Chris Swagler | January 12th, 2022

Night Sky Ransomware

As we kick off 2022, new ransomware called Night Sky appears to be targeting corporate networks and utilizing double-extortion tactics to steal data. A malware hunting team first discovered the ransomware operations on December 27th and published the data from two victims. One victim had their enterprise networks locked and received an initial $800,000 ransom demand to obtain a decryptor and not have their stolen data published.

According to BleepingComputer, each Night Sky ransomware sample is customized to contain a personalized ransom note and hardcoded login information for the victim’s negotiation page. When launched, the ransomware encrypts all files except those ending in the “.dll” or “.exe” extensions, and it also skips the files and folders shown below:

[Image: Night Sky Extensions]

Night Sky appends the “.nightsky” extension to each file it encrypts. Every affected folder receives a ransom note named NightSkyReadMe.hta, which lists what was stolen, contact email addresses, and the hard-coded credentials for the victim’s negotiation page. Rather than communicating with victims through a Tor site, Night Sky uses email addresses and a clear-web site running Rocket.Chat, with the login credentials and URL included in the ransom note.
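The file-level indicators in that paragraph (the “.nightsky” extension, untouched “.dll”/“.exe” files, and a NightSkyReadMe.hta note in each affected folder) can be turned into a simple triage check. The script below is an added example written for this post, not code from the original article or from SpearTip; it runs over a constructed file listing rather than a real host, and the paths in it are made up.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Indicators taken from the post's description of Night Sky's behaviour.
ENCRYPTED_EXT = ".nightsky"
RANSOM_NOTE = "nightskyreadme.hta"   # compared case-insensitively
SKIPPED_EXTS = {".dll", ".exe"}      # file types Night Sky leaves alone

# Constructed sample listing (not real victim data): one file share was
# encrypted, while a program directory holding only .exe/.dll/.ini was not.
SAMPLE_LISTING = [
    "/srv/share/finance/q4-report.xlsx.nightsky",
    "/srv/share/finance/budget.docx.nightsky",
    "/srv/share/finance/NightSkyReadMe.hta",
    "/srv/share/finance/helper.exe",
    "/srv/share/hr/NightSkyReadMe.hta",
    "/srv/share/hr/contracts.pdf.nightsky",
    "/opt/app/bin/service.exe",
    "/opt/app/bin/service.dll",
    "/opt/app/bin/config.ini",
]

def classify(path):
    """Label one path as 'note', 'encrypted', 'skipped' or 'other'."""
    p = PurePosixPath(path)
    if p.name.lower() == RANSOM_NOTE:
        return "note"
    if p.suffix.lower() == ENCRYPTED_EXT:
        return "encrypted"
    if p.suffix.lower() in SKIPPED_EXTS:
        return "skipped"
    return "other"

def triage(listing):
    """Group indicators per directory; flag dirs with a note or encrypted files."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "note": False, "skipped": 0, "other": 0})
    for path in listing:
        d = str(PurePosixPath(path).parent)
        kind = classify(path)
        if kind == "note":
            per_dir[d]["note"] = True
        else:
            per_dir[d][kind] += 1
    return {d: v for d, v in per_dir.items() if v["note"] or v["encrypted"]}

def original_name(path):
    """Recover the pre-encryption filename for recovery scoping."""
    p = PurePosixPath(path)
    return p.name[:-len(ENCRYPTED_EXT)] if p.suffix.lower() == ENCRYPTED_EXT else p.name
```

Pointing `triage()` at a real listing (for example the output of `find` on a mounted share) gives an incident responder a per-folder view of where the ransomware ran and which file types were left intact, which matches the encrypt-everything-except-.dll/.exe behaviour described above.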

Night Sky has recently exploited CVE-2021-44228, the critical Log4Shell vulnerability in the Log4j logging library, to gain access to VMware Horizon systems. Threat actors, including Night Sky, are using this exploit against vulnerable machines exposed on the public web, operating from domains that impersonate legitimate technology and cybersecurity companies. Microsoft issued a warning about a China-based actor exploiting Log4Shell on internet-exposed VMware Horizon systems to deploy the Night Sky ransomware. VMware Horizon is a cloud desktop and application virtualization product that gives users remote access through a dedicated client or a web browser.

Stealing victims’ unencrypted data before encrypting devices on the network is a common ransomware tactic. Threat actors then apply double extortion, threatening to leak the stolen data if the ransom demand is not paid. Night Sky has created a Tor data leak site for this purpose; it currently lists two victims, one from Bangladesh and one from Japan.

Even though the new Night Sky ransomware operation hasn’t shown a lot of activity yet, it’s a group to watch out for as we begin a new year. It’s important for companies to remain alert and keep their network security infrastructure up to date as new ransomware groups enter the threat landscape. At SpearTip, our certified engineers continuously monitor partner networks for potential new threats like Night Sky from our 24/7/365 Security Operations Centers. Our ShadowSpear Platform, our endpoint detection and response toolkit, is an unparalleled resource that optimizes visibility and prevents ransomware threats from exploiting vulnerabilities in users’ network security posture. ShadowSpear’s team has the technical capability and technology to defend you.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.