Night Sky is the latest ransomware targeting corporate networks (BleepingComputer)


Level 44
Thread author
Top poster
Content Creator
Malware Hunter
Dec 27, 2014
It's a new year, and with it comes a new ransomware to keep an eye on called 'Night Sky' that targets corporate networks and steals data in double-extortion attacks.

According to MalwareHunterteam, who first spotted the new ransomware, the Night Sky operation started on December 27th and has since published the data of two victims.

One of the victims has received an initial ransom demand of $800,000 to obtain a decryptor and for stolen data not to be published.


A sample of the Night Sky ransomware seen by BleepingComputer is customized to contain a personalized ransom note and hardcoded login credentials to access the victim's negotiation page.

In each folder a ransom note named NightSkyReadMe.hta contains information related to what was stolen, contact emails, and hard coded credentials to the victim's negotiation page.
[...]Night Sky will append the .nightsky extension to encrypted file names[...]


Instead of using a Tor site to communicate with victims, Night Sky uses email addresses and a clear web website running Rocket.Chat. The credentials are used to log in to the Rocket.Chat URL provided in the ransom note.


A common tactic used by ransomware operations is to steal unencrypted data from victims before encrypting devices on the network.

The threat actors then use this stolen data in a "double-extortion" strategy, where they threaten to leak the data if a ransom is not paid.

To leak victim's data, Night Sky has created a Tor data leak site that currently includes two victims, one from Bangladesh and another from Japan.


While there has not been a lot of activity with the new Night Sky ransomware operation, it is one that we need to keep an eye on as we head into the new year.

Full article with screenshots to be found at the link provided.
Current sample on VT: VirusTotal
Last edited by a moderator: