nightspire
Ransomware group profile
239Victims
South KoreaSource country
81Impact score
Description
NightSpire is a financially motivated ransomware group that emerged in early 2025, targeting small to medium-sized enterprises across various sectors. The group employs a double extortion strategy, encrypting data after exfiltration, and has operated a Dark Web leak site to threaten the public release of stolen data since March 2025.
Key insights
- •Utilizes a double extortion model by encrypting stolen data and threatening public release.
- •Gains initial access using exploits like CVE-2024-55591, RDP brute-forcing, and phishing.
- •Features a custom ransomware payload written in Go that appends the '.nspire' extension to encrypted files.
- •Employs living-off-the-land techniques, leveraging legitimate tools for data exfiltration.
- •Targets a wide range of industries with ransom demands ranging from $150,000 to $2 million.
- •Rapidly advanced from operational immaturity to a robust operation with Ransomware-as-a-Service offerings.
Threat Level & Status Breakdown
For nightspire · Based on incidents in selected period
3.5threat level
Aggressiveness8/ 10
Lethality0/ 10
Criticality2.2/ 10
Status Breakdown
Claimed17.6%42
First seenJun 2025
Last seenJun 2026
Avg ransom—
Payment rate—
Statusactive
Sophistication0
Last updatedJun 23, 2026
Recent activity
Monthly attack count for nightspire in the selected period
239Total attacks
62peak in Mar
19.9avg / month
↑ 10 vs first month
Intelligence
IOCs, YARA/Sigma rules, and related families for nightspire
- ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7
- ce56ec0bea8f53b7cc7f938226e96d8668c66611
- c5f526cc62688cf34c49d098dab81e24e4294f832ada57433ef505d5ac6da8f3
- 2e07a4de9e6ba84728fbdf27384ea0b9
- 32e10dc9fe935d7c835530be214142041b6aa25ee32c62648dea124401137ea5
- 94dd3315fca4c31ef61b7865c3b8983f
- bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355
- 94f73b5dc06ba6705fcef3e759413a747049c2949a0c2e44afc03b2f9989cf73
- 7ffb8a403a298e5b0d5f8bf3c6d119e6
- 0e31379dcb838b619ec1b44dda3fc4cc20596764
- c3804d1329b55a37bfa2f835e1e9bbc7bdb2b260f8e3627c06e02c9f52685d44
- 20cb8d8216061545b0b31ec8bd5f42de
- e275b8a02bf23b565bdaabadb220b39409eddc6b8253eb04e0f092d697e3b53d
- 69f5515ff3f554233840ad2f2397b345f955013017a9ae14ed4e762f52d936af
- f5da096e2ae6079c4670ddd6566244618056a22e
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for nightspire
Other
T1486
T1486
T1490
T1490
T1078
T1078
T1046
T1046
T1021
T1021
T1562
T1562
T1059
T1059
T1105
T1105
T1005
T1005
T1071
T1071
T1027
T1027
T1080
T1080
Victims(200)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| Artistic Smiles | artisticsmiles.org | US United States | Retail & E-Commerce | Unknown | 4 days ago | |
| legendsmn(Blue Ox, Paul Bunyan, Lumberjack Electric) | legendsmn.com | US United States | Energy & Utilities | Unknown | 7 days ago | |
| Central Texas ***** ***** | — | — | Other | Unknown | 9 days ago | |
| Ri***** Co**** Europe S.r.l. | — | — | — | Unknown | 9 days ago | |
| G**** R****l*e | — | — | — | Unknown | 10 days ago | |
| A*** G*** A*S* | — | NL Netherlands | — | Unknown | 17 days ago | |
| ASIA STRATEGIC | asia-strategic.com | SG Singapore | Professional Services | Unknown | 17 days ago | |
| B****S I******t***l | — | — | Professional Services | Unknown | 10 days ago | |
| Unique Litho, Inc | uniquelitho.com | US United States | Manufacturing | Unknown | 17 days ago | |
| Sheraton Miramar Resort El Gouna | elgouna.com | EG Egypt | Hospitality | Unknown | 10 days ago | |
| Guy E******* & F*******, P.A | — | — | Financial Services | Unknown | 9 days ago | |
| dean cosmetic dentistry | deancosmeticdentistry.com | US United States | Healthcare | Unknown | 7 days ago | |
| K****** County. Mi**e**ta | — | US United States | Government & Defense | Unknown | 11 days ago | |
| GRIP Outreach For Youth | gripyouth.com | US United States | Education | Unknown | 17 days ago | |
| Silsbee Police Department | silsbeeisd.org | US United States | Government & Defense | Unknown | 11 days ago | |
| Blue Nile Medical Center | bluenilemedical.com | US United States | Healthcare | Unknown | 11 days ago | |
| basatamfi | binvestmentsegypt.com | EG Egypt | Professional Services | Unknown | about 1 month ago | |
| Si**** West J******* | — | CU Cuba | Technology | Unknown | about 1 month ago | |
| la familia adualt day center | lafamiliaadultdaycenter.com | US United States | Healthcare | Unknown | about 1 month ago | |
| Sierra West Jewelers | sierra-west.com | US United States | Retail & E-Commerce | Unknown | 13 days ago |
Page 1 of 10
Affected countries(69)
Countries where this group has been reported to target or leak victims.
🇦🇪United Arab Emirates🇦🇷Argentina🇦🇹Austria🇦🇺Australia🇧🇩Bangladesh🇧🇪Belgium🇧🇷Brazil🇧🇾Belarus🇨🇦Canada🇨🇭Switzerland🇨🇱Chile🇨🇳China🇨🇴Colombia🇨🇷Costa Rica🇨🇿Czech Republic🇩🇪Germany🇪🇨Ecuador🇪🇬Egypt🇪🇸Spain🇫🇷France🇬🇧United Kingdom🇬🇪Georgia🇬🇷Greece🇭🇰Hong Kong🇭🇷Croatia🇭🇺Hungary🇮🇩Indonesia🇮🇱Israel🇮🇳India🇮🇶Iraq🇮🇹Italy🇯🇴Jordan🇯🇵JapanKorea, Republic of🇰🇼Kuwait🇰🇿Kazakhstan🇱🇹Lithuania🇱🇺Luxembourg🇲🇦Morocco🇲🇲Myanmar🇲🇽Mexico🇲🇾Malaysia🇳🇬Nigeria🇳🇮Nicaragua🇳🇱Netherlands🇳🇴Norway🇵🇦Panama🇵🇪Peru🇵🇭Philippines🇵🇰Pakistan🇵🇱Poland🇵🇹Portugal🇵🇾Paraguay🇷🇴RomaniaRussian Federation🇸🇦Saudi Arabia🇸🇪Sweden🇸🇬Singapore🇹🇭Thailand🇹🇳Tunisia🇹🇷TurkeyTaiwan, Province of ChinaTanzania, United Republic of🇺🇦Ukraine🇺🇸United StatesVenezuela, Bolivarian Republic of🇻🇳Vietnam🇿🇦South Africa🇿🇼Zimbabwe