From the Labs: YARA Rule for Detecting Blue Locker

ReversingLabs threat analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.

In this series, we break down some of the threats behind our YARA detection rules and help your organization to detect them within your environment.

Blue Locker: A Textbook Case of Ransomware

Discovered in early 2022, Blue Locker is a ransomware family that spreads via malicious links and email attachment. Once installed, it encrypts the personal documents and data found on the victim’s computer. The victim is then shown a message from the threat actor informing them that their “computers and servers are encrypted, backups are deleted from your network and copied.” The letter goes on to say that “you cannot decrypt your data,” and urges the victim to email the listed email address in order to gain access to the cybercriminal’s decrypting software. As with other ransomware variants, the attackers provide a (Protonmail) email account through which victims are asked to negotiate a ransom payment. However, no specific ransom amount is specified in the ransom notes.

Blue Locker has been identified circulating in the wild since early 2022. However, little is known about the cybercriminal ties the group has, what country it was created in, or what the threat actor’s motives are - beyond financial gain- for pushing out this ransomware. In this way, Blue Locker is similar to other recent ransomware discoveries such as the Acepy ransomware, but separates Blue Locker from other well-known ransomware families, such as Conti.

Attacker Techniques

Similar to other ransomware types, Blue Locker most often gains access to a victim’s computer using phishing and other social engineering techniques. Victims have typically clicked a link in a phishing email, text message, or social media post or fallen for an Internet scam that resulted in malicious code being placed on their computer.

Typically, the Blue Locker ransomware is installed subsequent to a trojan introduction, in which a victim downloads a trojan remote access tool to their computer, believing it to be another application and a safe download. Blue Locker has also been observed spreading via malicious peer-to-peer networks, and torrent websites.

Once installed, the Blue Locker ransomware encrypts files including documents, photos and music. Successfully encrypted files are marked with the “.blue” file extension, making the file inaccessible to the victim.

For victims, there is no current way to decrypt files once they have been encrypted by Blue Locker other than to use the decryption tool provided by the ransomware group. As with other ransomware families, promises to decrypt files once the ransom is paid are unreliable and victims are advised not to pay ransoms to Blue Locker or other cybercriminal groups.

Detecting Blue Locker

With few choices for recovery, it is crucial to detect Blue Locker infections before the threat actor has a chance to execute the malware.

ReversingLabs’ Blue Locker YARA rule is designed to detect this ransomware within your environment with high fidelity and almost no false-positives.

Download the Blue Locker YARA Rule on GitHub here:

Win32.Ransomware.BlueLocker.yara

To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page.

The Work Doesn’t Stop Here

ReversingLabs’ team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.