NightSky ransomware (virus) - Free Instructions

What is NightSky ransomware?

NightSky ransomware authors threaten to release the stolen private files publicly

NightSky ransomware is a malicious program that might result in a full data loss

NightSky ransomware is a type of malware that is designed to extort money by using blackmail thanks to its sophisticated ability to lock all personal files on a Windows computer or its network. While many malware of this type target regular computer users, corporations and businesses have been increasingly targeted by cybercriminals with the hopes of bigger ransom payments. In this case, the virus is mostly directed towards the latter, although it does not mean that home users can't get infected as well.

There could be multiple ways how the machines might get infected by the NightSky virus. As it is typical with any other high-risk malware, it uses deception to be implemented on the targeted machine. Since it mostly targets corporations and businesses, it is likely that the attack vector is that which correlates with the scheme, mainly malicious emails, weakly protected RDP connections, vulnerable software running on the company computers, and similar.

Once installed on the device, malware would perform all the necessary changes to prepare the system for its main goal – data encryption. It uses a combination of AES and RSA encryption^[1] algorithms to append each of the non-system files on the affected device with the “.nightsky” extension. Suchlike data is stripped of the regular file icons and becomes unreadable, although it is important to note that it is not corrupted.

In order to restore all the important pictures, documents, databases, and everything else that resides on the infected machine, victims are informed through a NightSkyReadMe.hta ransom note that they need to pay ransom in Bitcoin cryptocurrency for a decryption key. Typically, the exact price is negotiated later, although, when it comes to corporate entities, the demands are usually quite high.

A closer look at the virus

Ransomware has been on the rise for quite some time now.^[2] Thanks to the successful implementation of the WannaCry outbreak back in 2017,^[3] it soon became apparent that it can be used as a tool to operate a successful but illegal business. In the past few years, we have seen many new ransomware gangs, some of which were shut down by the authorities, all while Djvu and similar cybercriminal groups continue their operations just as successfully as they did years ago.

In November 2019, a high-profile ransomware gang, Maze, was the first one to implement a new twist to ransomware attacks. Since most companies have secure and working backup systems to their files, the incentive to pay up is rather low. Thus, they started stealing – and later, leaking – confidential data from the affected companies. This made many businesses and organizations rethink how they reacted to the attack, which increased the number of payments.

This trend continues, and NightSky ransomware authors also threaten to release the data publicly – they even provide the ONION link where the alleged information is published by the attackers:

NIGHT SKY

Warning!

Your company has been hacked by us.
Internal files have been stolen and encrypted by us.
But don't worry, we didn't destroy them, and we won't leak data right away.
If your company is willing to meet our requirements,
we will decrypt the data and destroy the stolen data without data leakage.

This move by criminals is rather smart, as many companies might have information that, once disclosed, could be detrimental to the longevity of the business. Likewise, these leaks usually include personal information of the internal partners, employee details, and much more.

The ransom note threatens to release the stolen files to public if the ransom is not paid after seven days

Crooks also explain that the affected companies should not contact a third party that could help with data recovery:

Do not contact third party to restore the file, the file cann't be decrypted without the key. The third party only contact us to buy the key at a lower price to earn the difference

Criminals also provide alleged remote communication details to chat with them, although they only see the “Only visible on the intranet” message instead. They do provide an email, though, which is specific to each of the victims.

Removal and remediation

Many companies and users are not prepared to deal with this type of cyberattack. This is one of the main reasons why they happen in the first place, and even large businesses and corporations have been affected by it. Remediation can be tedious and lengthy, although it needs to be done in order to begin the process of attack recovery. In order to do this correctly, follow the steps below.

Remove network connections

Ransomware that targets companies is often set up in a way so it would communicate with outside servers. This way, cybercriminals can send off commands and even install additional payloads. Thus, it is important to ensure that all the network connections to and from the infected machine are disconnected.

• Type in Control Panel in Windows search and press Enter
• Go to Network and Internet
• Click Network and Sharing Center
• On the left, pick Change adapter settings
• Right-click on your connection (for example, Ethernet), and select Disable
• Confirm with Yes.

Get rid of the malware and its components

The next thing to do is remove NightSky ransomware from the PC. Before you proceed, we recommend making backups of the encrypted data, as it might get corrupted in the process. This step can be skipped if you have working backups that can be used after.

Download, install and update security software, for example, SpyHunter 5Combo Cleaner or Malwarebytes, and perform a full system scan with it. It is important to note that malware might interfere with its removal – this can be bypassed by accessing Safe Mode:

Windows 7 / Vista / XP

1. Click Start > Shutdown > Restart > OK.
2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

1. Right-click on the Start button and select Settings.
   
2. Scroll down to pick Update & Security.
3. On the left side of the window, pick Recovery.
4. Now scroll down to find the Advanced Startup section.
5. Click Restart now.
6. Select Troubleshoot.
7. Go to Advanced options.
8. Select Startup Settings.
9. Click Restart.
10. Press 5 or click 5) Enable Safe Mode with Networking.

Fix damaged system files

After malware infection, Windows is no longer the same, as some system files might get damaged or even destroyed. This can result in system instability – crashes, failure to launch programs, BSODs, and many other issues. If you are suffering from these problems after eliminating the infection, use data recovery software as explained below.

• Download FortectIntego
• Click on the ReimageRepair.exe
  
  
• If User Account Control (UAC) shows up, select Yes
• Press Install and wait till the program finishes the installation process
• The analysis of your machine will begin immediately
• Once complete, check the results – they will be listed in the Summary
• You can now click on each of the issues and fix them manually
• If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.

By employing this tool, you would not have to worry about future computer issues, as most of them could be fixed quickly by performing a full system scan at any time. Most importantly, you could avoid the tedious process of Windows reinstallation in case things go very wrong due to one reason or another.

Restore files

Every company that values security and integrity at least a bit would make proper file backups. These should be stored on a separate medium, away from the main server and network. This practice is essential, as there could be many things that could go wrong, and data loss, particularly that of clients, can be extremely damaging to any business or company – a destroyed reputation is hard to rebuild.

That being said, cybercriminals might find their way into the data backup storage systems if stored incorrectly. The less frequent automatic backup system might also result in at least some of the data loss that might be valuable. If your backups are safe, you can use them as soon as the virus is eliminated from the network entirely.

Despite popular belief, the affected data would not be reverted to its previous state after malware is eliminated from the system and its affected network. This is because the deciphering process requires a unique key, which is the possession of cybercriminals behind NightSky ransomware.

While restoring data successfully without it is quite unlikely, we recommend trying a third-party recovery tool that might work in some cases or restore at least some of the lost data:

• Download Data Recovery Pro.
• Double-click the installer to launch it.
  
• Follow on-screen instructions to install the software.
• As soon as you press Finish, you can use the app.
• Select Everything or pick individual folders where you want the files to be recovered from.
• Press Next.
• At the bottom, enable Deep scan and pick which Disks you want to be scanned.
• Press Scan and wait till it is complete.
• You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
• Press Recover to retrieve your files.

Report to authorities

Reporting any incident to the authorities is a legal obligation in many countries that should be followed, regardless of how big or small the affected company is. If you are a home user, you don't have to do this, although these reports could increase the chances of catching the culprits. Here are a few links you might find useful:

• USA – Internet Crime Complaint Center IC3
• United Kingdom – ActionFraud
• Canada – Canadian Anti-Fraud Centre
• Australia – ScamWatch
• New Zealand – ConsumerProtection
• Germany – Polizei
• France – Ministère de l'Intérieur

If your country is not listed above, you should contact the local police department or communications center.