Night Sky, a new ransomware that targets business networks and steals data from VMware Horizon servers for extortion, has been discovered. Night Sky is the name of the ransomware, which became live on December 27, 2021.
Night Sky: Everything You Need to Know
MalwareHunterTeam first detected the ransomware after publishing the data of two victims.
A Tor data leak site belonging to the organisation shows one victim from Bangladesh and another from Japan.
The attackers sought $800,000 in ransom for the decryptor from one of the victims, threatening to leak the stolen data if the ransom was not paid.
Night Sky began to operate in the last week of December 2021. We don’t know much about it yet, but a human operator is likely to be engaged in the reconnaissance, access, and eventual extraction of files from all network endpoints before Night Sky is launched. It’s also assumed that the Night Sky attackers use tried-and-true ways to access business networks, such as social engineering and the use of stolen credentials.
This ransomware encrypts the bulk of files on infected machines once it is begun. It ignores files with the.dll and.exe extensions. It also ignores files and folders in the following directories:
- $Recycle.Bin
- All Users
- AppData
- autorun.inf
- Boot
- boot.ini
- bootfont.bin
- bootmgfw.efi
- bootmgr
- bootmgr.efi
- bootsect.bak
- desktop.ini
- iconcache.db
- Internet Explorer
- Mozilla
- Mozilla Firefox
- ntldr
- ntuser.dat
- ntuser.dat.log
- ntuser.ini
- Opera
- Opera Software
- Program Files
- Program Files (x86)
- ProgramData
- thumbs.db
- Tor Browser
- Windows
- Windows.old
The .nightsky extension, is used in all the above encrypted files.
Operational aspects
The ransomware encrypts all files except those with the.dll or.exe file extensions while it is active.
The.nightsky extension is appended to encrypted file names by the ransomware. A ransom letter (NightSkyReadMe[.]hta) is dumped in each folder, with additional information on ransom payment.
Email accounts and a Rocket-powered website are used by the malware.
Chat. The ransom message contains the credentials for logging into the Rocket.Chat URL.
A connection to China
The Night Sky ransomware has been used by a China-based threat group known as DEV-0401. They leveraged the Log4Shell vulnerability in their campaign to get access to VMware Horizon systems.
Final thoughts
Ransomware attacks are without a doubt one of the most common and deadly dangers to businesses throughout the world. Several new ransomware families and variants, such as Night Sky, are discovered almost every month. This suggests that thieves are still making money from ransomware.
