Night Sky Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 4
First Seen: January 7, 2022
Last Seen: April 26, 2023
OS(es) Affected: Windows

Some cybercriminals decided not to take a break around the holidays and instead focused on finding new victims for their ransomware attacks. One such group consists of the hackers behind the newly discovered Night Sky Ransomware threat. This particular malware was first spotted by researchers who believe that the Night Sky operation was launched on December 27, 2021. In just over a week, the Night Sky threat managed to infect two corporate victims, one in Japan and one in Bangladesh.

Technical Details

Like most ransomware operations targeting corporate entities, the Night Sky Ransomware cybercriminals use a double-extortion tactic. They lock crucial files stored on the infected computers, but not before exfiltrating them to their own server. Afterward, they threaten victims unwilling to pay the demanded ransom that the collected data will either be sold to competitors or released to the public via a dedicated leak site.

As for the Night Sky Ransomware itself, the threat uses an encryption algorithm that cannot be cracked to lock a vast number of file types. The only files left intact are those with .dll and .exe extensions, as tampering with them could cause the operating system on the device to malfunction or experience critical errors. Largely for the same reason, the ransomware also avoids encrypting a list of approximately 30 specifically chosen files and folders. These include AppData, Boot, Windows, ProgramData, boot.ini, ntldr and more. All other files are encrypted and have '.nightsky' appended to their original names.

Ransom Note's Overview

After completing its encryption process, the Night Sky Ransomware drops a ransom note file in every folder containing the locked data. These newly created files are named 'NightSkyReadMe.hta'. They contain a ransom-demanding message that has been personalized for the specific victim. As such, some details, including the amount of the ransom, could vary. Current evidence shows that one of the two current victims of the Night Sky operation has been asked to pay $800,000 to receive a decryptor tool and avoid having its data released.
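A defender-side check for the two file-system indicators described above (the '.nightsky' extension appended to locked files and the 'NightSkyReadMe.hta' note dropped in every affected folder), written as an added example that is not part of the original page. It walks a directory tree, counts hits per folder for triage of the blast radius, and recovers the original file names from the encrypted ones. The sample directory layout it builds for its self-test is constructed, and the note contents are placeholders.

```python
"""Scan a directory tree for Night Sky Ransomware file-system artefacts.

Added example; not code from the page's author. Indicators are taken from
the page: locked files carry the '.nightsky' extension, and a note named
'NightSkyReadMe.hta' is dropped in every folder that holds locked data.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List

RANSOM_EXTENSION = ".nightsky"
# Matched case-insensitively because NTFS file names are case-insensitive.
RANSOM_NOTE_NAME = "nightskyreadme.hta"


@dataclass
class ScanResult:
    encrypted_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    # folder -> number of '.nightsky' files found in it
    per_folder: Dict[str, int] = field(default_factory=dict)

    @property
    def infected(self) -> bool:
        """True if either indicator was seen anywhere under the scanned root."""
        return bool(self.encrypted_files or self.ransom_notes)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect Night Sky indicators without opening any file."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE_NAME:
                result.ransom_notes.append(path)
            elif lower.endswith(RANSOM_EXTENSION):
                result.encrypted_files.append(path)
                result.per_folder[dirpath] = result.per_folder.get(dirpath, 0) + 1
    return result


def original_name(encrypted_path: str) -> str:
    """Strip the appended extension to recover the pre-encryption file name."""
    base = os.path.basename(encrypted_path)
    if base.lower().endswith(RANSOM_EXTENSION):
        return base[: -len(RANSOM_EXTENSION)]
    return base


def build_sample_tree() -> str:
    """Create a constructed directory layout mimicking a hit share (test data only)."""
    root = tempfile.mkdtemp(prefix="nightsky_demo_")
    layout = {
        "docs/report.docx.nightsky": b"",
        "docs/budget.xlsx.nightsky": b"",
        "docs/NightSkyReadMe.hta": b"<html>constructed placeholder note</html>",
        "Windows/kernel32.dll": b"",  # .dll and .exe are left untouched by the threat
        "tools/app.exe": b"",
        "tools/readme.txt": b"clean file",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    res = scan_tree(demo_root)
    print(f"infected={res.infected} encrypted={len(res.encrypted_files)} "
          f"notes={len(res.ransom_notes)}")
    for folder, count in res.per_folder.items():
        print(f"  {folder}: {count} locked file(s)")
    for p in res.encrypted_files:
        print(f"  {p} -> {original_name(p)}")
```

Run it against a mounted share or a forensic image copy rather than a live host where possible; the scan only reads directory listings, so it is safe to point at large trees, and the per-folder counts give a quick picture of which shares were reached before containment.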

The ransom notes also contain hardcoded login credentials for the cybercriminals' negotiation page. Unlike other hacker groups of this type, Night Sky doesn't use a Tor website for communication purposes. Instead, victims are directed to a regular (non-Tor) website running Rocket.Chat. However, the group's leak site, which holds the data of their victims, is indeed hosted on the Tor network.
