Ransomware - NightSky

NightSky
Aliases
Night Sky
Decryptor Available
No
Description

NightSky is yet another ransomware derivative of the Chinese-affiliated threat actor group called BRONZE STARLIGHT, also known as DEV-0401, Cinnamon Tempest, Emperor Dragonfly, and SLIME34. Chronologically, it is the fourth ransomware used by the group, after LockFile, AtomSilo, and Rook. LockFile and AtomSilo were somewhat proprietary ransomware strains as they haven't been directly attributed to another well-known ransomware. Rook, on the other hand, was built using the leaked Babuk encryptor. As such, Rook is a direct descendant of Babuk, with a BRONZE STARLIGHT twist. NightSky is a derivative of Rook, and thus, Babuk, too. Additionally, NightSky behaves similarly to Babuk/Rook. Researchers have called NightSky Rook packed with VMProtect. In other words, NightSky is a slightly tweaked version of Rook.

Of all the ransomware variants utilized by BRONZE STARLIGHT, NightSky was the shortest-lived one, only active for around a month, from late December 2021 to late January 2022. During this time, they posted two victims on their dark web data leak site, but based on the samples collected, there were likely more than two. Based on public research and news reporting, BRONZE STARLIGHT is known to use ransomware as a smokescreen for intellectual property theft, with Japan being one of the target countries. However, it's almost certain that the group accepts financial theft, too. For example, it has been reported that the group demanded an $800,000 ransom from one of their victims. We're not sure which organization that was from, though.

Ransomware Type
Crypto-Ransomware
Data Broker
Country of Origin
China
First Seen
Last Seen
Lineage
Threat Actors
Tipo
Actor
APT
BRONZE STARLIGHT
Extortion Types
Direct Extortion
Double Extortion
Extortion Price Increases
Free Data Leaks
Extortion Amounts
Amount
$800,000
Communication
Médio
Identificador
Email
Web Chat
Encryption
Type
Hybrid
Files
AES-128-CBC
Key
RSA-2048
File Extension
<filename>.<file extension>.nightsky
Ransom Note Name
NightSkyReadMe.hta
1379119b117c11ae810fe679563116c31f8ac565c309849de383baf58df89e90
18daff9fb95725122acc0757130f6a67c46d050cb43b1999fe85b0337f76db0f
1d2ef7038fd6e0f78f25fd9704f63370729460ad2d6f9f345ade3335aa6d6e6e
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577
3654111d9568ef65601b9f1c6ce73b4bbc3fd8a92ef903b7610539620c953e46
623b69c1fd45686af03cd87f77d6e3e17b263e1cf70a25465ce826f81730f898
642d665440104714e29b78e2b19b97996a6693a24f06452865da011564c0cb85
6ecad2171819ca386ffe61ff9eb31e99471fa4f315762c7da658165d7e09a55d
8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0
a077a55608ced7cea2bd92e2ce7e43bf51076304990ec7bb40c2b384ce2e5283
cebc906d77b8dcd0ad184529becf9e7d1d44309328b819e220068ad64755703f
Known Victims
Industry Sector País Extortion Date Amount (USD)
AgricultureBangladesh
Information TechnologyJapan