Saturday, April 20, 2024

New Night Sky Ransomware Enters Corporate Ransom Attack Scene

Night Sky, a new ransomware that targets business networks and steals data from VMware Horizon servers for extortion, has been discovered. Night Sky is the name of the ransomware, which became live on December 27, 2021.

Night Sky: Everything You Need to Know

MalwareHunterTeam first spotted the ransomware after the operators published the data of two victims.

The group's Tor data leak site lists one victim from Bangladesh and another from Japan.

The attackers sought $800,000 in ransom for the decryptor from one of the victims, threatening to leak the stolen data if the ransom was not paid.

Night Sky began to operate in the last week of December 2021. We don’t know much about it yet, but a human operator is likely to be engaged in the reconnaissance, access, and eventual extraction of files from all network endpoints before Night Sky is launched. It’s also assumed that the Night Sky attackers use tried-and-true ways to access business networks, such as social engineering and the use of stolen credentials.


Once launched, the ransomware encrypts the bulk of the files on the infected machine. It skips files with the .dll and .exe extensions, and it also skips files and folders with the following names:

  • $Recycle.Bin
  • All Users
  • AppData
  • autorun.inf
  • Boot
  • boot.ini
  • bootfont.bin
  • bootmgfw.efi
  • bootmgr
  • bootmgr.efi
  • bootsect.bak
  • desktop.ini
  • Google
  • iconcache.db
  • Internet Explorer
  • Mozilla
  • Mozilla Firefox
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • Opera
  • Opera Software
  • Program Files
  • Program Files (x86)
  • ProgramData
  • thumbs.db
  • Tor Browser
  • Windows
  • Windows.old

Every file the ransomware does encrypt is given the .nightsky extension.

Operational aspects

While it runs, the ransomware encrypts all files except those with the .dll or .exe file extensions.

The .nightsky extension is appended to each encrypted file name. A ransom note (NightSkyReadMe[.]hta) is dropped in every folder, with further instructions on paying the ransom.
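The two file-system indicators above (the .nightsky extension on encrypted files and a NightSkyReadMe.hta note in each folder) are exactly what a responder would sweep a host or file share for when scoping an incident. The following is an added example, not code from the article or from any vendor tool: a small Python indicator sweep that walks a directory tree, counts encrypted files per folder and records where ransom notes were dropped. The sample directory layout it builds is constructed for the demo; the exclusion list from the article is used only to flag encrypted files turning up in folders the ransomware is reported to skip.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article: encrypted files carry the .nightsky
# extension and a NightSkyReadMe.hta note is dropped in each folder.
ENCRYPTED_EXT = ".nightsky"
RANSOM_NOTE = "nightskyreadme.hta"

# Folder names the article reports Night Sky skips (subset, lower-cased).
SKIPPED_DIRS = {"$recycle.bin", "windows", "windows.old", "program files",
                "program files (x86)", "programdata", "appdata", "boot"}


def scan_for_nightsky(root):
    """Walk `root` and report Night Sky file-system indicators.

    Returns a dict with the total number of encrypted files, a per-directory
    count (so responders can see which shares were hit hardest), the
    directories containing a ransom note, and any encrypted files found in
    folders the ransomware is reported to skip (worth a second look, since
    that would not match the described behaviour).
    """
    encrypted_by_dir = Counter()
    note_dirs = []
    unexpected = []
    for dirpath, _dirnames, filenames in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0].lower()
        for name in filenames:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted_by_dir[dirpath] += 1
                if top in SKIPPED_DIRS:
                    unexpected.append(os.path.join(dirpath, name))
            elif lower == RANSOM_NOTE:
                note_dirs.append(dirpath)
    return {
        "encrypted_files": sum(encrypted_by_dir.values()),
        "encrypted_by_dir": dict(encrypted_by_dir),
        "note_dirs": sorted(note_dirs),
        "unexpected": sorted(unexpected),
        "hit": bool(encrypted_by_dir) or bool(note_dirs),
    }


def build_sample_tree(infected=True):
    """Create a constructed directory tree mimicking a host after infection.

    With infected=False the tree contains only ordinary files, which lets
    the sweep be checked for false positives as well.
    """
    root = tempfile.mkdtemp(prefix="nightsky_demo_")
    if infected:
        layout = {
            "finance": ["q4.xlsx.nightsky", "budget.docx.nightsky",
                        "NightSkyReadMe.hta"],
            "hr": ["policy.pdf.nightsky", "NightSkyReadMe.hta"],
            "Windows": ["notepad.exe"],  # reported as skipped, left untouched
        }
    else:
        layout = {"finance": ["q4.xlsx"], "Windows": ["notepad.exe"]}
    for sub, files in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for fname in files:
            with open(os.path.join(folder, fname), "w") as fh:
                fh.write("constructed sample content")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(scan_for_nightsky(demo_root))
```

Point `scan_for_nightsky()` at a mounted share or a forensic image's mount point to get a quick scope of affected folders; on a real incident the per-directory counts and note locations are what go into the timeline, and the `unexpected` list is a prompt to re-check whether the sample really behaves as reported.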

The operators communicate with victims through email accounts and a Rocket.Chat site. The ransom note contains the credentials for logging into the Rocket.Chat URL.

A connection to China

The Night Sky ransomware has been used by a China-based threat group known as DEV-0401. They leveraged the Log4Shell vulnerability in their campaign to get access to VMware Horizon systems.

Final thoughts

Ransomware attacks are without a doubt one of the most common and damaging threats to businesses around the world. Several new ransomware families and variants, such as Night Sky, are discovered almost every month, which suggests that criminals are still making money from ransomware.
