2022: A New Ransomware Group is Starting Strong

Another ransomware group has recently launched into operations in such a way that signals that 2022 is likely to set a new record of ransomware activity. The new group, Night Sky, started advertising its activities on December 27, 2021. Within the short time since, it has already hit two companies from Japan and Bangladesh, encrypting their data using double-extortion attack techniques. Using this method, also known as pay-now-or-get-breached, ransomware groups first exfiltrate information, then encrypt them, and finally, threaten to publish the data unless a ransom is paid.

The Night Sky group maintains a website that runs on the encrypted TOR network, where it announces the companies they attack. A notice on their behalf was published on the site threatening to release all files for free should the companies fail to pay the ransom.

The data of the two companies has not been released yet except for a few samples of the stolen data, including sensitive documents that prove the group’s involvement in the leaks.

One of the more interesting findings our team found is that while other ransomware groups use an internal message box, Night Sky communicates with the victims through private emails and through an open web site called “Rocket Chat” that offers encrypted chat rooms (which at some point suspended their account). As far as we know, this is the first ransomware group that used Rocket Chat to communicate with its victims. This is surprising as the Rocket Chat platform is mostly known to be used by radical Islamic groups.