# Night Sky is the latest ransomware targeting corporate networks

**[bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/](https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/)**

By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/)

January 6, 2022 05:09 PM

It's a new year, and with it comes a new ransomware to keep an eye on called 'Night Sky' that targets corporate networks and steals data in double-extortion attacks.

According to MalwareHunterTeam, who [first spotted the new ransomware](https://twitter.com/malwrhunterteam/status/1477381209147723788), the Night Sky operation started on December 27th and has since published the data of two victims.

One of the victims has received an initial ransom demand of $800,000 to obtain a decryptor and for stolen data not to be published.

## How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer is customized to contain a personalized ransom note and hardcoded login credentials to access the victim's negotiation page.

When launched, the ransomware will encrypt all files except those ending with the .dll or .exe file extensions. The ransomware will also not encrypt files or folders in the list below:

```
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle
```

When encrypting files, Night Sky will append the .nightsky extension to encrypted file names, as shown in the image below.

**Night Sky encrypted files**
_Source: BleepingComputer_

In each folder, a ransom note named NightSkyReadMe.hta contains information related to what was stolen, contact emails, and hardcoded credentials to the victim's negotiation page.

**Night Sky ransom note**
_Source: BleepingComputer_

Instead of using a Tor site to communicate with victims, Night Sky uses email addresses and a clear web website running Rocket.Chat. The credentials are used to log in to the Rocket.Chat URL provided in the ransom note.

**Night Sky Rocket.Chat negotiation site**
_Source: BleepingComputer_

## Double-extortion tactic

A common tactic used by ransomware operations is to steal unencrypted data from victims before encrypting devices on the network.

The threat actors then use this stolen data in a "double-extortion" strategy, where they threaten to leak the data if a ransom is not paid.

To leak victims' data, Night Sky has created a Tor data leak site that currently includes two victims, one from Bangladesh and another from Japan.

**Night Sky data leak site**
_Source: BleepingComputer_

While there has not been a lot of activity with the new Night Sky ransomware operation, it is one that we need to keep an eye on as we head into the new year.
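
The file-system indicators described above (the .nightsky extension, the NightSkyReadMe.hta note dropped in each folder, and the exclusion list) are enough for a first-pass triage scan that shows which folders were hit and where in-scope files survived. This is an added example, not part of the original article or any vendor tool; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Indicators and exclusion list as given in the article (compared lowercase).
ENCRYPTED_EXT, NOTE_NAME = ".nightsky", "nightskyreadme.hta"
SKIPPED_EXTS = (".dll", ".exe")
EXCLUDED = {n.lower() for n in (
    "AppData", "Boot", "Windows", "Windows.old", "Tor Browser",
    "Internet Explorer", "Google", "Opera", "Opera Software", "Mozilla",
    "Mozilla Firefox", "$Recycle.Bin", "ProgramData", "All Users",
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "bootmgr",
    "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr",
    "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db",
    "Program Files", "Program Files (x86)", "#recycle")}

def triage(root):
    """Summarise Night Sky file-system indicators per folder under root."""
    report = defaultdict(lambda: {"encrypted": 0, "intact": 0, "note": False})
    for folder, _dirs, files in os.walk(root):
        rel = os.path.relpath(folder, root)
        in_excluded = any(p.lower() in EXCLUDED for p in rel.split(os.sep))
        for name in files:
            low, entry = name.lower(), report[rel]
            if low == NOTE_NAME:
                entry["note"] = True
            elif low.endswith(ENCRYPTED_EXT):
                entry["encrypted"] += 1
            elif not (in_excluded or low in EXCLUDED or low.endswith(SKIPPED_EXTS)):
                entry["intact"] += 1  # in-scope data file that was not encrypted
    return dict(report)

def affected(report):  # folders holding a ransom note or an encrypted file
    return sorted(f for f, e in report.items() if e["note"] or e["encrypted"])

def build_sample_tree(root):
    """Constructed sample: empty files only, names invented for the demo."""
    layout = {"finance": ["q4.xlsx.nightsky", "plan.docx.nightsky", "NightSkyReadMe.hta", "tool.exe"],
              "hr": ["roster.csv", "NightSkyReadMe.hta", "desktop.ini"],
              "Windows": ["kernel32.dll", "win.ini"], "archive": ["old.zip"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(affected(triage(tmp)))
```

A folder that holds a note but still has a non-zero `intact` count is a candidate for prioritised backup or isolation, since in-scope files there were not encrypted at scan time.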