CloudSEK’s Threat Intelligence Research team analyzed the profile of the Night Sky ransomware group.
| Report Type | Threat Actor Profiling |
| Research Subject | Threat Actor Handle: Night Sky Ransomware Group |
| TLP# | GREEN |
| Reference | #https://en.wikipedia.org/wiki/Traffic_Light_Protocol |
Executive Summary
- CloudSEK’s Threat Intelligence Research team analyzed the profile of the Night Sky ransomware group.
- This group doesn’t have a significant online presence, apart from their exclusive Onion website, where they post their activities and updates.
- So far the group has targeted two Asian companies across industries.
- CloudSEK’s Threat Intelligence team conducted further research to analyze the group’s operations and Tactics, Techniques, and Procedures (TTPs).
Night Sky Ransomware Group : Detailed Analysis
- Night Sky is a newly emerged ransomware group that maintains a presence on the dark web. They only have two victims currently, and these companies are based out of Asia.
- The two victims of the Night Sky ransomware group are:
- Tokyo Computer Service (Date posted: 30 December 2021)
| Region | Japan |
| Description | Tokyo Computer Services, established in 1974, provides development and programming services to businesses across Japan. |
| Website | www.tcs-ipnet.co.jp |
| Data size | 130 GB |
| Personal desktop file size | 12 GB |
| Contents of the files | Personal information of all employeesCorporate confidential informationCustomers Business documentsFinancial and Customer information |
- AKIJ Group Ltd (Date posted: 28 December 2021)
| Region | Bangladesh |
| Description | Akij Group, founded by Sheikh Akijuddin, is one of the largest Bangladeshi industrial conglomerates with business interests in textiles, tobacco, food & beverage, cement, ceramics, printing and packaging, pharmaceuticals, consumer products, etc. |
| Website | www.akij.net |
| Data size of the server | 297 GB |
| ERP System data size | 513 GB |
| Gitlab code base | 2.7GB |
| Mail server data size | 47 GB |
| Cpanel database backup | 107GB |
| Data size of business system | 45 GB |
| Personal desktop file size | 62 GB contained in 2,10,000 files from a single year |
| Contents of the files | Employee information such as a resume |
- To substantiate their claims, the ransomware group has also provided samples for each of their victims. The database is currently available only for victims and any interested third-party buyers.
- The group claims to be giving away all of the information for free.
Information from Open-Sources
- The Night Sky ransomware encrypts the following files:
| MS Office documents | OpenOffice documents |
| PDF files | Text files |
| Databases | Photos |
| Music | Videos |
| Images | Archives |
- The group leaves a ransom note titled ‘NightSkyReadMe.hta’.
- The communication channel provided by the group is: [victim_name]@nightsky.cyou.
- The ransomware group appends the .nightsky extension while encrypting sensitive files.
- The VirusTotal records from the domain nightsky.cyou are:
- On their Twitter account, DarkFeed.io revealed the list of active users on Night Sky’s support chatbot, where victims negotiate with the ransomware operators. .
