August 15, 2022

TheCyberThrone

Thinking Security ! Always

Night Sky Ransomware ! It’s Dark

There’s a new ransomware in town called Night Sky, and it was first spotted on the first day of 2022.

Like other ransomware families before it, Night Sky uses the double extortion model in its attacks. First, it demands corporate victims stump up money for a decryption key to get at their files, then it slaps them with the threat of either leaking all the stolen data or selling it to the highest bidder should victims refuse to pay.


Earlier, double extortion was only being used by the Maze ransomware gang. Now, at least 16 ransomware groups have made this a core tactic of their campaigns.

Night Sky is said to have started operating around the last week of December 2021. It’s assumed that a human operator handles the reconnaissance, access, and eventual extraction of files from all network endpoints before Night Sky is launched. It infiltrates corporate networks using social engineering tactics or stolen credentials.

Once launched, this ransomware encrypts the majority of the files on affected computers. It skips files with the .dll and .exe extensions. It also skips the following files and folders, along with anything contained within them:

  • $Recycle.Bin
  • All Users
  • AppData
  • autorun.inf
  • Boot
  • boot.ini
  • bootfont.bin
  • bootmgfw.efi
  • bootmgr
  • bootmgr.efi
  • bootsect.bak
  • desktop.ini
  • Google
  • iconcache.db
  • Internet Explorer
  • Mozilla
  • Mozilla Firefox
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • Opera
  • Opera Software
  • Program Files
  • Program Files (x86)
  • ProgramData
  • thumbs.db
  • Tor Browser
  • Windows
  • Windows.old

Encrypted files will have the .nightsky extension, as seen below:

Night Sky also appears to drop a ransom note in every folder containing encrypted files, save the ones listed above. The note has the file name NightSkyReadMe.hta.


It contains information on what was stolen, email contacts, and “hard coded credentials to the victim’s negotiation page.” The latter is used by the victim to log in to a Rocket.Chat URL, which is also provided in the ransom note, to directly reach the ransomware attackers.
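As an added defender-side illustration (not code from the original post), the following Python turns the exclusion list, the .nightsky extension and the NightSkyReadMe.hta note name described above into a triage helper that buckets file paths from an affected share or disk image. It assumes the exclusions match case-insensitively on any path component, which the write-up does not state; the sample paths are constructed.

```python
import os

# Exclusions as listed in the write-up above. Assumption (not stated on the
# page): matching is case-insensitive and applies to any path component.
NIGHTSKY_SKIP_NAMES = {
    "$recycle.bin", "all users", "appdata", "autorun.inf", "boot", "boot.ini",
    "bootfont.bin", "bootmgfw.efi", "bootmgr", "bootmgr.efi", "bootsect.bak",
    "desktop.ini", "google", "iconcache.db", "internet explorer", "mozilla",
    "mozilla firefox", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini",
    "opera", "opera software", "program files", "program files (x86)",
    "programdata", "thumbs.db", "tor browser", "windows", "windows.old",
}
NIGHTSKY_SKIP_EXTENSIONS = {".dll", ".exe"}
ENCRYPTED_EXTENSION = ".nightsky"
RANSOM_NOTE_NAME = "nightskyreadme.hta"


def would_be_skipped(path: str) -> bool:
    """True if the documented exclusions mean Night Sky would leave this file alone."""
    parts = [p.lower() for p in path.replace("\\", "/").split("/") if p]  # accept Windows paths
    name = parts[-1] if parts else ""
    if os.path.splitext(name)[1] in NIGHTSKY_SKIP_EXTENSIONS:
        return True
    return any(p in NIGHTSKY_SKIP_NAMES for p in parts)


def classify_paths(paths) -> dict:
    """Bucket file paths for IR triage: ransom notes, encrypted files, files the
    exclusions protect, and in-scope files left unencrypted (partial run / still intact)."""
    buckets = {"notes": [], "encrypted": [], "skipped": [], "unencrypted_in_scope": []}
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == RANSOM_NOTE_NAME:
            buckets["notes"].append(path)
        elif name.endswith(ENCRYPTED_EXTENSION):
            buckets["encrypted"].append(path)
        elif would_be_skipped(path):
            buckets["skipped"].append(path)
        else:
            buckets["unencrypted_in_scope"].append(path)
    return buckets


def triage_tree(root: str) -> dict:
    """Walk a mounted image or share and classify every file under it."""
    return classify_paths([os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs])


# Constructed sample paths (not from a real incident) showing each bucket.
SAMPLE = [r"D:\finance\Q4\budget.xlsx.nightsky", r"D:\finance\Q4\NightSkyReadMe.hta",
          r"D:\finance\Q4\notes.txt", r"C:\Windows\System32\drivers\etc\hosts",
          r"C:\Users\alice\AppData\Roaming\app\config.json", r"D:\tools\helper.exe"]
```

Run `triage_tree` against a read-only mount of the affected volume; the `unencrypted_in_scope` bucket is the data worth preserving first, before any cleanup touches the host.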
