Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Bluesky

115
Global rank
102 infographic chevron month
Month rank
129 infographic chevron week
Week rank
0
IOCs

BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.

Ransomware
Type
Unknown
Origin
1 May, 2022
First seen
17 January, 2025
Last seen

How to analyze Bluesky with ANY.RUN

Type
Unknown
Origin
1 May, 2022
First seen
17 January, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Release Notes: System Updates, New YARA and S...
watchers 197
comments 0
post image
3 Major Cyber Attacks in January 2025
watchers 1401
comments 0
post image
Interlock Ransomware: Analysis of Attacks on...
watchers 1190
comments 0

What is BlueSky ransomware?

BlueSky ransomware is a strain of malicious software that encrypts files on a victim's system, rendering them inaccessible until a ransom is paid. First detected in June 2022, it shares similarities with other notorious ransomware families like Conti and Babuk.

BlueSky spreads through methods such as phishing emails, malicious links, and network protocols like SMB (port 445 TCP). Once inside a system, it uses advanced evasion techniques, such as hiding threads from debuggers, to avoid detection. It targets both files and processes, encrypting files with RSA encryption and adding the ".bluesky" extension to them while maintaining operational stability by avoiding critical system processes.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

BlueSky ransomware technical details

BlueSky ransomware encrypts files on the infected system, spreads through network shares, and uses advanced evasion techniques to avoid detection.

The primary functionalities of BlueSky ransomware include:

  • Uses RSA encryption to lock files and adds a ".bluesky" extension to the affected files.
  • Avoids system-critical processes while terminating secondary ones to optimize encryption without causing a system crash.
  • Utilizes advanced anti-debugging techniques such as hiding threads from debuggers through the NtSetInformationThread API.
  • Writes specific registry keys, including x25519_pub and RECOVERYBLOB, which are essential for the encryption and decryption process.
  • Uses multi-threading to efficiently handle file encryption tasks, targeting both local files and network shares through SMB.

BlueSky ransomware execution process

To see how BlueSky operates, let’s upload its sample to the ANY.RUN sandbox.

BlueSky ransomware specifically targets files and processes for encryption. However, it strategically avoids critical system processes to prevent system crashes that could halt the encryption process prematurely. This selective targeting allows it to continue encrypting files while the system remains operational.

Encrypted files are marked with the “.bluesky” extension, and a ransom note is left in the directories containing the encrypted files.

Bluesky in ANY.RUN sandbox BlueSky ransom note displayed in ANY.RUN’s sandbox

Before the encryption takes place, the ransomware writes critical information to the system’s registry, such as x25519_pub and RECOVERYBLOB. These are used by the attackers to potentially decrypt files if the ransom is paid.

Bluesky registry manipulation Registry changes displayed by the ANY.RUN’s sandbox

One of BlueSky’s key features is its evasion tactics. It hides execution threads from debuggers using the NtSetInformationThread API, making it difficult for analysts and security tools to track its behavior in real-time. This advanced anti-debugging capability ensures that the malware can run stealthily in a compromised environment, minimizing the chances of detection.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

BlueSky ransomware distribution methods

Similar to other malware families like AsyncRAT and Lumma Stealer, BlueSky ransomware is distributed through a variety of methods, making it a versatile and dangerous threat. Here are the primary distribution methods:

  • Phishing emails: Delivered via emails containing malicious attachments or links that prompt users to download and execute ransomware.
  • SMB protocol (Server Message Block): Spreads across networks using SMB (Port 445 TCP), which makes it possible to infect multiple machines.
  • Trojanized software: Embedded in cracked or pirated software, which users unknowingly download from unreliable sources.
  • Malicious links: Spread through phishing websites or compromised legitimate sites, directing users to download the malware.

Gathering Threat Intelligence on BlueSky Ransomware

To gather up-to-date intelligence on BlueSky ransomware, use Threat Intelligence Lookup.

This service gives you access to a vast database of threat data, built on millions of malware analysis sessions conducted in the ANY.RUN sandbox. It allows you to search using over 40 parameters, such as IPs, file names, domains, and process artifacts. Bluesky lookup search Search query for Bluesky in ANY.RUN’s Threat Intelligence Lookup

Searching for BlueSky-related terms, such as threatName:"BlueSky", in TI Lookup brings up results related to this ransomware, including associated samples, network activity, and command-and-control (C2) communication.

Test the capabilities of Threat Intelligence Lookup and the ANY.RUN sandbox.

Conclusion

BlueSky ransomware is a dangerous threat due to its file encryption, network propagation, and advanced evasion techniques. To combat this, it's essential to use tools like ANY.RUN and proactively analyze suspicious files before they cause damage. ANY.RUN provides a real-time malware analysis platform, allowing users to safely investigate and understand malware behavior, while delivering detailed reports for actionable insights.

Sign up for a free ANY.RUN account today to start analyzing threats like BlueSky.

HAVE A LOOK AT

Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More
X-Files screenshot
X-Files
xfiles
X-FILES Stealer is a sophisticated malware designed to infiltrate systems and steal sensitive information, targeting login credentials for email, social media, and other personal accounts. It captures data and transmits it back to the attacker’s command-and-control server. X-FILES Stealer employs advanced evasion techniques to avoid detection, making it a persistent threat in the cyber landscape.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More