Night Sky Ransomware is attacking corporate networks for 800K ransom

The new year comes with a new ransomware variant called Night Sky, targeting corporate networks and stealing information in double-extortion attacks.

The discovery of Night Sky ransomware was first made by MalwareHunterteam on Dec 27th when two victims were affected by the ransomware variant. The ransom demand was $800,000for the decryptor and not publishing the encrypted data.

Modus Operandi of Night Sky Ransomware

Night Sky ransomware comes with a hardcoded credentials to breach the victim’s negotiation page and deliver a customized ransom note. The ransomware will encrypt your data except the .dll and .exe files. Once the files are encrypted the encrypted files will have a extension .nightsky as the shown in the image.

Within folders a ransom note with file name NightSkyReadme.hta is available, and this file will have the details of the data that is stolen including emails, credentials, etc. The ransomware uses email and web site with Rocket to communicate with the victims.

Also, the ransom note comes with credentials which should be used to login with the Rocket.Chat URL.

Night Sky ransomware employs double-extortion

Like any other ransomware operations Night Sky ransomware also encrypts as well as steals the victim’s data for further leverage. The double-extortion strategy is used to threaten victims to make ransom payments, as leakage of data could be more devastating than just encryption.

The leakage of data is done via the data like site in Tor which already has the two victims from the December breach. These two victims were from Japan and Bangladesh. The recent ransomware attack was from AvosLocker Ransomware Operators on December 30th attacking the US police department, and Night Sky ransomware is the first ransomware threat of 2022 that security professionals and enterprises need to keep an eye on.

While there has not been a lot of activity with the new Night Sky ransomware operation, it is one that we need to keep an eye on as we head into the new year.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, Instagram, Twitter and Reddit.

You can reach out to us via Twitter or Facebook, for any advertising requests.