NightSpire
Ransomware group profile
Description
NightSpire is a financially motivated ransomware group that emerged in early 2025, targeting small to medium-sized enterprises across various sectors. The group employs a double extortion strategy, encrypting data after exfiltration, and has operated a Dark Web leak site to threaten the public release of stolen data since March 2025.
Key insights
- Utilizes a double extortion model by encrypting stolen data and threatening public release.
- Gains initial access using exploits like CVE-2024-55591, RDP brute-forcing, and phishing.
- Features a custom ransomware payload written in Go that appends the '.nspire' extension to encrypted files.
- Employs living-off-the-land techniques, leveraging legitimate tools for data exfiltration.
- Targets a wide range of industries with ransom demands ranging from $150,000 to $2 million.
- Rapidly advanced from operational immaturity to a robust operation with Ransomware-as-a-Service offerings.
Intelligence
IOCs, YARA/Sigma rules, and related families for NightSpire
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for NightSpire
- T1486
- T1490
- T1078
- T1046
- T1021
- T1562
- T1059
- T1105
- T1005
- T1071
- T1027
- T1080
Victims (200)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| basatamfi | — | EG Egypt | Professional Services | Unknown | 9 days ago | |
| la familia adualt day center | lafamiliaadultdaycenter.com | US United States | Healthcare | Unknown | 10 days ago | |
| Si**** West J******* | — | CU Cuba | Technology | Unknown | 10 days ago | |
| Pat**** S.r.l | — | CU Cuba | Manufacturing | Unknown | 10 days ago | |
| Bresme Madrid S.L. | bresme.com | ES Spain | Professional Services | Unknown | 10 days ago | |
| Red-Line | — | US United States | Other | Unknown | 10 days ago | |
| Rawaj Consumer Finance | rawaj-finance.com | EG Egypt | Financial Services | Unknown | 10 days ago | |
| C***r*o T**uc**n* | — | PS Palestine | — | Unknown | 16 days ago | |
| Qua****Pro | — | CU Cuba | Professional Services | Unknown | 10 days ago | |
| m***o*ul | — | PS Palestine | — | Unknown | 16 days ago | |
| Papa John's Egypt | papajohnsegypt.com | EG Egypt | Hospitality | Unknown | 10 days ago | |
| Vantage Energy LLC | vantageenergy.com | US United States | Energy & Utilities | Unknown | 16 days ago | |
| TAKOSAN OTOMOBIL | takosan.com.tr | TR Turkey | Manufacturing | Unknown | 16 days ago | |
| Ueno Fine Chemicals Industry | ueno-fc.co.jp | TH Thailand | Manufacturing | Unknown | 10 days ago | |
| Huse Incorporated | huseinc.com | US United States | Hospitality | Unknown | 16 days ago | |
| P**g**s***e O*al S**g**y & I**la**ol**y | — | NA Namibia | Healthcare | Claimed | about 1 month ago | |
| J**es **l*o | — | NA Namibia | Retail & E-Commerce | Claimed | about 1 month ago | |
| A**** F***** Plas**** | — | NA Namibia | Manufacturing | Unknown | about 1 month ago | |
| Progressive Oral Surgery & Implantology | — | US United States | Healthcare | Unknown | about 1 month ago | |
Affected countries (63)
Countries where this group has been reported to target or leak victims.