BlueSky Ransomware Artefacts
Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
Sigma rule
title: BlueSky Ransomware Artefacts
id: eee8311f-a752-44f0-bf2f-6b007db16300
status: test
description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
references:
    - https://unit42.paloaltonetworks.com/bluesky-ransomware/
author: j4son
date: 2023-05-23
tags:
    - attack.impact
    - attack.t1486
    - detection.emerging-threats
logsource:
    product: windows
    service: security
detection:
    selection_access_eid:
        EventID:
            - 4663
            - 4656
    selection_access_data:
        - ObjectName|endswith: '.bluesky'
        - ObjectName|contains: 'DECRYPT FILES BLUESKY'
    selection_share_eid:
        EventID: 5145
    selection_share_data:
        - RelativeTargetName|endswith: '.bluesky'
        - RelativeTargetName|contains: 'DECRYPT FILES BLUESKY'
    condition: all of selection_access_* or all of selection_share_*
falsepositives:
    - Unknown
level: high
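As an added illustration (not part of the rule or the Sigma project), the following Python evaluates this rule's condition over a handful of constructed Windows Security events, so you can see which field each event ID is checked against and why the two selection groups are ANDed separately before being ORed. Sigma string modifiers are case-insensitive, which the helper mirrors; the sample paths and share names are made up.

```python
# Minimal evaluator for the BlueSky rule's detection block.
# Field names follow the rule; the events below are constructed, not real telemetry.

SUFFIX = ".bluesky"
NOTE_MARKER = "DECRYPT FILES BLUESKY"


def _artefact_match(value):
    """Apply the rule's |endswith '.bluesky' / |contains 'DECRYPT FILES BLUESKY'
    checks. Sigma string matching is case-insensitive, hence the lower()."""
    if value is None:
        return False
    v = value.lower()
    return v.endswith(SUFFIX) or NOTE_MARKER.lower() in v


def matches_bluesky_rule(event):
    """Return True when the event satisfies
    'all of selection_access_* or all of selection_share_*'."""
    eid = event.get("EventID")
    # selection_access_eid AND selection_access_data (object-access events)
    access = eid in (4663, 4656) and _artefact_match(event.get("ObjectName"))
    # selection_share_eid AND selection_share_data (network share access)
    share = eid == 5145 and _artefact_match(event.get("RelativeTargetName"))
    return access or share


# Constructed sample events.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\budget.xlsx.bluesky"},
    {"EventID": 4656, "ObjectName": r"C:\Users\alice\Desktop\DECRYPT FILES BLUESKY.txt"},
    {"EventID": 5145, "RelativeTargetName": r"finance\Q3\report.docx.bluesky"},
    {"EventID": 5145, "RelativeTargetName": r"finance\Q3\report.docx"},   # benign share access
    {"EventID": 4663, "ObjectName": r"C:\Windows\System32\cmd.exe"},        # benign file access
    {"EventID": 4663, "RelativeTargetName": r"share\x.bluesky"},            # field/EID mismatch: no hit
]


def find_hits(events):
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_bluesky_rule(e)]


if __name__ == "__main__":
    for i in find_hits(SAMPLE_EVENTS):
        print(f"hit: {SAMPLE_EVENTS[i]}")
```

The last sample event shows the point of the split selections: a `.bluesky` value in `RelativeTargetName` on a 4663 event does not fire, because that field is only evaluated for 5145.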
Related rules
- LockerGoga Ransomware Activity
- Potential Conti Ransomware Activity
- WannaCry Ransomware Activity
- AWS EC2 Disable EBS Encryption
- Microsoft 365 - Potential Ransomware Activity