Tracking the Operators of the Newly Emerged BlueSky Ransomware

CloudSEK discovered a financially motivated ransomware group, dubbed BlueSky, speculated to be connected to the Conti ransomware group.

BlueSky’s operators are primarily focused on attacking the US, European and Asian regions, unlike Conti which mainly targets the Latin American region. The ransomware is distributed from a public service called "CloudFront" which allows for the distribution of content through a global CDN.

BlueSky appears to have taken over or inherited some of the operations of its predecessor Conti: BlueSky was observed reusing old Conti samples, such as 'BUSINESS_KEEP_COOL', to spread its malware.

In addition, we have identified that the BlueSky group has also used the same infrastructure as Conti. Distribution of the new samples began on 25 June 2018, followed by a massive campaign in July. Despite not having been in operation for long, the group already appears to be one of the most active ransomware groups currently operating.

CloudSEK has discovered that the BlueSky group has at least 2 main operators, both of whom are based in Colombia (and possibly other countries). They are also known as "Montana", "Elvis" and "Roberto".

BlueSky continues to be distributed from a public CDN, called CloudFront. The infrastructure and all of the files used by BlueSky were built from scratch at different times by the two main operators. These operators have shown some skills in building up their own infrastructure, as well as self-hosting some files that are downloaded from other sources such as GitHub.

It is currently unknown whether BlueSky's operation is being continued by one of the initial Conti group members (such as "Mauricio"), or whether this is a new effort. Conti stopped its operations at the end of 2016 after CloudSEK published its leading actor profile, "Conti Unmasked".

Source: Tracking the Operators of the Newly Emerged BlueSky Ransomware - AlienVault - Open Threat Exchange