NightSky is yet another ransomware derivative of the Chinese-affiliated threat actor group called BRONZE STARLIGHT, also known as DEV-0401, Cinnamon Tempest, Emperor Dragonfly, and SLIME34. Chronologically, it is the fourth ransomware used by the group, after LockFile, AtomSilo, and Rook. LockFile and AtomSilo were somewhat proprietary ransomware strains as they haven't been directly attributed to another well-known ransomware. Rook, on the other hand, was built using the leaked Babuk encryptor. As such, Rook is a direct descendant of Babuk, with a BRONZE STARLIGHT twist. NightSky is a derivative of Rook, and thus, Babuk, too. Additionally, NightSky behaves similarly to Babuk/Rook. Researchers have called NightSky Rook packed with VMProtect. In other words, NightSky is a slightly tweaked version of Rook.
Of all the ransomware variants utilized by BRONZE STARLIGHT, NightSky was the shortest-lived one, only active for around a month, from late December 2021 to late January 2022. During this time, they posted two victims on their dark web data leak site, but based on the samples collected, there were likely more than two. Based on public research and news reporting, BRONZE STARLIGHT is known to use ransomware as a smokescreen for intellectual property theft, with Japan being one of the target countries. However, it's almost certain that the group accepts financial theft, too. For example, it has been reported that the group demanded an $800,000 ransom from one of their victims. We're not sure which organization that was from, though.
Samples (SHA-256)(11)
Industry Sector | Country | Extortion Date | Amount (USD) |
---|---|---|---|
Agriculture | Bangladesh | ||
Information Technology | Japan |