Night Sky is a fairly new ransomware strain that organizations must keep an eye out for.

There’s a new ransomware in town—isn’t there always?—and it’s, unsurprisingly, after corporation-sized businesses.

It’s called Night Sky, and it was first spotted and revealed by MalwareHunterTeam, a group on Twitter who hunts malware online, on the first day of 2022.

Like other ransomware families before it, Night Sky uses the double extortion model in its attacks. First, it demands corporate victims stump up money for a decryption key to get at their files, then it slaps them with the threat of either leaking all the stolen data or selling it to the highest bidder should victims refuse to pay.

Less than two years ago, double extortion was only being used by the Maze ransomware gang. Now, at least 16 ransomware groups have made this a core tactic of their campaigns.

What you need to know about Night Sky

Night Sky is said to have started operating around the last week of December 2021. We don’t know much about it yet, but it’s assumed that a human operator is involved in the reconnaissance, access, and eventual extraction of files from all network endpoints before Night Sky is launched. It’s also assumed that the Night Sky attackers infiltrate corporate networks with the use of tried-and tested methods, such as social engineering tactics or the use of stolen credentials.

Once launched, this ransomware encrypts the majority of the files on affected computers. It skips files with the extensions, .dll and .exe. It also skips files and folders contained within the following folders:

  • $Recycle.Bin
  • All Users
  • AppData
  • autorun.inf
  • Boot
  • boot.ini
  • bootfont.bin
  • bootmgfw.efi
  • bootmgr
  • bootmgr.efi
  • bootsect.bak
  • desktop.ini
  • Google
  • iconcache.db
  • Internet Explorer
  • Mozilla
  • Mozilla Firefox
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • Opera
  • Opera Software
  • Program Files
  • Program Files (x86)
  • ProgramData
  • thumbs.db
  • Tor Browser
  • Windows
  • Windows.old

Encypted files will have the .nightsky extension, as seen below:

“Internal files have been stolen and encrypted by us.” (Source: BleepingComputer)

Night Sky also appears to drop a ransom note in every folder, save the ones above, with encrypted files. The note has the file name, NightSkyReadMe.hta.

“Your company has been hacked by us.” (Source: Malware Hunter Team)
“If your company is willing to meet our requirements…” (Source: BleepingComputer)

According to BleepingComputer, it contains information on what was stolen, email contacts, and “hard coded credentials to the victim’s negotiation page.” The latter is used by the victim to log in to a Rocket.Chat URL, which is also provided in the ransom note, to directly reach the ransomware attackers.

Malwarebytes detects Night Sky as Ransom.NightSky. We’ll continue to update this post once we receive new information.