Night Sky Ransomware Uses Double-extortion Tactics


Corporate networks worldwide are being attacked by a new strain of ransomware called Night Sky. The first activities of the Night Sky Ransomware were identified on 27 December, just a few days before New Year's Eve. Like the majority of file-lockers that target corporate entities, the Night Sky Ransomware relies on a double-extortion attack: it first steals copies of the victim's files and then encrypts the originals. This gives the criminals two levers when extorting the victim for money:

  • They threaten to leak the files online if the victim does not pay.
  • They tell the victim that the data cannot be decrypted without purchasing a unique decryptor from the criminals.

Unfortunately, such attacks are incredibly difficult to deal with once they occur. Even if the victims manage to restore their data from backups, there is no way to stop Night Sky Ransomware's creators from publishing the stolen files online. Such attacks are usually accompanied by a steep ransom fee, and the Night Sky Ransomware is not an exception – one of the victims was told to make a Bitcoin payment of $800,000.

Night Sky Ransomware's Modus Operandi

When the file-locker infiltrates a machine, it will scan all available storage devices for files matching specific file extensions, and then encrypt them. The creators of the threat have also compiled a list of files and directories that the file-locker will skip – this is a common measure to ensure that the compromised system is still operational after the attack.

The files that the threat locks have the '.nightsky' extension appended to their name. In addition, the 'NightSkyReadMe.hta' ransom note is dropped on the desktop. The message advises the victim to use a Web-based chat service to get in touch with the attackers. It also points them to a dedicated leak website where stolen data will be published. So far, no data has been shared there.
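A defender-side sweep for the two indicators named above (the '.nightsky' extension and the 'NightSkyReadMe.hta' note), as an added example that is not part of the original post or of any vendor tooling. It walks a directory tree and summarises how many files were locked, where, and which directories hold the note, which is what an incident responder wants per host or share; the sample tree it builds is constructed, not real victim data.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".nightsky"          # extension appended to locked files
RANSOM_NOTE = "NightSkyReadMe.hta"   # note dropped by the file-locker


def triage_tree(root):
    """Walk a directory tree and summarise Night Sky indicators found in it.

    Returns a dict with the total count of '.nightsky' files, the sorted list
    of directories (relative to root) that contain the ransom note, and a
    per-directory count of locked files so responders can see what was hit.
    """
    summary = {"encrypted_files": 0, "note_dirs": [], "per_dir": Counter()}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            if name == RANSOM_NOTE:
                summary["note_dirs"].append(rel)
            elif name.endswith(ENCRYPTED_EXT):
                summary["encrypted_files"] += 1
                summary["per_dir"][rel] += 1
    summary["note_dirs"].sort()
    return summary


def build_sample_tree():
    """Create a constructed sample tree (hypothetical layout) in a temp dir."""
    root = tempfile.mkdtemp(prefix="nightsky_triage_")
    layout = {
        "Desktop": [RANSOM_NOTE],
        "Documents": ["budget.xlsx" + ENCRYPTED_EXT, "notes.txt" + ENCRYPTED_EXT],
        "Windows/System32": ["kernel32.dll"],  # skip-listed system files stay intact
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```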

Paying the ransom fee is not advised, because you cannot be sure that Night Sky Ransomware's creators will keep their word. Even if you complete one payment, they might immediately request a second one.

January 10, 2022