New Ransomware Group ‘Night Sky’ Launched: Japan and Bangladesh Already Affected


As the New Year approaches, it has been discovered that a new ransomware group called “Night Sky” has emerged to target corporate networks, encrypting devices and stealing data for double extortion.

According to MalwareHunterteam, which first discovered this new ransomware, “Night Sky” began its activities on December 27 and has since released data on victims from two companies.

One of the victims has been asked to pay an $800,000 ransom to obtain a decryptor and not release the stolen data.

How “Night Sky” Encrypts Devices

The “Night Sky” ransomware sample is customized and contains a personalized ransom note and hard-coded login credentials to access the victim’s negotiation page.

When activated, this ransomware will encrypt all files except those with a file extension ending in .dll or .exe. Also, this ransomware will not encrypt the files and folders in the following list:

AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
recycle

When encrypting a file, Night Sky will add the extension .nightsky to the encrypted file name.

Each folder contains a ransom note named NightSkyReadMe.hta, which contains information related to what was stolen, a contact email, and hard-coded credentials to the victim’s negotiation page.

Night Sky uses email addresses and a clearnet website running Rocket.Chat, rather than a Tor site, to communicate with victims.

The credentials will be used to log in to the Rocket.Chat URL listed in the ransom note.
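The two file-system artefacts described above (the .nightsky extension and the NightSkyReadMe.hta note dropped in each folder) are enough to triage a suspect share or disk image. The script below is an added example for defenders, not code from the article or from the researchers it cites; the mount point and file listing are constructed sample data.

```python
"""Triage a file tree for the Night Sky artefacts the article names:
files renamed with the .nightsky extension and the NightSkyReadMe.hta
ransom note dropped in each folder."""
import os
from collections import Counter
from typing import Iterable

ENCRYPTED_EXT = ".nightsky"          # extension appended to encrypted files
RANSOM_NOTE = "nightskyreadme.hta"   # ransom note, matched case-insensitively

# Constructed sample listing (hypothetical mounted image, not real victim data).
SAMPLE_PATHS = [
    "/mnt/image/Shares/Finance/budget.xlsx.nightsky",
    "/mnt/image/Shares/Finance/NightSkyReadMe.hta",
    "/mnt/image/Shares/Finance/report.docx.nightsky",
    "/mnt/image/Shares/HR/NightSkyReadMe.hta",
    "/mnt/image/Windows/System32/kernel32.dll",   # .dll: skipped by the malware
    "/mnt/image/Users/alice/AppData/Local/cache.bin",  # AppData: excluded folder
]


def classify_paths(paths: Iterable[str]) -> dict:
    """Return indicators found in an iterable of file paths.

    'encrypted' and 'notes' list the matching paths; 'hits_per_dir' counts
    indicators per directory so the most affected locations stand out."""
    encrypted, notes = [], []
    per_dir = Counter()
    for path in paths:
        name = os.path.basename(path).lower()
        if name.endswith(ENCRYPTED_EXT):
            encrypted.append(path)
        elif name == RANSOM_NOTE:
            notes.append(path)
        else:
            continue  # not one of the two indicators the article describes
        per_dir[os.path.dirname(path)] += 1
    return {"encrypted": encrypted, "notes": notes, "hits_per_dir": dict(per_dir)}


def scan_tree(root: str) -> dict:
    """Walk a directory (e.g. a read-only mounted image) and classify every file."""
    def walk():
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                yield os.path.join(dirpath, f)
    return classify_paths(walk())


def likely_infected(report: dict) -> bool:
    """Both indicators together are a strong sign; either alone warrants a look."""
    return bool(report["encrypted"]) and bool(report["notes"])


if __name__ == "__main__":
    r = classify_paths(SAMPLE_PATHS)
    print(f"encrypted={len(r['encrypted'])} notes={len(r['notes'])} "
          f"infected={likely_infected(r)} per_dir={r['hits_per_dir']}")
```

Run `scan_tree("/mnt/image")` against a mounted, read-only copy of a suspect volume; the per-directory counts show where the note and encrypted files cluster.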

Double extortion tactics

A common tactic used in ransomware operations is to steal unencrypted data from the victim before encrypting the devices on the network.

They then use this stolen data in a “double extortion” strategy, threatening to leak the data if the ransom is not paid.

In order to leak victim data, Night Sky has created a Tor data leak site, which now appears to list victims from two companies, one in Bangladesh and one in Japan.

Although the new Night Sky ransomware is not very active, we need to be aware of it as we enter the New Year.
