Skip to content
Ransomware group

NightSpire

NightSpire is an emerging ransomware operation first observed in early 2025, with reporting indicating discovery around February 2025 and operation of a leak site since March 12, 2025.

Profile source: Mallory opens in a new tab

NightSpire

Family profile

NightSpire is an emerging ransomware operation first observed in early 2025, with reporting indicating discovery around February 2025 and operation of a leak site since March 12, 2025. It is described as an initially exfiltration-focused extortion group that evolved into double extortion, stealing data and then encrypting victim systems while threatening publication of stolen information on a Tor-based leak site if payment is not made. Multiple sources describe it as a closed-group operation rather than a public RaaS platform, although some reporting notes conflicting claims about possible RaaS or affiliate involvement. NightSpire has targeted a broad range of sectors and geographies, including healthcare, education, government, financial services, manufacturing, hospitality, IT services, logistics, and industrial organizations, with victims reported across at least 33 countries and the United States cited as the most affected. Public reporting also mentions attacks against hospitals, schools, government offices, financial institutions, and a claimed breach of Hyatt Place Chelsea New York.

Observed tradecraft indicates NightSpire commonly gains initial access via Remote Desktop Protocol, and at least one report states the group has used CVE-2024-55591 in FortiOS/FortiProxy for initial access. Persistence and remote access have been maintained using legitimate remote administration tools rather than custom backdoors, including Chrome Remote Desktop and AnyDesk. In observed intrusions, operators used Everything by voidtools for file discovery, 7-Zip to create password-protected archives, and MEGAsync/MEGA for likely data exfiltration. One Chrome Remote Desktop deployment was associated with the Windows service name "Chrome Remote Desktop Service" and the Google account prince1990905@gmail[.]com. Huntress also observed use of VMware Workstation and WPS Office in a March 2026 intrusion, and a staging directory C:\Users\[REDACTED]\Downloads\ was identified.

The encryptor has been reported as Go-based. NightSpire traverses accessible drives and paths to encrypt files, appends the .nspire extension to encrypted files, and drops ransom notes in affected folders. It has also been reported to encrypt OneDrive files without changing their extensions. Observed ransom note filenames include _nightspire_readme.txt and [nspire_msg].txt. Reported encryptor sample hashes include SHA256 bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355 (enc.exe, dated 2025-12-02) and ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7 (enc.exe, dated 2026-03-25). Reporting notes variation between late-2025 and March-2026 incidents in tooling, ransom notes, and encryptor hashes, suggesting either malware evolution or affiliate-driven differences in TTPs.

Victimology reporting states NightSpire rapidly expanded in 2025, with one source citing growth from 29 to 82 victims and another noting at least 64 organizations hit between March and June 2025, alongside more than 45 victims logged on its leak blog in a three-month period. Communications have been described as using ProtonMail, OnionMail, and Telegram. Overall, NightSpire is characterized as a fast-growing ransomware threat using broad opportunistic targeting, legitimate administration tools, data theft, and double-extortion pressure.

Ransomware.live

Operational record

View group record ↗

Discovery Enum

  • Everything.exe

Exfiltration

  • MEGA
  • WinSCP

Ransomware.live

Published indicators

Full source record ↗

Telegram

2 total
  • https://t.me/night_spire_team
  • @nightspireteam2025

Sha256

2 total
  • 35cefe4bc4a98ad73dda4444c700aac9
  • f749efde8f9de6a643a57a5b605bd4e7

Tox

1 total
  • 8D663FD10BF662930F4C076CBF95FACFCC4ABD8F1A5E328DE75D0B0237A74E1AE1E0C5C37E7F

Email

4 total
  • night.spire.team@gmail.com
  • night.spire.team@onionmail.org
  • night.spire.team@proton.me
  • nightspireteam.receiver@onionmail.org

Ransomware.live

Recent claims

All published claims ↗

Exploited software

Vulnerabilities linked to NightSpire

1 CVEs

MITRE ATT&CK

NightSpire in ATT&CK

39 distinct techniques

Reporting

Research mentioning NightSpire

May 26
Cyber Security News

NightSpire Ransomware Uses RDP Access and Remote Admin Tools for Stealthy Persistence

NightSpire, first identified in early 2025, has already shown it is willing to cast a wide net, hitting hospitals, schools, government offices, and financial institutions alike. NightSpire operates through a double extortion model.

May 11
Checkpoint Research

The State of Ransomware - Q1 2026 - Check Point Research

Nightspire, a closed-group operation with OneDrive cloud encryption capability, expanded by 183% from 29 victims to 82, sustaining growth across two consecutive quarters.

Apr 7
Huntress

Decoding NightSpire: Ransomware IOCs Aren't Set in Stone | Huntress

NightSpire ransomware was reportedly first discovered in February 2025, and was active throughout the year.

Jan 20
Scworld

NightSpire ransomware gang alleges Hyatt breach, leaks data | SC Media

"...Hyatt was claimed to have been breached by the NightSpire ransomware operation..."

Jan 1
Cyble

10 New Ransomware Groups Of 2025 & Threat Trends For 2026

“NightSpire… leaned towards exfiltration-based extortion, later expanding into double extortion ransomware.”

Dec 31
Cyberthrone

New Ransomware Emerged in 2025 – Threat Intel Report

RansomHub, Arkana, CrazyHunter, and NightSpire established operations using reused codebases and recycled infrastructure.

Dec 24
Medium S2wblog

Detailed Analysis of Recent Trends in Known Exploited Vulnerabilities | by S2W | S2W BLOG | Medium

CVE-2024–55591 is a high severity vulnerability with a CVSS score of 9.8 in the Node.js WebSocket module of FortiOS and FortiProxy. A threat actor can obtain super admin privileges by sending a specially crafted request, and the NightSpire ransomware gang is known to have used it for initial access.

Dec 11
Cyfirma News

Weekly Intelligence Report - 12 December 2025 - CYFIRMA

NightSpire employs a double extortion strategy, encrypting data and threatening to leak stolen information unless a ransom is paid... NightSpire is a new ransomware group that emerged in early 2025...

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.