CloudSEK’s Threat Intelligence Research team analyzed the profile of the Night Sky ransomware group.
| Field | Details |
| --- | --- |
| Report Type | Threat Actor Profiling |
| Research Subject | Threat Actor Handle: Night Sky Ransomware Group |
- This group doesn’t have a significant online presence, apart from their exclusive Onion website, where they post their activities and updates.
- So far the group has targeted two Asian companies in different industries.
- CloudSEK’s Threat Intelligence team conducted further research to analyze the group’s operations and Tactics, Techniques, and Procedures (TTPs).
Night Sky Ransomware Group: Detailed Analysis
- Night Sky is a newly emerged ransomware group that maintains a presence on the dark web. It currently lists only two victims, both companies based in Asia.
- The two victims of the Night Sky ransomware group are:
- Tokyo Computer Service (Date posted: 30 December 2021)
| Field | Details |
| --- | --- |
| Description | Tokyo Computer Services, established in 1974, provides development and programming services to businesses across Japan. |
| Data size | 130 GB |
| Personal desktop file size | 12 GB |
| Contents of the files | Personal information of all employees; corporate confidential information; customers' business documents; financial and customer information |
- AKIJ Group Ltd (Date posted: 28 December 2021)
| Field | Details |
| --- | --- |
| Description | Akij Group, founded by Sheikh Akijuddin, is one of the largest Bangladeshi industrial conglomerates, with business interests in textiles, tobacco, food & beverage, cement, ceramics, printing and packaging, pharmaceuticals, consumer products, etc. |
| Data size of the server | 297 GB |
| ERP system data size | 513 GB |
| GitLab code base | 2.7 GB |
| Mail server data size | 47 GB |
| cPanel database backup | 107 GB |
| Data size of business system | 45 GB |
| Personal desktop file size | 62 GB across 2,10,000 (i.e. 210,000) files from a single year |
| Contents of the files | Employee information, such as resumes |
- To substantiate their claims, the ransomware group has also provided samples for each of their victims. The database is currently available only for victims and any interested third-party buyers.
- The group claims to be giving away all of the information for free.
Information from Open Sources
- The Night Sky ransomware encrypts the following file types:
  - MS Office documents
  - OpenOffice documents
  - PDF files
  - Text files
- The group leaves a ransom note titled ‘NightSkyReadMe.hta’.
- The communication channel provided by the group is: [victim_name]@nightsky.cyou.
- The ransomware appends the .nightsky extension to the sensitive files it encrypts.
- The VirusTotal records from the domain nightsky.cyou are:
- On its Twitter account, DarkFeed.io revealed the list of active users on Night Sky's support chatbot, where victims negotiate with the ransomware operators.
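The file-level indicators listed above (the .nightsky extension, the NightSkyReadMe.hta note, and the [victim_name]@nightsky.cyou contact pattern) are the kind of thing a responder can sweep a file share for. The following is an added example written for this page, not CloudSEK's tooling or code from the Night Sky operators: it walks a directory tree, collects ransom notes and encrypted files, recovers the original extension from names such as report.pdf.nightsky, and tallies them against the document categories the profile names. The specific extensions assigned to each category (for example .docx, .odt) are an assumption, since the profile only names the categories; the sample tree it builds is constructed test data.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the profile above
ENCRYPTED_EXT = ".nightsky"
RANSOM_NOTE_NAME = "NightSkyReadMe.hta"
CONTACT_DOMAIN = "nightsky.cyou"

# The profile names only the categories; the extensions in each set are an assumption.
TARGET_CATEGORIES = {
    "MS Office": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"},
    "OpenOffice": {".odt", ".ods", ".odp"},
    "PDF": {".pdf"},
    "Text": {".txt"},
}

# Matches the [victim_name]@nightsky.cyou contact pattern from the profile.
CONTACT_RE = re.compile(r"^[^@\s]+@" + re.escape(CONTACT_DOMAIN) + r"$", re.IGNORECASE)


def classify(original_suffix):
    """Map an original file extension to one of the profile's document categories."""
    for category, exts in TARGET_CATEGORIES.items():
        if original_suffix.lower() in exts:
            return category
    return "Other"


def scan_tree(root):
    """Walk root and collect Night Sky indicators: ransom notes, encrypted files,
    and a per-category count of what the encrypted files originally were."""
    root = Path(root)
    findings = {"ransom_notes": [], "encrypted_files": [], "by_category": Counter()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE_NAME:
            findings["ransom_notes"].append(str(path))
        elif path.suffix.lower() == ENCRYPTED_EXT:
            findings["encrypted_files"].append(str(path))
            # 'report.pdf.nightsky' -> stem 'report.pdf' -> original suffix '.pdf'
            original = Path(path.stem).suffix
            findings["by_category"][classify(original)] += 1
    return findings


def is_nightsky_contact(address):
    """True if an address in a note or mail log matches the group's contact pattern."""
    return bool(CONTACT_RE.match(address.strip()))


def build_sample_tree():
    """Constructed sample data for the demo, not files from a real incident."""
    root = Path(tempfile.mkdtemp(prefix="nightsky_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q4.xlsx.nightsky").write_bytes(b"\x00" * 16)
    (root / "finance" / "budget.pdf.nightsky").write_bytes(b"\x00" * 16)
    (root / "finance" / RANSOM_NOTE_NAME).write_text("<html></html>")
    (root / "notes.txt.nightsky").write_bytes(b"\x00" * 16)
    (root / "logo.png").write_bytes(b"\x89PNG")  # untouched file, not a listed type
    (root / RANSOM_NOTE_NAME).write_text("<html></html>")
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    result = scan_tree(demo)
    print(f"ransom notes found: {len(result['ransom_notes'])}")
    print(f"encrypted files found: {len(result['encrypted_files'])}")
    print(f"original types: {dict(result['by_category'])}")
    print(f"contact match: {is_nightsky_contact('victimcorp@nightsky.cyou')}")
```

Point `scan_tree` at a mounted share or a collected disk image root instead of the sample tree; the per-category tally tells you at a glance how much of the hit count is the document types the profile says the ransomware targets versus anything else, which helps separate this family from unrelated damage.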