Ransomware Group Profile: Night Sky

Summary

CloudSEK’s Threat Intelligence Research team analyzed the profile of the Night Sky ransomware group. This group doesn’t have a significant online presence, apart from their exclusive Onion website, where they post their activities and updates.

Report Type: Threat Actor Profiling
Research Subject: Threat Actor Handle: Night Sky Ransomware Group
TLP: GREEN (see https://en.wikipedia.org/wiki/Traffic_Light_Protocol)

Executive Summary

  • CloudSEK’s Threat Intelligence Research team analyzed the profile of the Night Sky ransomware group.
  • This group doesn’t have a significant online presence, apart from their exclusive Onion website, where they post their activities and updates.
  • So far the group has targeted two Asian companies across industries.
  • CloudSEK’s Threat Intelligence team conducted further research to analyze the group’s operations and Tactics, Techniques, and Procedures (TTPs).

Night Sky Ransomware Group : Detailed Analysis

Night Sky ransomware group’s onion site
  • Night Sky is a newly emerged ransomware group that maintains a presence on the dark web. They currently have only two victims, both companies based in Asia.

  • The two victims of the Night Sky ransomware group are:
  1. Tokyo Computer Service (Date posted: 30 December 2021)
     Region: Japan
     Description: Tokyo Computer Services, established in 1974, provides development and programming services to businesses across Japan.
     Website: www.tcs-ipnet.co.jp
     Data size: 130 GB
     Personal desktop file size: 12 GB
     Contents of the files: personal information of all employees; corporate confidential information; customers’ business documents; financial and customer information
  2. AKIJ Group Ltd (Date posted: 28 December 2021)
     Region: Bangladesh
     Description: Akij Group, founded by Sheikh Akijuddin, is one of the largest Bangladeshi industrial conglomerates, with business interests in textiles, tobacco, food & beverage, cement, ceramics, printing and packaging, pharmaceuticals, consumer products, etc.
     Website: www.akij.net
     Data size of the server: 297 GB
     ERP system data size: 513 GB
     GitLab code base: 2.7 GB
     Mail server data size: 47 GB
     cPanel database backup: 107 GB
     Data size of business system: 45 GB
     Personal desktop file size: 62 GB, contained in 2,10,000 files from a single year
     Contents of the files: employee information such as resumes
  • To substantiate their claims, the ransomware group has also provided samples for each of their victims. The database is currently available only for victims and any interested third-party buyers.
  • The group claims to be giving away all of the information for free. 

Information from Open-Sources

  • The Night Sky ransomware encrypts the following file types: MS Office documents, OpenOffice documents, PDF files, text files, databases, photos, music, videos, images, and archives.
  • The group leaves a ransom note titled ‘NightSkyReadMe.hta’.
  • The communication channel provided by the group is: [victim_name]@nightsky.cyou.
  • The ransomware group appends the .nightsky extension while encrypting sensitive files.  
  • The VirusTotal records from the domain nightsky.cyou are:
Night Sky - DNS Records
Screenshot of VirusTotal records from nightsky.cyou

  • On their Twitter account, DarkFeed.io revealed the list of active users on Night Sky’s support chatbot, where victims negotiate with the ransomware operators.
Support members of the Night Sky ransomware
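As an added example (not part of the CloudSEK report), the Python below turns the host-level indicators quoted above (the NightSkyReadMe.hta note, the .nightsky extension, and the @nightsky.cyou contact address) into a triage routine that a responder can run over a file listing and a ransom-note body; the extension-to-category mapping and the sample paths are assumptions, not observed data.

```python
import re
from pathlib import PurePosixPath

# Indicators quoted in the report above.
RANSOM_NOTE = "NightSkyReadMe.hta"
ENCRYPTED_EXT = ".nightsky"
CONTACT_RE = re.compile(r"[\w.-]+@nightsky\.cyou", re.IGNORECASE)

# File categories the report lists as encrypted; the extension mapping is an assumption.
CATEGORY_EXTS = {
    "office": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".ods"},
    "pdf": {".pdf"}, "text": {".txt"},
    "database": {".db", ".sqlite", ".mdb", ".sql"},
    "image": {".jpg", ".jpeg", ".png", ".gif"},
    "media": {".mp3", ".wav", ".mp4", ".avi", ".mkv"},
    "archive": {".zip", ".rar", ".7z", ".tar", ".gz"},
}

def classify_path(path):
    """Return ('note', None), ('encrypted', original_ext) or (None, None) for one path."""
    p = PurePosixPath(path)
    if p.name.lower() == RANSOM_NOTE.lower():
        return "note", None
    if p.suffix.lower() == ENCRYPTED_EXT:
        # 'q4.xlsx.nightsky' -> the extension that .nightsky was appended to is '.xlsx'
        return "encrypted", PurePosixPath(p.stem).suffix.lower()
    return None, None

def triage(paths, note_text=""):
    """Summarise Night Sky indicators over a file listing and an optional ransom-note body."""
    findings = {"notes": [], "encrypted": 0, "by_category": {}}
    for path in paths:
        kind, ext = classify_path(path)
        if kind == "note":
            findings["notes"].append(path)
        elif kind == "encrypted":
            findings["encrypted"] += 1
            cat = next((c for c, exts in CATEGORY_EXTS.items() if ext in exts), "other")
            findings["by_category"][cat] = findings["by_category"].get(cat, 0) + 1
    findings["contacts"] = sorted(set(CONTACT_RE.findall(note_text)))
    # Both a ransom note and renamed files present: strong match for this family.
    findings["match"] = bool(findings["notes"]) and findings["encrypted"] > 0
    return findings
# Constructed sample listing and note excerpt, not data from any real victim.
SAMPLE_PATHS = [
    "/srv/share/NightSkyReadMe.hta", "/srv/share/finance/q4.xlsx.nightsky",
    "/srv/share/hr/resume_01.pdf.nightsky", "/srv/share/hr/resume_02.pdf.nightsky",
    "/srv/share/backup/erp.sql.nightsky", "/srv/share/readme.txt",
]
SAMPLE_NOTE = "Contact us at example-victim@nightsky.cyou to negotiate."
```

Calling `triage(SAMPLE_PATHS, SAMPLE_NOTE)` reports the note, four renamed files broken down by original category, and the contact address, so the same function can be pointed at a real share listing and note during incident response.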
