Ransomware - BlueSky

BlueSky
Decryptor Available
Yes
Description

BlueSky is yet another Conti v2 derivative. However, this variant isn't a direct clone. The threat actors behind the BlueSky ransomware appear to have taken some inspiration from other big-named ransomware. For example, researchers state that much of the codebase is shared with Conti v2, but some researchers speculate that the encryption routine is similar to Babuk. Additionally, other researchers highlight the similarities with the TargetCompany ransomware. The WatchGuard Threat Lab performed its own technical analysis to get to the bottom of it. We determined that the code base most resembles Conti v2, so we designated the official Lineage as just that. It's certainly possible that the threat actors drew inspiration from Babuk and TargetCompany.

Through open-source research, we were able to locate 9 samples of BlueSky, all with similar features and ransom notes. Interestingly, BlueSky drops 2 ransom notes - "# DECRYPT FILES BLUESKY #.html" and "# DECRYPT FILES BLUESKY #.txt." Both ransom notes display the same information but in different formats. In addition to dropping the ransom notes, BlueSky encrypts files using ChaCha20 and RSA-4096 to perform file encryption. However, it also uses Curve25519 for key generation, which is where the Babuk similarities lie. After encryption, it renames files to include bluesky at the end (<file name>.bluesky).

The threat actors created a dark web domain for extortion negotiations where they also blackmailed victims into paying quickly, or prices would increase. However, we found no evidence that they posted these extortions publicly, and thus they never performed double extortions. This ransomware was active from late June 2022 until early 2023. We noticed the last instance of a BlueSky ransomware attack in January 2023.

Ransomware Type
Crypto-Ransomware
First Seen
Last Seen
Extortion Types
Direct Extortion
Extortion Price Increases
Extortion Amounts
Amount
0.05BTC($1,046)
Communication
Medio
Identificador
TOR
Encryption
Type
Hybrid
Files
ChaCha20
Key
RSA-4096
Additional Encryption
Curve25519
File Extension
<file name>.bluesky
Ransom Note Name
# DECRYPT FILES BLUESKY #.html
# DECRYPT FILES BLUESKY #.txt
2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef
3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb
840af927adbfdeb7070e1cf73ed195cf48c8d5f35b6de12f58b73898d7056d3d
9e302bb7d1031c0b2a4ad6ec955e7d2c0ab9c0d18d56132029c4c6198b91384f
b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec
c3d5248230230e33565c04019801892174a6e5d8f688d61002e369b0b9e441ff
c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df
d6386b2747335f7b0d13b1f69d995944ad8e9b71e09b036dbc0b907e583d857a
e75717be1633b5e3602827dc3b5788ff691dd325b0eddd2d0d9ddcee29de364f