CloudSEK’s Threat Intelligence Research team analyzed the profile of the Night Sky ransomware group. This group doesn’t have a significant online presence, apart from their exclusive Onion website, where they post their activities and updates.
Published on January 12, 2022. Updated on April 19, 2023.
So far the group has targeted two Asian companies across industries.
CloudSEK’s Threat Intelligence team conducted further research to analyze the group’s operations and Tactics, Techniques, and Procedures (TTPs).
Night Sky Ransomware Group: Detailed Analysis
Night Sky is a newly emerged ransomware group that maintains a presence on the dark web. They only have two victims currently, and these companies are based out of Asia.
The two victims of the Night Sky ransomware group are:

1. Tokyo Computer Service (date posted: 30 December 2021)
Region: Japan
Description: Tokyo Computer Services, established in 1974, provides development and programming services to businesses across Japan.
Listed data:
- Personal information of all employees
- Corporate confidential information
- Customers' business documents
- Financial and customer information

2. AKIJ Group Ltd (date posted: 28 December 2021)
Region: Bangladesh
Description: Akij Group, founded by Sheikh Akijuddin, is one of the largest Bangladeshi industrial conglomerates with business interests in textiles, tobacco, food & beverage, cement, ceramics, printing and packaging, pharmaceuticals, consumer products, etc.
Listed data: 62 GB contained in 2,10,000 files from a single year
Contents of the files: employee information, such as resumes
To substantiate their claims, the ransomware group has also provided samples for each of their victims. The database is currently available only for victims and any interested third-party buyers.
The group claims to be giving away all of the information for free.
Information from Open-Sources
The Night Sky ransomware encrypts the following files:
MS Office documents
OpenOffice documents
PDF files
Text files
Databases
Photos
Music
Videos
Images
Archives
The group leaves a ransom note titled ‘NightSkyReadMe.hta’.
The communication channel provided by the group is: [victim_name]@nightsky.cyou.
The ransomware group appends the .nightsky extension while encrypting sensitive files.
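The three host-level artefacts above (the appended .nightsky extension, the NightSkyReadMe.hta note and the [victim_name]@nightsky.cyou contact address) are the most practical things a defender can sweep for. The following Python is an added example, not code from CloudSEK or from the article: it classifies file paths from a host inventory, recovers which original file types were hit, records where ransom notes were dropped, and pulls contact addresses out of note text. The file listing and note body are constructed sample data, and the function names (classify_path, scan_paths, find_contact_addresses) are this example's own.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Indicators taken from the article: the appended extension, the ransom note
# file name and the contact domain used in the note.
NIGHTSKY_EXTENSION = ".nightsky"
RANSOM_NOTE_NAME = "NightSkyReadMe.hta"
CONTACT_DOMAIN = "nightsky.cyou"

# Matches a "[victim_name]@nightsky.cyou" style contact address in note text.
CONTACT_RE = re.compile(r"[A-Za-z0-9._-]+@" + re.escape(CONTACT_DOMAIN), re.IGNORECASE)


def classify_path(path):
    """Tag a single file path: 'ransom_note', 'encrypted' or None."""
    p = PurePosixPath(path)
    if p.name.lower() == RANSOM_NOTE_NAME.lower():
        return "ransom_note"
    if p.suffix.lower() == NIGHTSKY_EXTENSION:
        return "encrypted"
    return None


def original_extension(path):
    """For an encrypted file, recover the extension that preceded .nightsky
    ('report.docx.nightsky' -> '.docx'); None if not an encrypted file."""
    p = PurePosixPath(path)
    if p.suffix.lower() != NIGHTSKY_EXTENSION:
        return None
    inner = PurePosixPath(p.stem).suffix
    return inner.lower() or None


def scan_paths(paths):
    """Summarize a file listing: number of encrypted files, directories that
    hold a ransom note, and a count of original extensions affected."""
    summary = {"encrypted": 0, "ransom_notes": [], "by_extension": Counter()}
    for path in paths:
        tag = classify_path(path)
        if tag == "encrypted":
            summary["encrypted"] += 1
            summary["by_extension"][original_extension(path) or "(none)"] += 1
        elif tag == "ransom_note":
            summary["ransom_notes"].append(str(PurePosixPath(path).parent))
    return summary


def find_contact_addresses(text):
    """Extract the nightsky.cyou contact addresses from ransom note text."""
    return sorted({m.group(0).lower() for m in CONTACT_RE.finditer(text)})


# Constructed sample data (not from the article): a file listing as a host
# inventory might produce it, plus a made-up ransom note body.
SAMPLE_PATHS = [
    "/srv/share/finance/q4_report.xlsx.nightsky",
    "/srv/share/finance/NightSkyReadMe.hta",
    "/srv/share/hr/resumes/cv_01.pdf.nightsky",
    "/srv/share/hr/resumes/NightSkyReadMe.hta",
    "/srv/share/hr/resumes/cv_02.pdf",
    "/srv/share/media/photo.jpg.nightsky",
    "/srv/share/media/readme.txt",
]

SAMPLE_NOTE = (
    "All your files have been encrypted.\n"
    "Contact us at examplecorp@nightsky.cyou to recover them.\n"
)

if __name__ == "__main__":
    result = scan_paths(SAMPLE_PATHS)
    print("encrypted files:", result["encrypted"])
    print("ransom notes found in:", result["ransom_notes"])
    print("original extensions hit:", dict(result["by_extension"]))
    print("contact addresses:", find_contact_addresses(SAMPLE_NOTE))
```

The per-extension count is the useful part for triage: it maps directly onto the file categories listed above (office documents, PDFs, images and so on) and shows which shares were reached, while the ransom-note directories give the earliest points at which the encryptor ran.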
VirusTotal records for the domain nightsky.cyou: [screenshot not reproduced]
On its Twitter account, DarkFeed.io revealed the list of active users on Night Sky's support chatbot, where victims negotiate with the ransomware operators.