Night Sky: New Ransomware Targeting Corporate Networks

 

The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware. The ransomware has since published the data of two victims. 

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When the ransomware is activated, it encrypts all files except those with the.dll or.exe file extensions. The ransomware will not encrypt the following files or folders: 

• AppData

• Boot

• Windows

• Windows.old

• Tor Browser

• Internet Explorer

• Google

• Opera

• Opera Software

• Mozilla

• Mozilla Firefox

• $Recycle.Bin

• ProgramData

• All Users

• autorun.inf

• boot.ini

• bootfont.bin

• bootsect.bak

• bootmgr

• bootmgr.efi

• bootmgfw.efi

• desktop.ini

• iconcache.db

• ntldr

• ntuser.dat

• ntuser.dat.log

• ntuser.ini

• thumbs.db

• Program Files

• Program Files (x86)

• #recycle

Night Sky appends the.nightsky extension to encrypted file names while encrypting them. A ransom letter named NightSkyReadMe.hta is included in each folder, and it provides details about what was stolen, contact emails, and hardcoded passwords to the victim's negotiation page. 

Instead of communicating with victims through a Tor site, Night Sky employs email addresses and a transparent website that runs Rocket.Chat. The credentials are used to access the Rocket.Chat URL specified in the ransom note. 

Double extortion tactic: 

Before encrypting devices on the network, ransomware operations frequently grab unencrypted data from victims. Threat actors then utilize the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid. 

Night Sky built a Tor data leak site to leak the data of victims, which now contains two victims, one from Bangladesh and the other from Japan. While there hasn't been much activity with the new Night Sky ransomware operation, one should keep a watch on it as we enter the new year.