Who are Night Sky, the new ransomware family on the block?

Researchers from MalwareHunterteam have spotted a new ransomware family called Night Sky that implements a double extortion model in attacks aimed at businesses. 

What happened?

According to the MalwareHunterTeam, a free website that helps victims identify what ransomware may have encrypted their files, the Night Sky operation started on December 27th and has since published the data of two victims, one in Bangladesh and one in Japan. 

One of the victims has received an initial ransom demand of $800,000 to obtain a decryptor and for stolen data not to be published.

How does Night Sky operate?

According to the Bleeping Computer website, the Night Sky ransomware is customised to contain a personalised ransom note and hardcoded login credentials to access the victim's negotiation page.

When launched, the ransomware will encrypt all files except those ending with the .dll or .exe file extensions. When encrypting files, Night Sky will append the .nightsky extension to encrypted file names. In each folder a ransom note named NightSkyReadMe.hta contains information related to what was stolen, contact emails, and hard coded credentials to the victim's negotiation page.

Instead of using a Tor site to communicate with victims, Night Sky uses email addresses and a clear web website running Rocket.Chat. The credentials are used to log in to the Rocket.Chat URL provided in the ransom note.

What else do we know about Night Sky?

While there has not been a lot of activity with the new Night Sky ransomware operation, the MalwareHunterTeam believe it is one that we need to keep an eye on as the year progresses. 

What is the 'double-extortion' strategy?

A common tactic used by ransomware operations is to steal unencrypted data from victims before encrypting devices on the network.

The threat actors then use this stolen data in a 'double-extortion' strategy, where they threaten to leak the data if a ransom is not paid.

According to cybersecurity company Cyberreason, The first group of attackers to use double extortion was the Maze gang. In November 2019, Bleeping Computer received an email from the “Maze Crew” indicating that they had breached a security staffing company. The attackers said in their email that they had downloaded data from their victim’s network and that they would begin releasing that stolen information unless the company agreed to pay the requested ransom demand.

A day before their deadline, the Maze attackers posted in Bleeping Computer’s forums a description of the breach along with a link for a 7-zip archive. That resource contained almost 700 MB of leaked files including contracts, medical records, encryption certificates and other files stolen from the company.

In the months that followed that attack, the Maze gang began welcoming other attackers to publish their own victims’ data using its data leaks architecture. The individuals behind the LockBit Ransomware-as-a-Service (RaaS) platform took up Maze’s operators on their offer and published a data dump for an architectural firm to the “Maze News” site in the beginning of June, as an example. The Ragnar Locker gang joined Maze’s cartel just days after that.

This activity from Maze helped to make double extortion a prevalent technique in the ransomware threat landscape more broadly. For instance, ID Ransomware received 100,001 submissions for ransomware attacks that had targeted organizations and government entities in Q2 2020. Approximately 11% of those attacks, or 11,642 distinct ransomware incidents, involved the theft of victims’ data.

Such activity continued to grow over the rest of the year. In an attack landscape update for H1 2021, researchers revealed that nearly 40% of ransomware families discovered in 2020 along with several of the more established strains had incorporated data exfiltration into their attack chains by the end of the year. They went on to note that 15 different ransomware families were stealing data from their victims and threatening to leak it by the close of 2020.