Security researchers revealed further details on the Night Sky ransomware

April 25, 2022

A detailed report on the behaviour of the Night Sky ransomware was published recently, highlighting its use of double extortion against its victims.

The ransomware samples were first found at the beginning of 2022 during a brief campaign that targeted two victims, one in Japan and one in Bangladesh. The researchers found that the executables in the sample were built to run on Windows x64.

The threat actors used file names such as ‘unknown,’ ‘update[.]txt,’ and ‘wzl6rs0i6[.]dll’ to disguise the ransomware. The operators also provided a link to a webchat channel that a victim could join to contact them for negotiations and payment.
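The file names above are written in defanged form (dots wrapped as “[.]”), which is how indicators are usually shared but not how they appear in endpoint telemetry. The following added example, written for this article and not code from the researchers or any vendor, refangs those indicators and matches them against a constructed stream of file-creation events; the event format and hosts are assumptions made for the example, not real telemetry.

```python
import re

# Indicators named in the article, in the defanged "[.]" form used on the page.
DEFANGED_NAMES = ["unknown", "update[.]txt", "wzl6rs0i6[.]dll"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its literal form for matching.
    Handles the "[.]" / "(.)" dot conventions and the "hxxp" scheme convention."""
    out = indicator.replace("[.]", ".").replace("(.)", ".")
    out = re.sub(r"^hxxp(s?)://", r"http\1://", out, flags=re.IGNORECASE)
    return out


def defang(indicator: str) -> str:
    """Inverse of refang, for writing indicators safely into reports."""
    out = re.sub(r"^http(s?)://", r"hxxp\1://", indicator, flags=re.IGNORECASE)
    return out.replace(".", "[.]")


# Constructed sample file-creation events (assumed format, not real logs):
# "<timestamp> <host> <event> <full path>"
SAMPLE_EVENTS = [
    "2022-01-03T08:12:41Z ws-17 FileCreate C:\\Users\\alice\\AppData\\Local\\Temp\\update.txt",
    "2022-01-03T08:12:42Z ws-17 FileCreate C:\\Users\\alice\\AppData\\Local\\Temp\\wzl6rs0i6.dll",
    "2022-01-03T08:15:00Z ws-21 FileCreate C:\\Windows\\System32\\kernel32.dll",
    "2022-01-03T08:16:10Z ws-09 FileCreate C:\\ProgramData\\unknown",
    "2022-01-03T08:17:55Z ws-09 FileCreate C:\\Users\\bob\\Documents\\update.txt.bak",
]


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def scan_events(lines, defanged_names=DEFANGED_NAMES):
    """Return (timestamp, host, path, matched_defanged_indicator) for every
    FileCreate event whose file name exactly equals one of the indicators,
    compared case-insensitively. Exact-name matching keeps look-alikes such as
    'update.txt.bak' from firing; substring matching would not."""
    wanted = {refang(name).lower(): name for name in defanged_names}
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) != 4 or parts[2] != "FileCreate":
            continue  # malformed line or an event type we do not inspect
        timestamp, host, _, path = parts
        name = basename(path).lower()
        if name in wanted:
            hits.append((timestamp, host, path, wanted[name]))
    return hits


if __name__ == "__main__":
    for timestamp, host, path, indicator in scan_events(SAMPLE_EVENTS):
        # Report the indicator in defanged form so the output is safe to paste into a ticket.
        print(f"{timestamp} {host} {path} matches {indicator}")
```

A bare name such as ‘unknown’ is common enough that a match on it alone is weak evidence; in practice the hit would be combined with the directory it was written to and the parent process before it is treated as an alert, whereas the DLL name is specific enough to be actionable on its own.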

In a related case, a separate researcher reported that the Night Sky ransomware had been spread by exploiting the critical Log4Shell flaw and attributed it to a threat group based in China. The researchers identified the cybercriminal group as DEV-0401.

Targeted entities that refuse to pay the ransom are threatened with publication of their data on a dark web leak site. However, the threat actors’ website is currently offline, which suggests the group may have rebranded or been absorbed by another operation.


The Night Sky may be related to the Rook ransomware strain.


The leak of the Babuk source code has revealed that Night Sky may be a variant of the Rook ransomware family. The analysts claimed that the same threat operators launched it, using the LockFile and AtomSilo malware.

In addition, after the Rook and Night Sky leak sites went offline last January, a new group called Pandora appeared using malware samples from the two strains, which are still active and being detected.

Ransomware groups rebranding or merging with other operations has become a trend among threat actors. Security teams should pair threat intelligence with a strategic defence against cybercriminals for better protection.

Users should always back up their important data and store the copies in separate locations to limit the impact of a ransomware attack.
