The Night Sky ransomware was first spotted by Malware Hunter Team. It targets corporate networks, stealing data from VMware Horizon servers for extortion.
Night Sky started operating in the last week of December 2021. The operators access and eventually exfiltrate files from network endpoints before the ransomware is launched. They infiltrate corporate networks using tried-and-tested methods such as social engineering or stolen credentials.
Bleeping Computer has seen a sample of this ransomware; it was customized to contain a personalized ransom note and hard-coded login credentials for the victim's negotiation page.
Night Sky appends the extension .nightsky to encrypted files. Each folder contains a ransom note named NightSkyReadMe.hta, which lists what was stolen, a contact email, and hard-coded credentials for the victim's negotiation page. Rather than a Tor site, Night Sky communicates with victims through email addresses and a clear-web website running Rocket.Chat. Those hard-coded credentials are used to log in to the Rocket.Chat URL listed in the ransom note.
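The two on-disk artifacts described above (the .nightsky extension and the NightSkyReadMe.hta note) are what an incident responder would sweep a file share for first. The triage script below is an added example, not code from the article or from any vendor tool; the sample directory tree and the ransom-note wording it builds are constructed, and the email/URL patterns assume nothing about the real note's layout beyond the fields the article says it contains.

```python
import os
import re
import tempfile

ENC_EXT = ".nightsky"             # extension the article reports
NOTE_NAME = "NightSkyReadMe.hta"  # ransom note file name the article reports

# The note's exact layout is an assumption, so these patterns stay loose.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://\S+")


def scan_tree(root):
    """Walk root and return {dir: (encrypted_count, note_present)} for every
    directory showing at least one of the two indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        enc = sum(1 for f in files if f.lower().endswith(ENC_EXT))
        note = NOTE_NAME in files
        if enc or note:
            hits[os.path.relpath(dirpath, root)] = (enc, note)
    return hits


def parse_note(text):
    """Pull the contact email and the negotiation-page URL out of note text."""
    return {"emails": sorted(set(EMAIL_RE.findall(text))),
            "urls": sorted(set(URL_RE.findall(text)))}


def build_sample_tree():
    """Constructed sample: two directories with indicators, one clean."""
    root = tempfile.mkdtemp(prefix="nightsky_demo_")
    for d in ("finance", "hr", "clean"):
        os.makedirs(os.path.join(root, d))
    for name in ("q4.xlsx.nightsky", "budget.docx.nightsky"):
        open(os.path.join(root, "finance", name), "w").close()
    note = ("Your files are encrypted. Contact: support@example.invalid\n"
            "Negotiation page: https://chat.example.invalid/login\n")
    for d in ("finance", "hr"):
        with open(os.path.join(root, d, NOTE_NAME), "w") as fh:
            fh.write(note)
    open(os.path.join(root, "clean", "readme.txt"), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for d, (n, has_note) in sorted(scan_tree(root).items()):
        print(f"{d}: {n} encrypted file(s), ransom note present={has_note}")
```

Pointing scan_tree at a real share gives the list of directories to isolate and the note to feed parse_note, so the contact details can be recorded as indicators without anyone opening the .hta by hand.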