NightSky ransomware (virus) - Free Instructions

NightSky virus Removal Guide

What is NightSky ransomware?

NightSky ransomware authors threaten to release the stolen private files publicly

NightSky ransomwareNightSky ransomware is a malicious program that might result in a full data loss

NightSky ransomware is a type of malware that is designed to extort money by using blackmail thanks to its sophisticated ability to lock all personal files on a Windows computer or its network. While many malware of this type target regular computer users, corporations and businesses have been increasingly targeted by cybercriminals with the hopes of bigger ransom payments. In this case, the virus is mostly directed towards the latter, although it does not mean that home users can't get infected as well.

There could be multiple ways how the machines might get infected by the NightSky virus. As it is typical with any other high-risk malware, it uses deception to be implemented on the targeted machine. Since it mostly targets corporations and businesses, it is likely that the attack vector is that which correlates with the scheme, mainly malicious emails, weakly protected RDP connections, vulnerable software running on the company computers, and similar.

Once installed on the device, malware would perform all the necessary changes to prepare the system for its main goal – data encryption. It uses a combination of AES and RSA encryption[1] algorithms to append each of the non-system files on the affected device with the “.nightsky” extension. Suchlike data is stripped of the regular file icons and becomes unreadable, although it is important to note that it is not corrupted.

In order to restore all the important pictures, documents, databases, and everything else that resides on the infected machine, victims are informed through a NightSkyReadMe.hta ransom note that they need to pay ransom in Bitcoin cryptocurrency for a decryption key. Typically, the exact price is negotiated later, although, when it comes to corporate entities, the demands are usually quite high.

Name NightSky virus
Type Ransomware, data locking malware, cryptovirus
Family It's a new malware strain that first showed up at the end of December 2021. Mainly targets companies
File extension Each of the non-system files is appended with a “.nightsky” extension
Ransom note NightSkyReadMe.hta, which is placed on the desktop and other locations of the infected computer
File Recovery If no backups are available, recovering data is almost impossible. Nonetheless, we suggest you try the alternative methods that could help you in some cases – we list them below
removal Perform a full system scan with SpyHunter 5Combo Cleaner or another reputable security software
System fix Once installed on the system, malware might seriously damage some system files which might result in crashes, errors, and other stability issues. This can mean that Windows reinstallation might be necessary. Alternatively, FortectIntego PC repair can fix any of such damage automatically by replacing system corruption

A closer look at the virus

Ransomware has been on the rise for quite some time now.[2] Thanks to the successful implementation of the WannaCry outbreak back in 2017,[3] it soon became apparent that it can be used as a tool to operate a successful but illegal business. In the past few years, we have seen many new ransomware gangs, some of which were shut down by the authorities, all while Djvu and similar cybercriminal groups continue their operations just as successfully as they did years ago.

In November 2019, a high-profile ransomware gang, Maze, was the first one to implement a new twist to ransomware attacks. Since most companies have secure and working backup systems to their files, the incentive to pay up is rather low. Thus, they started stealing – and later, leaking – confidential data from the affected companies. This made many businesses and organizations rethink how they reacted to the attack, which increased the number of payments.

This trend continues, and NightSky ransomware authors also threaten to release the data publicly – they even provide the ONION link where the alleged information is published by the attackers:



Your company has been hacked by us.
Internal files have been stolen and encrypted by us.
But don't worry, we didn't destroy them, and we won't leak data right away.
If your company is willing to meet our requirements,
we will decrypt the data and destroy the stolen data without data leakage.

This move by criminals is rather smart, as many companies might have information that, once disclosed, could be detrimental to the longevity of the business. Likewise, these leaks usually include personal information of the internal partners, employee details, and much more.

NightSky ransomware virusThe ransom note threatens to release the stolen files to public if the ransom is not paid after seven days

Crooks also explain that the affected companies should not contact a third party that could help with data recovery:

Do not contact third party to restore the file, the file cann't be decrypted without the key. The third party only contact us to buy the key at a lower price to earn the difference

Criminals also provide alleged remote communication details to chat with them, although they only see the “Only visible on the intranet” message instead. They do provide an email, though, which is specific to each of the victims.

Removal and remediation

Many companies and users are not prepared to deal with this type of cyberattack. This is one of the main reasons why they happen in the first place, and even large businesses and corporations have been affected by it. Remediation can be tedious and lengthy, although it needs to be done in order to begin the process of attack recovery. In order to do this correctly, follow the steps below.

Remove network connections

Ransomware that targets companies is often set up in a way so it would communicate with outside servers. This way, cybercriminals can send off commands and even install additional payloads. Thus, it is important to ensure that all the network connections to and from the infected machine are disconnected.

  • Type in Control Panel in Windows search and press Enter
  • Go to Network and InternetNetwork and internet
  • Click Network and Sharing CenterNetwork and internet 2
  • On the left, pick Change adapter settingsNetwork and internet 3
  • Right-click on your connection (for example, Ethernet), and select DisableNetwork and internet 4
  • Confirm with Yes.

Get rid of the malware and its components

The next thing to do is remove NightSky ransomware from the PC. Before you proceed, we recommend making backups of the encrypted data, as it might get corrupted in the process. This step can be skipped if you have working backups that can be used after.

Download, install and update security software, for example, SpyHunter 5Combo Cleaner or Malwarebytes, and perform a full system scan with it. It is important to note that malware might interfere with its removal – this can be bypassed by accessing Safe Mode:

Windows 7 / Vista / XP

  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.Windows XP/7

Windows 10 / Windows 8

  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.Recovery
  6. Select Troubleshoot.Choose an option
  7. Go to Advanced options.Advanced options
  8. Select Startup Settings.Startup settings
  9. Click Restart.
  10. Press 5 or click 5) Enable Safe Mode with Networking.Press F5 to enable Safe Mode with Networking

Fix damaged system files

After malware infection, Windows is no longer the same, as some system files might get damaged or even destroyed. This can result in system instability – crashes, failure to launch programs, BSODs, and many other issues. If you are suffering from these problems after eliminating the infection, use data recovery software as explained below.

  • Download FortectIntego
  • Click on the ReimageRepair.exe
    Reimage download
  • If User Account Control (UAC) shows up, select Yes
  • Press Install and wait till the program finishes the installation processReimage installation
  • The analysis of your machine will begin immediatelyReimage scan
  • Once complete, check the results – they will be listed in the Summary
  • You can now click on each of the issues and fix them manually
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.Reimage results

By employing this tool, you would not have to worry about future computer issues, as most of them could be fixed quickly by performing a full system scan at any time. Most importantly, you could avoid the tedious process of Windows reinstallation in case things go very wrong due to one reason or another.

Restore files

Every company that values security and integrity at least a bit would make proper file backups. These should be stored on a separate medium, away from the main server and network. This practice is essential, as there could be many things that could go wrong, and data loss, particularly that of clients, can be extremely damaging to any business or company – a destroyed reputation is hard to rebuild.

That being said, cybercriminals might find their way into the data backup storage systems if stored incorrectly. The less frequent automatic backup system might also result in at least some of the data loss that might be valuable. If your backups are safe, you can use them as soon as the virus is eliminated from the network entirely.

Despite popular belief, the affected data would not be reverted to its previous state after malware is eliminated from the system and its affected network. This is because the deciphering process requires a unique key, which is the possession of cybercriminals behind NightSky ransomware.

While restoring data successfully without it is quite unlikely, we recommend trying a third-party recovery tool that might work in some cases or restore at least some of the lost data:

  • Download Data Recovery Pro.
  • Double-click the installer to launch it.
    NightSky ransomware
  • Follow on-screen instructions to install the software.
  • As soon as you press Finish, you can use the app.
  • Select Everything or pick individual folders where you want the files to be recovered from.Select what to recover
  • Press Next.
  • At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  • Press Scan and wait till it is complete.Scan
  • You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  • Press Recover to retrieve your files.

Report to authorities

Reporting any incident to the authorities is a legal obligation in many countries that should be followed, regardless of how big or small the affected company is. If you are a home user, you don't have to do this, although these reports could increase the chances of catching the culprits. Here are a few links you might find useful:

Internet Crime Complaint Center IC3

If your country is not listed above, you should contact the local police department or communications center.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions