This lab walkthrough provides an in-depth investigation into a ransomware attack leveraging the BlueSky ransomware family. The exercise is designed to help cybersecurity analysts identify and analyze the stages of a sophisticated attack, from initial compromise to credential dumping, lateral movement, and ransomware deployment. By examining network traffic, analyzing malicious scripts, and inspecting forensic artifacts, this walkthrough demonstrates how attackers exploit vulnerabilities to infiltrate systems and execute payloads.
The scenario begins with the capture and analysis of network traffic using Wireshark, focusing on HTTP streams that reveal PowerShell scripts used for reconnaissance, credential theft, and remote execution via SMB. It explores how attackers abuse scheduled tasks and registry modifications to establish persistence and evade detection. Analysts are guided through identifying key indicators of compromise, including encoded PowerShell commands, credential dumping scripts, and the exfiltration of sensitive data.
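The indicators named above can be triaged mechanically once the HTTP stream has been exported from Wireshark. The following Python is an added example, not part of the lab material: it decodes PowerShell's `-EncodedCommand` payloads (base64 over UTF-16LE) and flags scheduled-task and registry Run-key persistence in both the raw lines and the decoded scripts. The sample lines, hostnames and paths are constructed for illustration.

```python
import base64
import re

# PowerShell accepts -EncodedCommand and abbreviations down to -e, followed by a base64 blob.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# The two persistence techniques the walkthrough covers.
PERSISTENCE_PATTERNS = {
    "scheduled task": re.compile(r"\bschtasks\b|Register-ScheduledTask", re.IGNORECASE),
    "registry run key": re.compile(r"CurrentVersion\\Run\b", re.IGNORECASE),
}


def encode_command(script):
    """Only used to build sample data: PowerShell encodes the script as UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(blob):
    """Reverse the -EncodedCommand encoding; return None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_indicators(lines):
    """Return (line_no, decoded_script_or_None, [technique names]) for each suspicious line."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = ENCODED_CMD.search(line)
        decoded = decode_encoded_command(match.group(1)) if match else None
        # Persistence commands are usually hidden inside the encoded script, so
        # search the decoded text as well as the raw line.
        haystack = line + "\n" + (decoded or "")
        techniques = [name for name, pat in PERSISTENCE_PATTERNS.items() if pat.search(haystack)]
        if match or techniques:
            findings.append((line_no, decoded, techniques))
    return findings


# Constructed sample imitating lines exported from Wireshark's "Follow HTTP Stream" view.
SAMPLE_HTTP_LINES = [
    "GET /update.ps1 HTTP/1.1",
    "Host: 192.0.2.10",
    "powershell.exe -nop -w hidden -enc " + encode_command(
        "schtasks /create /tn Updater /tr C:\\Users\\Public\\run.exe /sc onlogon"),
    # Looks base64-encoded but decodes to an odd byte count, so UTF-16LE decoding fails.
    "powershell.exe -enc " + base64.b64encode(b"ABCDEFGHIJKLMNOPQ").decode("ascii"),
    "Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name svc -Value C:\\Users\\Public\\run.exe",
]

if __name__ == "__main__":
    for line_no, decoded, techniques in find_indicators(SAMPLE_HTTP_LINES):
        print(line_no, techniques, (decoded or "<undecodable or none>")[:60])
```

A line that carries an encoded command the decoder cannot reverse is still reported, since a malformed blob is itself worth an analyst's attention.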
Further investigation into the ransomware deployment phase highlights its propagation through SMB and the use of ransom notes to demand payment from victims. By leveraging tools like VirusTotal, analysts correlate hash values with known malware families, confirming the use of BlueSky ransomware. This analysis provides insight into the ransomware's behavior, file encryption methods, and potential decryption options.
Throughout this walkthrough, cybersecuri