Night Sky, a new ransomware operation in the threat landscape

Researchers warn of a new ransomware family, called ‘Night Sky,’ that uses a double-extortion model in attacks again businesses.

Researchers from MalwareHunterteam first spotted a new ransomware family dubbed Night Sky that implements a double extortion model in attacks aimed at businesses. Once encrypted a file, the ransomware appends the ‘.nightsky‘ extension to encrypted file names.

The ransomware gang started its operations on December 27, 2021, and has already hacked the corporate networks of two organizations from Bangladesh and Japan respectively. The gang has also set up a leak site on the Tor network where it will publish files stolen to the victims that will not pay the ransom.

According to BleepingComputer, the group demanded one of its victims, the payment of an initial ransom of $800,000 to recover the encrypted data. The researchers noticed that the Night Sky ransomware doesn’t encrypt .dll or .exe files, it also doesn’t target the following list of files or folders:

AppData Boot Windows Windows.old Tor Browser Internet Explorer Google Opera Opera Software Mozilla Mozilla Firefox $Recycle.Bin ProgramData All Users autorun.inf boot.ini bootfont.bin bootsect.bak bootmgr bootmgr.efi bootmgfw.efi desktop.ini iconcache.db ntldr ntuser.dat ntuser.dat.log ntuser.ini thumbs.db Program Files Program Files (x86) #recycle

The ransomware drops a ransom note named NightSkyReadMe.hta in each folder, the file includes contact emails, and hardcoded credentials to the victim’s negotiation page along with the credentials to log in to the Rocket.Chat to contact the operators.

Experts pointed out that the gang communicates with victims via email and a clear website running an instance of the Rocket.Chat.

Researchers believe that in the next months other organizations will be targeted by the Night Sky ransomware group.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)