April 26, 2024

There’s a new ransomware in town called Night Sky, and it was first spotted on the first day of 2022.

Like other ransomware families before it, Night Sky uses the double extortion model in its attacks. First, it demands corporate victims stump up money for a decryption key to get at their files, then it slaps them with the threat of either leaking all the stolen data or selling it to the highest bidder should victims refuse to pay.


Double extortion was originally used only by the Maze ransomware gang. Now, at least 16 ransomware groups have made it a core tactic of their campaigns.

Night Sky is said to have started operating around the last week of December 2021. It is assumed that a human operator carries out the reconnaissance, initial access, and eventual exfiltration of files from network endpoints before Night Sky is launched. It infiltrates corporate networks through social engineering or with stolen credentials.

Once launched, the ransomware encrypts the majority of files on affected computers. It skips files with the .dll and .exe extensions. It also skips the following files and folders, along with anything contained within those folders:

  • $Recycle.Bin
  • All Users
  • AppData
  • autorun.inf
  • Boot
  • boot.ini
  • bootfont.bin
  • bootmgfw.efi
  • bootmgr
  • bootmgr.efi
  • bootsect.bak
  • desktop.ini
  • Google
  • iconcache.db
  • Internet Explorer
  • Mozilla
  • Mozilla Firefox
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • Opera
  • Opera Software
  • Program Files
  • Program Files (x86)
  • ProgramData
  • thumbs.db
  • Tor Browser
  • Windows
  • Windows.old

Encrypted files will have the .nightsky extension, as seen below:

Night Sky also appears to drop a ransom note, named NightSkyReadMe.hta, in every folder that contains encrypted files, except for the folders listed above.


It contains information on what was stolen, email contacts, and “hard coded credentials to the victim’s negotiation page.” The latter is used by the victim to log in to a Rocket.Chat URL, which is also provided in the ransom note, to directly reach the ransomware attackers.
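The encryption scope, the .nightsky extension and the per-folder ransom note described above are enough to build a quick triage script for an affected host or share. The following Python is an added example written for this article, not code from the Night Sky operators or from any published analysis: it mirrors the documented skip list and flags encrypted files, ransom notes, in-scope files that were not encrypted (useful when checking whether the run was interrupted), and folders holding encrypted files but no note. The case-insensitive matching rule and the sample directory tree are assumptions made for the example; the tree is constructed in a temporary directory and is not real victim data.

```python
import os
import tempfile
from pathlib import Path

# Exclusions as described in the write-up. Matching folder and file names
# case-insensitively anywhere in the path is an assumption of this example,
# not a confirmed detail of the real sample.
SKIPPED_EXTENSIONS = {".dll", ".exe"}
SKIPPED_NAMES = {name.lower() for name in [
    "$Recycle.Bin", "All Users", "AppData", "autorun.inf", "Boot", "boot.ini",
    "bootfont.bin", "bootmgfw.efi", "bootmgr", "bootmgr.efi", "bootsect.bak",
    "desktop.ini", "Google", "iconcache.db", "Internet Explorer", "Mozilla",
    "Mozilla Firefox", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini",
    "Opera", "Opera Software", "Program Files", "Program Files (x86)",
    "ProgramData", "thumbs.db", "Tor Browser", "Windows", "Windows.old",
]}
ENCRYPTED_EXTENSION = ".nightsky"
RANSOM_NOTE = "NightSkyReadMe.hta"


def is_skipped(path: Path, root: Path) -> bool:
    """True if the described encryption logic would leave this path alone."""
    rel = path.relative_to(root)
    # Any skipped folder or file name on the relative path excludes it.
    if any(part.lower() in SKIPPED_NAMES for part in rel.parts):
        return True
    return path.suffix.lower() in SKIPPED_EXTENSIONS


def triage(root) -> dict:
    """Walk a tree and summarise Night Sky indicators as relative POSIX paths."""
    root = Path(root)
    encrypted, notes, unencrypted_in_scope = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for name in filenames:
            p = d / name
            if name.lower() == RANSOM_NOTE.lower():
                notes.append(p)
            elif p.suffix.lower() == ENCRYPTED_EXTENSION:
                encrypted.append(p)
            elif not is_skipped(p, root):
                unencrypted_in_scope.append(p)
    rel = lambda p: p.relative_to(root).as_posix()
    note_dirs = {n.parent for n in notes}
    encrypted_dirs = {e.parent for e in encrypted}
    return {
        "encrypted": sorted(rel(p) for p in encrypted),
        "ransom_notes": sorted(rel(p) for p in notes),
        "unencrypted_in_scope": sorted(rel(p) for p in unencrypted_in_scope),
        # Encrypted files with no note beside them: worth a closer look.
        "encrypted_dirs_without_note": sorted(rel(d) for d in encrypted_dirs - note_dirs),
    }


def build_sample_tree() -> str:
    """Constructed sample tree for the demo (assumed layout, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="nightsky-demo-"))
    files = {
        "Users/alice/Documents/budget.xlsx.nightsky": b"\x00ciphertext\x00",
        "Users/alice/Documents/NightSkyReadMe.hta": b"<html>note</html>",
        "Users/alice/Documents/notes.txt": b"plain text, in scope but untouched",
        "Users/alice/AppData/Local/cache.bin": b"inside a skipped folder",
        "Windows/System32/kernel32.dll": b"skipped folder and extension",
        "Program Files/App/app.exe": b"skipped folder and extension",
        "Shares/finance/report.docx.nightsky": b"\x00ciphertext\x00",  # no note
    }
    for rel_path, data in files.items():
        p = root / rel_path
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against a mounted image or a share by calling `triage("/mnt/evidence")` instead of the sample tree; the skip-list check doubles as a way to confirm that anything left unencrypted outside those paths is a sign the run was stopped early rather than a file the malware intentionally ignored.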
