d

b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec

c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df

e75717be1633b5e3602827dc3b5788ff691dd325b0eddd2d0d9ddcee29de364f

Obfuscated PowerShell Dropper

08f491d46a9d05f1aebc83d724ca32c8063a2613250d50ce5b7e8ba469680605

969a4a55bb5cabc96ff003467bd8468b3079f5c95c5823985416c019eb8abe2f

CVE-2020-0796 SMBGhost Privilege Escalation Exploit

 c4e47cba1c5fedf9ba522bc2d2de54a482e0ac29c98358390af6dadc0a7d65ce

JuicyPotato

cf64c08d97e6dfa5588c5fa016c25c4131ccc61b8deada7f9c8b2a41d8f5a32c

CVE-2021-1732 Privilege Escalation Exploit

6c94a1bc67af21cedb0bffac03019dbf870649a182e58cc5960969adf4fbdd48

URLs

hxxps://kmsauto[.]us/someone/l.exe

hxxps://kmsauto[.]us/someone/spooler.exe

hxxps://kmsauto[.]us/someone/potato.exe

hxxps://kmsauto[.]us/someone/ghost.exe

hxxps://kmsauto[.]us/someone/start.ps1

Registry Paths

HKCU\Software\<32-byte hex string>\completed

HKCU\Software\<32-byte hex string>\recoveryblob

HKCU\Software\<32-byte hex string>\x25519_public

 

MITRE ATT&CK Information

T1486 - Data Encrypted for Impact: BlueSky can use CreateIoCompletionPort(), PostQueuedCompletionStatus() and GetQueuedCompletionPort() to rapidly encrypt files.

T1140 - Deobfuscate/Decode Files or Information: BlueSky downloader base64-decodes and decompresses data to unpack the next stage payload. BlueSky ransomware payload encrypts ransom note with rc4-based encryption, and it uses a custom encryption scheme to encrypt embedded strings.

T1083 - File and Directory Discovery: BlueSky can discover files on a local system.

T1106 - Native API: BlueSky has used API calls during execution.

T1135 - Network Share Discovery: BlueSky can enumerate remote open SMB network shares using NetShareEnum().

T1027 - Obfuscated Files or Information: BlueSky can use API obfuscation to protect its functionality from analysis.

T1049 – System Network Connections Discovery: BlueSky can scan for connected devices.


T1422 – System Network Configuration Discovery: BlueSky can scan for connected devices.


T1083 – File and Directory Discovery: BlueSky can scan files for enumeration as well as for encryption.


T1012 – Query Registry: BlueSky will Query registry for System information.


T1082 – System Information Discovery: BlueSky will get for System information to generate victim ID.


T1021.002 – Remote Services: SMB/Windows Admin Shares: BlueSky can enumerate remote open SMB network shares and Admin shares.


T0809 – Data Destruction: BlueSky can destroy data and files on a system.

Conclusion:


Cyber criminals behind ransomware attacks are continuously adapting to advanced tactics, making it increasingly challenging for cybersecurity defenses to thwart their activities. These evolving techniques encompass encoding and encrypting malicious code, along with the implementation of multi-staged payload delivery methods. Notably, the BlueSky ransomware strain demonstrates exceptional proficiency by swiftly encrypting files on victim machines using multi-threaded processing capabilities. Furthermore, it employs obfuscation strategies, such as API hashing, to impede reverse engineering efforts by security analysts.


It is very likely that ransomware attacks will continue to grow with advanced encryption techniques and delivery mechanisms.


BlueSky ransomware shows that even today, cyber criminals still use basic but very effective social engineering techniques to deceive people. When we are looking for cracked software, we must know that there is always a price and, in this case, it is a ransomware with a high ransom. So, it is necessary to educate people not to install cracked software on company computers or personal devices. It is a simple but effective way to stop similar threats.

The search for emerging threats is one of the core activities at NetWitness FirstWatch and we believe that BlueSky warrants close attention.

 

Thank you @ArthurF for valuable feedback.

 

References:

[1] https://www.cloudsek.com/threatintelligence/tracking-the-operators-of-the-newly-emerged-bluesky-ransomware
[2] https://unit42.paloaltonetworks.com/bluesky-ransomware/
[3] https://www.cloudsek.com/blog/technical-analysis-of-bluesky-ransomware
[4] https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/
[5] https://yoroi.company/research/dissecting-bluesky-ransomware-payload/

© 2022 RSA Security LLC or its affiliates. All rights reserved.