BlueSky is a newly discovered ransomware family that shares many similarities with another well-known group, Conti.
BlueSky began spreading rapidly on the internet through a fake file-encryption website: victims who uploaded files to be encrypted received them back infected with the ransomware, and all of their data was then encrypted.
The encryption appends the extension “.bluesky” to every affected file, preventing access to it. Two ransom notes, named “# DECRYPT FILES BLUESKY #.txt” and “# DECRYPT FILES BLUESKY #.html”, are placed on the desktop with instructions on how to get the files back.
The ransom demanded by the group in the first week is 0.1 Bitcoin; after the 7-day deadline the amount increases to 0.2 Bitcoin. Once 14 days have passed since the start of the attack, the victim loses the chance to obtain the decryption key through negotiation.
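As a quick triage check for the artefacts just described, the following added Python example (not from the original article) walks a directory tree and reports the “.bluesky” extension and ransom-note indicators; the sample tree it builds is constructed for the demo, and a verdict requires both indicators together.

```python
import os
import tempfile
from collections import Counter

# Indicators described in the write-up above.
BLUESKY_EXT = ".bluesky"
BLUESKY_NOTES = {"# DECRYPT FILES BLUESKY #.txt", "# DECRYPT FILES BLUESKY #.html"}


def scan_tree(root):
    """Walk `root` and summarise BlueSky artefacts beneath it. Both indicators
    together give a confident verdict; the extension alone on a few files
    could be a coincidence, so it is reported but not decisive."""
    encrypted = 0
    notes = []
    inner_ext = Counter()  # original extensions hidden under '.bluesky'
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in BLUESKY_NOTES:
                notes.append(os.path.join(dirpath, name))
            elif name.lower().endswith(BLUESKY_EXT):
                encrypted += 1
                # 'report.docx.bluesky' -> '.docx'
                stem = name[: -len(BLUESKY_EXT)]
                inner_ext[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return {
        "encrypted_files": encrypted,
        "ransom_notes": sorted(notes),
        "original_extensions": dict(inner_ext),
        "bluesky_detected": encrypted > 0 and len(notes) > 0,
    }


def build_sample_tree():
    """Constructed sample: encrypted user files plus both notes on the Desktop."""
    root = tempfile.mkdtemp(prefix="bluesky-demo-")
    desktop, docs = os.path.join(root, "Desktop"), os.path.join(root, "Documents")
    os.makedirs(desktop)
    os.makedirs(docs)
    for name in ("report.docx.bluesky", "budget.xlsx.bluesky", "notes.txt.bluesky", "readme.txt"):
        open(os.path.join(docs, name), "wb").close()
    for note in BLUESKY_NOTES:
        open(os.path.join(desktop, note), "wb").close()
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```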
So far, there is nothing unusual compared to other ransomware groups. What has been catching researchers’ attention, however, is the similarity to two other families, Conti and Babuk.
Investigation showed that BlueSky uses the same file-search module as Conti V3, an exact copy of that routine.
With regard to Babuk the similarities are even greater: both use the same encryption algorithm (ChaCha20) and the same key generator (Curve25519).
So far there is not enough evidence to confirm that the groups are linked.
Recover files encrypted by BlueSky ransomware
Digital Recovery has specialized in recent years in the recovery of data encrypted by ransomware. With over 23 years in the market, we have acquired the expertise to deal with lost files in various storage models, including: Virtual Machines, RAID, Storage, Databases, Magnetic tapes and others.
We know that ransomware attacks can completely paralyze a company’s operation. With this in mind, we have a team available to work in emergency mode to deliver your data in the shortest possible time, operating up to 24 hours a day for this.
And to avoid damaging a company’s name or reputation, we value the confidentiality of our operations. Therefore, in each case we provide a Non-Disclosure Agreement (NDA).