A new ransomware, dubbed Night Sky, is targeting corporate networks, stealing data for extortion, and gaining its foothold through VMware Horizon servers. Night Sky commenced operation on December 27, 2021.

The new Night Sky ransomware

The ransomware was first discovered by MalwareHunterTeam when the group behind it published the data of two victims. 
  • The group has a Tor data leak site showing one victim from Bangladesh and another from Japan. 
  • The attackers demanded a ransom of $800,000 from one of the victims for the decryptor and threatened to leak the stolen data if unpaid.

The operational side

While running, the ransomware encrypts all files excluding those ending with .dll or .exe file extensions. 
  • The ransomware adds the .nightsky extension to encrypted file names. In each folder, a ransom note (NightSkyReadMe[.]hta) is dropped that contains further information on ransom payment.
  • For negotiation, the ransomware operators use email addresses and a clearnet website running Rocket.Chat. The Rocket.Chat URL and the credentials required to log into it are given inside the ransom note.
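The two file-system indicators above (the appended .nightsky extension and the NightSkyReadMe.hta note in each folder) are enough to write a simple triage scan. The following is an added example, not code from the original article or from any vendor tool: it walks a directory tree, collects encrypted files and ransom notes, lists the folders hit, and counts the .dll/.exe files that the ransomware is described as skipping. The sample tree it builds is constructed for the demonstration; the file names and folder layout are assumptions.

```python
"""Hunt for the Night Sky file-system indicators described above.

Added example, not code from the original article. The sample tree built by
build_sample_tree() is constructed for the demonstration.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".nightsky"          # extension the ransomware appends
RANSOM_NOTE = "NightSkyReadMe.hta"   # note dropped into each folder
SKIPPED_EXTS = {".dll", ".exe"}      # extensions the ransomware leaves alone


def scan_tree(root):
    """Walk `root` and return the indicators found.

    encrypted_files:    paths ending in .nightsky
    ransom_notes:       ransom note paths
    folders_hit:        folders containing either indicator
    untouched_binaries: count of .dll/.exe files (expected to be intact)
    """
    encrypted, notes = [], []
    untouched = 0
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            p = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE.lower():
                notes.append(str(p))
            elif p.suffix.lower() == ENCRYPTED_EXT:
                encrypted.append(str(p))
            elif p.suffix.lower() in SKIPPED_EXTS:
                untouched += 1
    folders = sorted({str(Path(x).parent) for x in encrypted + notes})
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "folders_hit": folders,
        "untouched_binaries": untouched,
    }


def original_name(encrypted_path):
    """Strip the appended .nightsky extension to recover the original file name."""
    name = str(encrypted_path)
    if name.lower().endswith(ENCRYPTED_EXT):
        return name[: -len(ENCRYPTED_EXT)]
    return name


def build_sample_tree(base):
    """Create a constructed directory layout that mimics a post-encryption host."""
    base = Path(base)
    (base / "docs").mkdir(parents=True)
    (base / "app").mkdir()
    # constructed sample files: two "encrypted" documents plus a note
    (base / "docs" / "report.docx.nightsky").write_bytes(b"\x00ciphertext")
    (base / "docs" / "budget.xlsx.nightsky").write_bytes(b"\x00ciphertext")
    (base / "docs" / RANSOM_NOTE).write_text("<html>ransom note placeholder</html>")
    # binaries the ransomware skips, but the note still lands in the folder
    (base / "app" / "service.exe").write_bytes(b"MZ")
    (base / "app" / "helper.dll").write_bytes(b"MZ")
    (base / "app" / RANSOM_NOTE).write_text("<html>ransom note placeholder</html>")
    (base / "clean.txt").write_text("untouched")
    return base


def scan_sample_tree():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in scan_sample_tree().items():
        print(f"{key}: {value}")
```

Run against a real share or host, `scan_tree()` gives an incident responder a quick count of affected folders and a list of encrypted names whose originals can be recovered with `original_name()` once a decryptor or backup is available. Matching on the note name is case-insensitive because the indicator may be reported in varying case.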

A Chinese connection

A China-based threat group known as DEV-0401 has been using the Night Sky ransomware. In their campaign, they abused the Log4Shell vulnerability for gaining access to VMware Horizon systems.

Closing thoughts

No doubt, ransomware attacks are one of the most prevalent and dangerous threats to organizations around the world. Almost every month, multiple new ransomware families and variants such as Night Sky are being spotted. This indicates that ransomware is still a profitable business for cybercriminals.

Cyware Publisher