[ BlueSky ransomware ]
[Virus/Malware Activity Report: BlueSky Ransomware]
Following an intrusion believed to involve BlueSky ransomware,
we are confirming the situation and issuing the following warning.
BlueSky ransomware
The ransomware in question is called BlueSky. It appears to rename every file it encrypts to <file name.extension.bluesky>.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
It is written in C++ and uses encrypted internal API functions, which makes accurate analysis difficult. After the encryption process is complete, a value is created under HKCU\SOFTWARE to record whether encryption has been completed, along with information about the command. Because it also attacks shared folders, an infection on one machine may cause damage to other PCs as well.
[Figure 3 Completion and other information created in the registry]
[Figure 4 Dynamic code that proceeds with the above results]
[Figure 5 Attacked Folder (Other PC)]
Infection results
An information file is created in each path as <# DECRYPT FILES BLUESKY #.txt / # DECRYPT FILES BLUESKY #.html>. As encryption is performed, files are renamed to <file name.extension.bluesky>, and the desktop is changed when encryption is complete.
[Figure 6 Infection results]
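As an added example (not part of the original report and not White Defender code), the Python sketch below sweeps a directory tree or mounted share for the two file indicators described above: the information files and files carrying the .bluesky suffix. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators as given in the report: note file names and the appended extension.
NOTE_NAMES = {"# decrypt files bluesky #.txt", "# decrypt files bluesky #.html"}
ENCRYPTED_SUFFIX = ".bluesky"

def scan_tree(root):
    """Return (notes, encrypted, ext_counts); unreadable directories are skipped."""
    notes, encrypted, ext_counts = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()  # Windows file names are case-insensitive
            if lower in NOTE_NAMES:
                notes.append(Path(dirpath) / name)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(lower) > len(ENCRYPTED_SUFFIX):
                encrypted.append(Path(dirpath) / name)
                # "plan.docx.bluesky" -> original extension ".docx"
                original = Path(lower[: -len(ENCRYPTED_SUFFIX)])
                ext_counts[original.suffix or "(none)"] += 1
    return notes, encrypted, ext_counts

def affected_dirs(notes, encrypted):
    """Directories holding both a note and a renamed file (strongest signal)."""
    note_dirs = {p.parent for p in notes}
    return sorted({p.parent for p in encrypted} & note_dirs)

def run_on_constructed_sample():
    """Build a constructed sample tree of empty files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = {
            "docs": ["plan.docx.bluesky", "q3.XLSX.BLUESKY", "# DECRYPT FILES BLUESKY #.txt"],
            "share/team": ["notes.bluesky", "# DECRYPT FILES BLUESKY #.html"],
            "clean": ["bluesky-wallpaper.png", "readme.txt"],
            "partial": ["photo.jpg.bluesky"],  # renamed file, no note in this folder
        }
        for folder, names in layout.items():
            (root / folder).mkdir(parents=True)
            for name in names:
                (root / folder / name).touch()
        notes, encrypted, ext_counts = scan_tree(root)
        hit_dirs = [d.relative_to(root).as_posix() for d in affected_dirs(notes, encrypted)]
        return len(notes), len(encrypted), dict(ext_counts), hit_dirs

if __name__ == "__main__":
    print(run_on_constructed_sample())
```

The per-extension counts show which file types were hit, and folders with renamed files but no note may indicate encryption that was interrupted before it finished.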
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 9 Block message]