Discovery Enum
- Everything.exe
NightSpire is an emerging ransomware operation first observed in early 2025, with reporting indicating discovery around February 2025 and operation of a leak site since March 12, 2025.
Profile source: Mallory opens in a new tabNightSpire
NightSpire is an emerging ransomware operation first observed in early 2025, with reporting indicating discovery around February 2025 and operation of a leak site since March 12, 2025. It is described as an initially exfiltration-focused extortion group that evolved into double extortion, stealing data and then encrypting victim systems while threatening publication of stolen information on a Tor-based leak site if payment is not made. Multiple sources describe it as a closed-group operation rather than a public RaaS platform, although some reporting notes conflicting claims about possible RaaS or affiliate involvement. NightSpire has targeted a broad range of sectors and geographies, including healthcare, education, government, financial services, manufacturing, hospitality, IT services, logistics, and industrial organizations, with victims reported across at least 33 countries and the United States cited as the most affected. Public reporting also mentions attacks against hospitals, schools, government offices, financial institutions, and a claimed breach of Hyatt Place Chelsea New York.
Observed tradecraft indicates NightSpire commonly gains initial access via Remote Desktop Protocol, and at least one report states the group has used CVE-2024-55591 in FortiOS/FortiProxy for initial access. Persistence and remote access have been maintained using legitimate remote administration tools rather than custom backdoors, including Chrome Remote Desktop and AnyDesk. In observed intrusions, operators used Everything by voidtools for file discovery, 7-Zip to create password-protected archives, and MEGAsync/MEGA for likely data exfiltration. One Chrome Remote Desktop deployment was associated with the Windows service name "Chrome Remote Desktop Service" and the Google account prince1990905@gmail[.]com. Huntress also observed use of VMware Workstation and WPS Office in a March 2026 intrusion, and a staging directory C:\Users\[REDACTED]\Downloads\ was identified.
The encryptor has been reported as Go-based. NightSpire traverses accessible drives and paths to encrypt files, appends the .nspire extension to encrypted files, and drops ransom notes in affected folders. It has also been reported to encrypt OneDrive files without changing their extensions. Observed ransom note filenames include _nightspire_readme.txt and [nspire_msg].txt. Reported encryptor sample hashes include SHA256 bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355 (enc.exe, dated 2025-12-02) and ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7 (enc.exe, dated 2026-03-25). Reporting notes variation between late-2025 and March-2026 incidents in tooling, ransom notes, and encryptor hashes, suggesting either malware evolution or affiliate-driven differences in TTPs.
Victimology reporting states NightSpire rapidly expanded in 2025, with one source citing growth from 29 to 82 victims and another noting at least 64 organizations hit between March and June 2025, alongside more than 45 victims logged on its leak blog in a three-month period. Communications have been described as using ProtonMail, OnionMail, and Telegram. Overall, NightSpire is characterized as a fast-growing ransomware threat using broad opportunistic targeting, legitimate administration tools, data theft, and double-extortion pressure.
Ransomware.live
Ransomware.live
https://t.me/night_spire_team@nightspireteam202535cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e78D663FD10BF662930F4C076CBF95FACFCC4ABD8F1A5E328DE75D0B0237A74E1AE1E0C5C37E7Fnight.spire.team@gmail.comnight.spire.team@onionmail.orgnight.spire.team@proton.menightspireteam.receiver@onionmail.orgRansomware.live
Exploited software
MITRE ATT&CK
Reporting
NightSpire, first identified in early 2025, has already shown it is willing to cast a wide net, hitting hospitals, schools, government offices, and financial institutions alike. NightSpire operates through a double extortion model.
Nightspire, a closed-group operation with OneDrive cloud encryption capability, expanded by 183% from 29 victims to 82, sustaining growth across two consecutive quarters.
NightSpire ransomware was reportedly first discovered in February 2025, and was active throughout the year.
"...Hyatt was claimed to have been breached by the NightSpire ransomware operation..."
“NightSpire… leaned towards exfiltration-based extortion, later expanding into double extortion ransomware.”
RansomHub, Arkana, CrazyHunter, and NightSpire established operations using reused codebases and recycled infrastructure.
CVE-2024–55591 is a high severity vulnerability with a CVSS score of 9.8 in the Node.js WebSocket module of FortiOS and FortiProxy. A threat actor can obtain super admin privileges by sending a specially crafted request, and the NightSpire ransomware gang is known to have used it for initial access.
NightSpire employs a double extortion strategy, encrypting data and threatening to leak stolen information unless a ransom is paid... NightSpire is a new ransomware group that emerged in early 2025...
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.