{
	"id": "55e2e936-4135-40a4-88ee-0759a5a26f12",
	"created_at": "2026-04-06T00:08:48.413395Z",
	"updated_at": "2026-04-10T13:12:25.636393Z",
	"deleted_at": null,
	"sha1_hash": "f87783d2b88ff252411c5ed91021996907b0662c",
	"title": "Night Sky is the latest ransomware targeting corporate networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3995094,
	"plain_text": "Night Sky is the latest ransomware targeting corporate networks\r\nBy Lawrence Abrams\r\nPublished: 2022-01-06 · Archived: 2026-04-05 14:01:52 UTC\r\nIt's a new year, and with it comes a new ransomware to keep an eye on called 'Night Sky' that targets corporate networks and\r\nsteals data in double-extortion attacks.\r\nAccording to MalwareHunterTeam, who first spotted the new ransomware, the Night Sky operation started on December\r\n27th and has since published the data of two victims.\r\nOne of the victims has received an initial ransom demand of $800,000 to obtain a decryptor and for stolen data not to be\r\npublished.\r\nhttps://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/\r\nPage 1 of 7\n\nHow the Night Sky encrypts devices\r\nA sample of the Night Sky ransomware seen by BleepingComputer is customized to contain a personalized ransom note and\r\nhardcoded login credentials to access the victim's negotiation page.\r\nWhen launched, the ransomware will encrypt all files except those ending with the .dll or .exe file extensions. 
The\r\nransomware will also not encrypt files or folders in the list below:\r\nAppData\r\nBoot\r\nWindows\r\nWindows.old\r\nTor Browser\r\nInternet Explorer\r\nGoogle\r\nOpera\r\nOpera Software\r\nMozilla\r\nMozilla Firefox\r\n$Recycle.Bin\r\nProgramData\r\nAll Users\r\nautorun.inf\r\nboot.ini\r\nbootfont.bin\r\nbootsect.bak\r\nbootmgr\r\nbootmgr.efi\r\nbootmgfw.efi\r\ndesktop.ini\r\niconcache.db\r\nntldr\r\nntuser.dat\r\nntuser.dat.log\r\nntuser.ini\r\nthumbs.db\r\nProgram Files\r\nProgram Files (x86)\r\n#recycle\r\nWhen encrypting files, Night Sky will append the .nightsky extension to encrypted file names, as shown in the image\r\nbelow.\r\nNight Sky encrypted files\r\nSource: BleepingComputer\r\nIn each folder a ransom note named NightSkyReadMe.hta contains information related to what was stolen, contact emails,\r\nand hard coded credentials to the victim's negotiation page.\r\nNight Sky ransom note\r\nSource: BleepingComputer\r\nInstead of using a Tor site to communicate with victims, Night Sky uses email addresses and a clear web website running\r\nRocket.Chat. 
The credentials are used to log in to the Rocket.Chat URL provided in the ransom note.\r\nNight Sky Rocket.Chat negotiation site\r\nSource: BleepingComputer\r\nDouble-extortion tactic\r\nA common tactic used by ransomware operations is to steal unencrypted data from victims before encrypting devices on the\r\nnetwork.\r\nThe threat actors then use this stolen data in a \"double-extortion\" strategy, where they threaten to leak the data if a ransom is\r\nnot paid.\r\nTo leak victim's data, Night Sky has created a Tor data leak site that currently includes two victims, one from Bangladesh\r\nand another from Japan.\r\nNight Sky data leak site\r\nSource: BleepingComputer\r\nWhile there has not been a lot of activity with the new Night Sky ransomware operation, it is one that we need to keep an\r\neye on as we head into the new year.\r\nSource: https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/"
	],
	"report_names": [
		"night-sky-is-the-latest-ransomware-targeting-corporate-networks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f87783d2b88ff252411c5ed91021996907b0662c.pdf",
		"text": "https://archive.orkl.eu/f87783d2b88ff252411c5ed91021996907b0662c.txt",
		"img": "https://archive.orkl.eu/f87783d2b88ff252411c5ed91021996907b0662c.jpg"
	}
}