Bluesky

Description

BlueSky ransomware first emerged in July 2022 and is characterized by aggressive, high-speed file encryption built on a multithreaded architecture. Its code contains elements reminiscent of Conti v3. It encrypts files with ChaCha20, with the encryption keys secured by RSA-4096, and further employs Curve25519 for key agreement. Delivery commonly occurs through trojanized downloads from risky websites (e.g., "crack" or "keygen" hosts) or through phishing emails. The malware also spreads laterally over SMB and evades detection by hiding its threads via NtSetInformationThread. Once deployed, it appends the .bluesky extension to encrypted files and drops ransom notes in both HTML and TXT formats. Unlike double-extortion operations, BlueSky does not run a public leak site and appears focused solely on disrupting file access. Observed victims range from large enterprises to SMBs, but attack volume remained relatively low through early 2023.

External Analysis
https://www.watchguard.com/wgrd-ransomware/bluesky
https://www.sentinelone.com/anthology/bluesky/
https://www.unit42.paloaltonetworks.com/bluesky-ransomware/
https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants
https://www.cloudsek.com/blog/technical-analysis-of-bluesky-ransomware
Urls
http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion