NightSky virus Removal Guide
What is NightSky ransomware?
NightSky ransomware authors threaten to release the stolen private files publicly
NightSky ransomware is a malicious program that might result in a full data loss
NightSky ransomware is a type of malware that is designed to extort money by using blackmail thanks to its sophisticated ability to lock all personal files on a Windows computer or its network. While many malware of this type target regular computer users, corporations and businesses have been increasingly targeted by cybercriminals with the hopes of bigger ransom payments. In this case, the virus is mostly directed towards the latter, although it does not mean that home users can't get infected as well.
There could be multiple ways how the machines might get infected by the NightSky virus. As it is typical with any other high-risk malware, it uses deception to be implemented on the targeted machine. Since it mostly targets corporations and businesses, it is likely that the attack vector is that which correlates with the scheme, mainly malicious emails, weakly protected RDP connections, vulnerable software running on the company computers, and similar.
Once installed on the device, malware would perform all the necessary changes to prepare the system for its main goal – data encryption. It uses a combination of AES and RSA encryption algorithms to append each of the non-system files on the affected device with the “.nightsky” extension. Suchlike data is stripped of the regular file icons and becomes unreadable, although it is important to note that it is not corrupted.
In order to restore all the important pictures, documents, databases, and everything else that resides on the infected machine, victims are informed through a NightSkyReadMe.hta ransom note that they need to pay ransom in Bitcoin cryptocurrency for a decryption key. Typically, the exact price is negotiated later, although, when it comes to corporate entities, the demands are usually quite high.
|Type||Ransomware, data locking malware, cryptovirus|
|Family||It's a new malware strain that first showed up at the end of December 2021. Mainly targets companies|
|File extension||Each of the non-system files is appended with a “.nightsky” extension|
|Ransom note||NightSkyReadMe.hta, which is placed on the desktop and other locations of the infected computer|
|File Recovery||If no backups are available, recovering data is almost impossible. Nonetheless, we suggest you try the alternative methods that could help you in some cases – we list them below|
|removal||Perform a full system scan with SpyHunter 5Combo Cleaner or another reputable security software|
|System fix||Once installed on the system, malware might seriously damage some system files which might result in crashes, errors, and other stability issues. This can mean that Windows reinstallation might be necessary. Alternatively, FortectIntego PC repair can fix any of such damage automatically by replacing system corruption|
A closer look at the virus
Ransomware has been on the rise for quite some time now. Thanks to the successful implementation of the WannaCry outbreak back in 2017, it soon became apparent that it can be used as a tool to operate a successful but illegal business. In the past few years, we have seen many new ransomware gangs, some of which were shut down by the authorities, all while Djvu and similar cybercriminal groups continue their operations just as successfully as they did years ago.
In November 2019, a high-profile ransomware gang, Maze, was the first one to implement a new twist to ransomware attacks. Since most companies have secure and working backup systems to their files, the incentive to pay up is rather low. Thus, they started stealing – and later, leaking – confidential data from the affected companies. This made many businesses and organizations rethink how they reacted to the attack, which increased the number of payments.
This trend continues, and NightSky ransomware authors also threaten to release the data publicly – they even provide the ONION link where the alleged information is published by the attackers:
Your company has been hacked by us.
Internal files have been stolen and encrypted by us.
But don't worry, we didn't destroy them, and we won't leak data right away.
If your company is willing to meet our requirements,
we will decrypt the data and destroy the stolen data without data leakage.
This move by criminals is rather smart, as many companies might have information that, once disclosed, could be detrimental to the longevity of the business. Likewise, these leaks usually include personal information of the internal partners, employee details, and much more.
The ransom note threatens to release the stolen files to public if the ransom is not paid after seven days
Crooks also explain that the affected companies should not contact a third party that could help with data recovery:
Do not contact third party to restore the file, the file cann't be decrypted without the key. The third party only contact us to buy the key at a lower price to earn the difference
Criminals also provide alleged remote communication details to chat with them, although they only see the “Only visible on the intranet” message instead. They do provide an email, though, which is specific to each of the victims.
Removal and remediation
Many companies and users are not prepared to deal with this type of cyberattack. This is one of the main reasons why they happen in the first place, and even large businesses and corporations have been affected by it. Remediation can be tedious and lengthy, although it needs to be done in order to begin the process of attack recovery. In order to do this correctly, follow the steps below.
Remove network connections
Ransomware that targets companies is often set up in a way so it would communicate with outside servers. This way, cybercriminals can send off commands and even install additional payloads. Thus, it is important to ensure that all the network connections to and from the infected machine are disconnected.
- Type in Control Panel in Windows search and press Enter
- Go to Network and Internet
- Click Network and Sharing Center
- On the left, pick Change adapter settings
- Right-click on your connection (for example, Ethernet), and select Disable
- Confirm with Yes.
Get rid of the malware and its components
The next thing to do is remove NightSky ransomware from the PC. Before you proceed, we recommend making backups of the encrypted data, as it might get corrupted in the process. This step can be skipped if you have working backups that can be used after.
Download, install and update security software, for example, SpyHunter 5Combo Cleaner or Malwarebytes, and perform a full system scan with it. It is important to note that malware might interfere with its removal – this can be bypassed by accessing Safe Mode:
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on the Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find the Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Click Restart.
- Press 5 or click 5) Enable Safe Mode with Networking.
Fix damaged system files
After malware infection, Windows is no longer the same, as some system files might get damaged or even destroyed. This can result in system instability – crashes, failure to launch programs, BSODs, and many other issues. If you are suffering from these problems after eliminating the infection, use data recovery software as explained below.
- Download FortectIntego
- Click on the ReimageRepair.exe
- If User Account Control (UAC) shows up, select Yes
- Press Install and wait till the program finishes the installation process
- The analysis of your machine will begin immediately
- Once complete, check the results – they will be listed in the Summary
- You can now click on each of the issues and fix them manually
- If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.
By employing this tool, you would not have to worry about future computer issues, as most of them could be fixed quickly by performing a full system scan at any time. Most importantly, you could avoid the tedious process of Windows reinstallation in case things go very wrong due to one reason or another.
Every company that values security and integrity at least a bit would make proper file backups. These should be stored on a separate medium, away from the main server and network. This practice is essential, as there could be many things that could go wrong, and data loss, particularly that of clients, can be extremely damaging to any business or company – a destroyed reputation is hard to rebuild.
That being said, cybercriminals might find their way into the data backup storage systems if stored incorrectly. The less frequent automatic backup system might also result in at least some of the data loss that might be valuable. If your backups are safe, you can use them as soon as the virus is eliminated from the network entirely.
Despite popular belief, the affected data would not be reverted to its previous state after malware is eliminated from the system and its affected network. This is because the deciphering process requires a unique key, which is the possession of cybercriminals behind NightSky ransomware.
While restoring data successfully without it is quite unlikely, we recommend trying a third-party recovery tool that might work in some cases or restore at least some of the lost data:
- Download Data Recovery Pro.
- Double-click the installer to launch it.
- Follow on-screen instructions to install the software.
- As soon as you press Finish, you can use the app.
- Select Everything or pick individual folders where you want the files to be recovered from.
- Press Next.
- At the bottom, enable Deep scan and pick which Disks you want to be scanned.
- Press Scan and wait till it is complete.
- You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
- Press Recover to retrieve your files.
Report to authorities
Reporting any incident to the authorities is a legal obligation in many countries that should be followed, regardless of how big or small the affected company is. If you are a home user, you don't have to do this, although these reports could increase the chances of catching the culprits. Here are a few links you might find useful:
- USA – Internet Crime Complaint Center IC3
- United Kingdom – ActionFraud
- Canada – Canadian Anti-Fraud Centre
- Australia – ScamWatch
- New Zealand – ConsumerProtection
- Germany – Polizei
- France – Ministère de l'Intérieur
If your country is not listed above, you should contact the local police department or communications center.
How to prevent from getting ransomware
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.