Researchers found ransomware called ‘Night Sky,’
Researchers from MalwareHunterteam first spotted a new ransomware family dubbed Night Sky that implements a double extortion model in attacks aimed at businesses. Once encrypted a file, the ransomware appends the ‘.nightsky‘ extension to encrypted file names.
The ransomware gang started its operations on December 27, 2021, and has already hacked the corporate networks of two organizations from Bangladesh and Japan respectively. The gang has also set up a leak site on the Tor network where it will publish files stolen to the victims that will not pay the ransom.
Nightsky appeared 1-1-2-2022
First day of the year, and a new ransomware gang just appeared: Night Sky.No sample seen yet.Note: NightSkyReadMe.htaExtension: .nightskyAlready 2 entries on the leak site.@demonslay335 pic.twitter.com/R8tAteZuc2— MalwareHunterTeam (@malwrhunterteam) January 1, 2022According to BleepingComputer, the group demanded one of its victims, the payment of an initial ransom of $800,000 to recover the encrypted data. The researchers noticed that the Night Sky ransomware doesn’t encrypt .dll or .exe files, it also doesn’t target the following list of files or folders:
Program Files (x86)
The ransomware drops a ransom note named NightSkyReadMe.hta in each folder, the file includes contact emails, and hardcoded credentials to the victim’s negotiation page along with the credentials to log in to the Rocket.Chat to contact the operators.
Experts pointed out that the gang communicates with victims via email and a clear website running an instance of the Rocket.Chat.
Researchers believe that in the next months other organizations will be targeted by the Night Sky ransomware group.
The post Night Sky, a new ransomware operation in the threat landscape appeared first on Security Affairs.