A new report sheds light on the behavior of the Night Sky ransomware and provides a list of IoCs along with mitigations. First discovered in January, it uses the double extortion tactic.

The Night Sky ransomware

A recent report by Vedere Labs provides several details about Night Sky, whose samples were first spotted in January during a short campaign that targeted two victims, one in Bangladesh and one in Japan.
  • It was discovered as executables built to run on Windows x64. The files were disguised with names such as unknown, wzl6rs0i6[.]dll, and update[.]txt.
  • Night Sky attackers provide a link to a webchat channel that a victim can join to contact them.
  • Earlier reports pointed out that Night Sky had propagated through exploitation of the Log4Shell vulnerability and was connected to a China-based cybercriminal actor tracked as DEV-0401.

Victims who refuse to pay the ransom are threatened with having their data leaked on a dark web site. That site is currently offline, which suggests the attackers may have rebranded.

Additional details

Night Sky was found to be a fork of the Rook ransomware family, which emerged from the leaked source code of Babuk.
  • It was deployed by the same attackers who had used the AtomSilo and LockFile malware.
  • Soon after the Night Sky and Rook leak sites went offline in January, a new group, Pandora, appeared using malware samples that are still active and are detected as Rook.

Conclusion

Rebranding has become a frequent practice among ransomware groups. Network defenders should therefore combine threat intelligence with a strategic defense against these actors for better protection. Further, always back up important data and keep the backups at geographically separated locations to reduce the risk.

Cyware Publisher