NightSpire Ransomware: How It Works and How to Defend Against It

25 February 2026

What is NightSpire ransomware?

NightSpire is a ransomware threat group that first appeared in February 2025. Initially focused on data theft and extortion, the group adopted a full double extortion model within weeks of launching its dark web leak site on March 12, 2025. Double extortion combines data theft with file encryption, pressuring victims through both operational disruption and the threat of public data exposure.

The group is likely a rebrand of the earlier Rbfs ransomware operation, which ceased activity as NightSpire emerged. Evidence supporting this connection includes overlapping victims on both groups’ leak sites, shared infrastructure, and the cessation of all Rbfs-related activity coinciding with NightSpire’s launch. NightSpire operates as a closed group, handling all attacks in-house from initial access through extortion, rather than following a Ransomware-as-a-Service model.

The ransomware payload is written in Go (Golang) and appends the .nspire extension to encrypted files. Ransom demands have been reported in the range of $150,000 to $2 million.

Who does NightSpire target?

NightSpire ransomware targeting is opportunistic rather than sector-specific. The group exploits organizations with exposed external assets and weak security postures regardless of industry.

Geographically, the United States accounts for the largest share of known victims, followed by India, Hong Kong, Taiwan, and Japan. Attacks have been reported across more than 30 countries spanning North America, Europe, Asia-Pacific, the Middle East, Africa, and Latin America.

By industry, manufacturing and technology/IT services are the most frequently affected sectors, followed by financial services, healthcare, business services, and construction. Notable incidents include attacks against healthcare institutions in the UAE, Taiwan, and Peru, as well as government entities in South Africa and Taiwan. However, no sector is exempt: victims also include organizations in education, retail, logistics, and hospitality.

The overwhelming majority of victims are SMEs with limited cybersecurity infrastructure. These organizations frequently operate without dedicated security teams, leaving gaps in patching, monitoring, and threat detection. These conditions align precisely with NightSpire’s vulnerability-driven access methods.

The group has maintained a sustained operational tempo throughout late 2025 and into early 2026, accumulating over 150 claimed victims worldwide. Periodic large batches of victim postings on the leak site in a single day have placed NightSpire among the most active ransomware operations during those periods.

How NightSpire gains initial access

NightSpire gains initial access primarily through CVE-2024-55591, a critical authentication bypass vulnerability affecting certain versions of FortiOS and FortiProxy.

The vulnerability exists in the Node.js WebSocket module of FortiGate firewall appliances. By sending crafted requests, an unauthenticated attacker can gain super-admin privileges and obtain full control of the device without valid credentials. Fortinet disclosed the flaw on January 14, 2025, by which point hundreds of thousands of internet-facing devices running vulnerable versions were exposed globally. Exploitation by various threat actors was observed as early as November 2024.

NightSpire also employs several secondary access methods:

  • RDP brute-force and credential stuffing against exposed remote desktop services
  • Phishing campaigns using malicious attachments or drive-by downloads disguised as browser or security software updates
  • Exploitation of other vulnerable VPN appliances and unpatched edge devices
  • MFA fatigue attacks combined with VPN credential brute-forcing
  • RMM platform abuse through compromised managed service providers (MSPs)

The diversity of access vectors means the group will exploit whichever path of least resistance is available in a given environment.

Attack lifecycle: from access to encryption

Once inside a network, the group follows a structured three-phase attack chain: lateral movement and privilege escalation, data exfiltration, and encryption.

Phase 1: lateral movement and privilege escalation

NightSpire relies heavily on living-off-the-land techniques, using built-in system binaries (LOLBins) to blend in with normal administrative activity and reduce the likelihood of triggering endpoint detection alerts. The primary LOLBins include PowerShell for command execution, PsExec for remote process deployment, and Windows Management Instrumentation (WMI) for lateral movement.

The group supplements these with third-party tools. Credential harvesting is performed using Mimikatz, which extracts passwords, hashes, and Kerberos tickets from memory to enable escalation to domain admin privileges. Everything.exe is used to enumerate files and directories across the network. AnyDesk is deployed for persistent remote access. The group also establishes persistence through scheduled tasks and registry run keys to maintain access across system reboots.

Phase 2: data exfiltration

Before deploying encryption, NightSpire exfiltrates sensitive data as leverage for its extortion demands. Files are packaged into encrypted archives with 7-Zip, then transferred to attacker-controlled infrastructure using WinSCP, MEGACmd, or Rclone.

Phase 3: encryption and ransom deployment

The encryption payload is a Go-based binary that employs RC4 and XOR obfuscation to evade static analysis. The group also uses extended sleep intervals between encryption operations to avoid triggering real-time detection, and performs log manipulation and temporary file cleanup after payload execution. The group uses a hybrid encryption strategy optimized for speed:

  • Block encryption (in 1 MB units) for large file types: .iso, .vhdx, .vmdk, .zip, .vib, .bak, .mdf, .flt, and .ldf
  • Full encryption for all other file extensions

Each file is encrypted with a unique AES symmetric key, which is then encrypted with the attacker’s RSA public key and appended to the file. Encrypted files receive the .nspire extension, and a ransom note titled readme.txt is dropped in affected directories. NightSpire also encrypts files stored in OneDrive cloud storage without changing file extensions, making cloud compromise harder to detect.

NightSpire ransom note (readme.txt)

Hi, Your hotel is hacked!
Your servers and files are locked and copied.
===================================
REMEMBER!
We also locked files in OneDrive.
And we did not change the extensions of files in OneDrive.
===================================

You cannot decrypt yourself without our key, even you’re using third party software or from help of security companies.
Please do not waste your time.
Your files will be easily decrypted with pay. Never worry.

We’re waiting here with UUID [snip]
Method * : [email protected]
Method 1 : Our qTox ID
3B61CFD6E12D789A439816E1DE08CFDA58D76EB0B26585AA34CDA617C41D5943CDD15DB0B7E6
Method 2 : Browse our Onion Site with Tor Browser
http://nspiremki***************gq3mczx3dqogid.onion
http://a2lyiiaq4***************kolapfrzk772dk24iq32cznjsmzpanqd.onion
We’re waiting here with UUID ***************

Extortion tactics and victim communication

NightSpire operates a Tor-based Dedicated Leak Site (DLS) that serves as the central platform for its extortion campaigns. The site is organized as a structured database listing victim company names, breach dates, and countdown timers indicating ransom payment deadlines, sometimes as short as 48 hours.

The group uses multiple communication channels to negotiate with victims, including ProtonMail, OnionMail, Telegram, qTox, and custom Tor-hosted chat portals. Negotiation tactics include offers to delete stolen data and demonstrations of decryption capability as proof that recovery is possible. When payment deadlines expire, NightSpire publishes victim data as free downloads on its DLS and, in some cases, threatens to sell the data to third parties.

However, several indicators suggest that NightSpire’s operational maturity does not match its aggressive posture. The group has used Gmail addresses to communicate with victims, a significant tradecraft weakness that creates a larger digital footprint and increases susceptibility to law enforcement action. Examination of the leak site has revealed visible infrastructure fingerprints, including exposed Apache, OpenSSL, and PHP version information, providing technical intelligence that could support countermeasures or takedown efforts. Collectively, these operational errors suggest a group that lacks the tradecraft maturity of established ransomware operations.

Indicators of compromise and detection guidance

Indicators of compromise observed in NightSpire incidents

The following indicators have been observed in confirmed NightSpire intrusions.

Indicator and context:

  • .nspire file extension on encrypted files: the primary NightSpire artifact.
  • OneDrive files encrypted without an extension change: files appear normal but fail to open, which delays detection of cloud compromise.
  • Ransom note readme.txt with Tor chat links and a qTox ID: dropped in affected directories; contains negotiation portal URLs and victim identifiers.
  • Contact emails [email protected], [email protected], [email protected], [email protected]: observed in victim communications and ransom notes. Gmail usage is a tradecraft weakness; ProtonMail and OnionMail are the primary negotiation channels.
  • qTox ID 3B61CFD6E12D789A439816E1DE08CFDA58D76EB0B26585AA34CDA617C41D5943CDD15DB0B7E6: encrypted messaging contact provided in ransom notes.
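The two file-level indicators above (the .nspire extension, and OneDrive files that keep their extension but no longer open) plus the block-versus-full encryption split described in Phase 3 can be turned into a simple triage sweep. The script below is an added example written for this article, not Proven Data's tooling and not code recovered from the ransomware. It assumes the file-signature table and the 7.5 bits-per-byte entropy threshold are reasonable heuristics (both are assumptions, not values from the article), and it builds its own constructed sample tree in a temporary directory so it runs offline.

```python
import math
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Extensions the article says NightSpire encrypts in 1 MB blocks; every other
# extension is fully encrypted. Either way the first 1 MB of a hit file is
# ciphertext, so reading one chunk is enough for triage.
BLOCK_ENCRYPTED_EXTS = {".iso", ".vhdx", ".vmdk", ".zip", ".vib", ".bak", ".mdf", ".flt", ".ldf"}
CHUNK = 1024 * 1024
ENTROPY_THRESHOLD = 7.5  # assumption: bits per byte; ciphertext sits near 8.0

# Well-known file signatures (general knowledge, not from the article) used to
# catch files whose extension is intact but whose content no longer matches it.
MAGIC: Dict[str, bytes] = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
# Words from the note quoted in the article; a readme.txt is only flagged when
# it carries at least one, so ordinary project readmes are skipped.
NOTE_MARKERS = ("onion", "qtox", "onedrive", "locked")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encryption_mode(original_ext: str) -> str:
    """Which of the article's two modes applies to the pre-encryption extension."""
    return "block" if original_ext in BLOCK_ENCRYPTED_EXTS else "full"


def classify(path: Path) -> Optional[str]:
    """Return a finding label for one file, or None if nothing looks wrong."""
    ext = path.suffix.lower()
    if ext == ".nspire":
        # db.bak.nspire -> original extension .bak -> expect block encryption
        return "nspire_" + encryption_mode(Path(path.stem).suffix.lower())
    with path.open("rb") as fh:
        head = fh.read(CHUNK)
    if path.name.lower() == "readme.txt":
        text = head.decode("utf-8", errors="ignore").lower()
        return "ransom_note" if any(m in text for m in NOTE_MARKERS) else None
    expected = MAGIC.get(ext)
    if expected is None or head.startswith(expected):
        return None
    # Known extension but wrong header: the OneDrive pattern if the content is
    # also near-random, otherwise just a mismatch worth a second look.
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted_without_extension_change"
    return "magic_mismatch"


def scan_tree(root: Path) -> List[Tuple[str, str]]:
    """Walk `root` and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            label = classify(p)
            if label:
                findings.append((p.relative_to(root).as_posix(), label))
    return sorted(findings)


def build_sample_tree(root: Path) -> None:
    """Constructed sample files for the demo (not real incident data)."""
    for d in ("OneDrive", "share", "src"):
        (root / d).mkdir()
    (root / "OneDrive" / "logo.png").write_bytes(MAGIC[".png"] + b"\x00" * 4096)   # healthy
    (root / "OneDrive" / "budget.docx").write_bytes(os.urandom(64 * 1024))         # cloud victim
    (root / "share" / "db.bak.nspire").write_bytes(os.urandom(64 * 1024))          # local victim
    (root / "share" / "readme.txt").write_text("Your servers and files are locked. We also locked files in OneDrive.\n")
    (root / "share" / "policy.pdf").write_bytes(MAGIC[".pdf"] + b"1.7\n" + b"A" * 2048)
    (root / "src" / "README.txt").write_text("Build instructions for the reporting tool.\n")


def demo() -> Dict[str, str]:
    """Build the sample tree in a temp dir and return {relative path: finding}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return dict(scan_tree(root))


if __name__ == "__main__":
    for path, finding in demo().items():
        print(f"{finding:36} {path}")
```

Point scan_tree at a synced OneDrive folder or a file share to get the same output on real data; the "nspire_block" label is a reminder that large files in the article's block list may still contain unencrypted regions between the 1 MB units, which matters when planning recovery.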

Attack chain indicators

NightSpire uses widely available tools that many threat actors also employ. These are not unique to the group, but their combined presence, especially alongside the identification markers above, should trigger investigation.

Key indicators by stage:

  • Initial access: unauthorized super-admin accounts on FortiGate (CVE-2024-55591); unexplained firewall policy changes; VPN/RDP brute-force patterns.
  • Credential access: Mimikatz execution or LSASS memory access.
  • Discovery: AD enumeration from unexpected sources; Everything.exe on servers where it was not installed; PowerShell file enumeration.
  • Lateral movement: PsExec service creation (PSEXESVC.exe) across multiple hosts; WMI remote execution from a single source; unauthorized AnyDesk installations.
  • Exfiltration: 7-Zip archives followed by outbound WinSCP, MEGACmd, or Rclone transfers; unusual data volumes leaving the network.

Priority detection combinations

Individual indicators above may have legitimate explanations in isolation. The following sequences are characteristic of a NightSpire ransomware intrusion and should trigger immediate containment:

  • FortiOS compromise → internal reconnaissance: Unauthorized admin account on a FortiGate device, followed by VPN access from an unrecognized source and Everything.exe or PowerShell enumeration on internal systems. This is NightSpire’s primary kill chain entry point via CVE-2024-55591.
  • Staging → exfiltration: Everything.exe execution on a server, followed by 7-Zip archive creation, followed by outbound WinSCP, MEGACmd, or Rclone connections. This three-step sequence is NightSpire’s standard data theft workflow and typically precedes the encryption phase.
  • Credential dump → lateral spread: Mimikatz or LSASS access on a domain controller, followed by PsExec or WMI execution targeting multiple endpoints in rapid succession. This indicates NightSpire is preparing to deploy the encryption payload across the environment.
  • Endpoint encryption → cloud files unreadable with extensions unchanged: .nspire files appearing on local systems while OneDrive files simultaneously become inaccessible without any extension change. This combination indicates that NightSpire encrypts local and cloud storage in parallel.
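The stage indicators and the "staging → exfiltration" and "credential dump → lateral spread" sequences above are sequence detections, not single-event matches, so a SIEM rule needs ordering and a time window. The correlation below is an added example written for this article (not Proven Data's detection content) that runs the two sequences over constructed, Sysmon-style process-creation events; the field names, the six-hour and fifteen-minute windows, and the three-target threshold are assumptions chosen for the demo, not values stated in the article.

```python
import ntpath
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]

# Constructed sample events (normalized process creations); ts is seconds from
# the start of the observation window, target is a remote host or endpoint.
EVENTS: List[Event] = [
    {"ts": 0,    "host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Tools\Everything.exe",           "target": ""},
    {"ts": 900,  "host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Program Files\7-Zip\7z.exe",     "target": ""},
    {"ts": 1800, "host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Users\Public\rclone.exe",        "target": "cloud-remote"},
    {"ts": 2000, "host": "DC01", "user": "CORP\\admin2",     "image": r"C:\Windows\Temp\mimikatz.exe",      "target": ""},
    {"ts": 2100, "host": "DC01", "user": "CORP\\admin2",     "image": r"C:\Tools\PsExec.exe",               "target": "WS01"},
    {"ts": 2120, "host": "DC01", "user": "CORP\\admin2",     "image": r"C:\Tools\PsExec.exe",               "target": "WS02"},
    {"ts": 2140, "host": "DC01", "user": "CORP\\admin2",     "image": r"C:\Windows\System32\wbem\WMIC.exe", "target": "WS03"},
    # Benign: a user archives a folder and uploads it, but no Everything.exe came first.
    {"ts": 5000, "host": "WS09", "user": "CORP\\jdoe",       "image": r"C:\Program Files\7-Zip\7z.exe",     "target": ""},
    {"ts": 5300, "host": "WS09", "user": "CORP\\jdoe",       "image": r"C:\Program Files\WinSCP\WinSCP.exe", "target": "sftp.partner.example"},
]


def exe(e: Event) -> str:
    """Lower-cased image file name, so rules are path-independent."""
    return ntpath.basename(str(e["image"])).lower()


def is_everything(e: Event) -> bool:
    return exe(e) == "everything.exe"


def is_7zip(e: Event) -> bool:
    return exe(e) in {"7z.exe", "7za.exe", "7zg.exe"}


def is_exfil_tool(e: Event) -> bool:
    return exe(e) in {"winscp.exe", "rclone.exe", "megacmd.exe", "mega-cmd.exe"}


def is_cred_dump(e: Event) -> bool:
    # A real pipeline would also feed Sysmon event 10 (LSASS access) in here.
    return exe(e) == "mimikatz.exe" or bool(e.get("lsass_access"))


def is_remote_exec(e: Event) -> bool:
    return exe(e) in {"psexec.exe", "psexec64.exe", "wmic.exe"}


def ordered_sequence(events: List[Event], steps: List[Callable[[Event], bool]],
                     window: int) -> Optional[List[Event]]:
    """First chain with one event per step, in order, whose span fits in `window` seconds.

    Greedy: takes the earliest match for step 0 and walks forward; adequate for
    triage, not an exhaustive matcher."""
    ordered = sorted(events, key=lambda e: e["ts"])
    for start in range(len(ordered)):
        if not steps[0](ordered[start]):
            continue
        chain = [ordered[start]]
        i = start + 1
        for step in steps[1:]:
            while i < len(ordered) and not step(ordered[i]):
                i += 1
            if i == len(ordered):
                break
            chain.append(ordered[i])
            i += 1
        if len(chain) == len(steps) and chain[-1]["ts"] - chain[0]["ts"] <= window:
            return chain
    return None


def credential_dump_then_spread(events: List[Event], window: int = 900,
                                min_targets: int = 3) -> Optional[Dict[str, Any]]:
    """Credential dump followed by remote execution against >= min_targets distinct hosts."""
    ordered = sorted(events, key=lambda e: e["ts"])
    for idx, e in enumerate(ordered):
        if not is_cred_dump(e):
            continue
        targets = {x["target"] for x in ordered[idx + 1:]
                   if is_remote_exec(x) and x["target"] and x["ts"] - e["ts"] <= window}
        if len(targets) >= min_targets:
            return {"rule": "credential_dump_to_lateral_spread", "host": e["host"],
                    "targets": sorted(targets), "events": [e]}
    return None


def detect(events: List[Event]) -> List[Dict[str, Any]]:
    """Run both sequence rules per host and return the alerts raised."""
    alerts: List[Dict[str, Any]] = []
    hosts = sorted({e["host"] for e in events})
    for host in hosts:
        evs = [e for e in events if e["host"] == host]
        chain = ordered_sequence(evs, [is_everything, is_7zip, is_exfil_tool], window=6 * 3600)
        if chain:
            alerts.append({"rule": "staging_to_exfil", "host": host, "events": chain})
        spread = credential_dump_then_spread(evs)
        if spread:
            alerts.append(spread)
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["rule"], a["host"], [exe(e) for e in a["events"]], a.get("targets", ""))
```

Because the rules key on image names rather than paths, renaming a tool or running it from an unusual directory does not dodge them; conversely, a tool that has been renamed to something else entirely will need a hash or signer check, which is one reason the article pairs these indicators with EDR telemetry rather than process names alone.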

Defense and response

Preventive controls

The following checklist is derived directly from NightSpire ransomware’s observed tactics, techniques, and procedures. Organizations without existing cybersecurity defenses or an incident response plan should prioritize establishing them before an attack occurs.

  1. Patch FortiOS and FortiProxy. Apply the patches documented in Fortinet’s advisory for CVE-2024-55591. For FortiOS, this means version 7.0.17 or later. Audit FortiGate devices for unauthorized administrative accounts and unexplained configuration changes.
  2. Restrict and monitor remote access. Disable unused RDP services. Enforce multi-factor authentication on all VPN and RDP access points. Restrict RDP to dedicated jump hosts and monitor for brute-force login attempts.
  3. Harden endpoint defenses. Deploy EDR/XDR solutions capable of detecting unauthorized tool execution and file encryption behavior. Use application control policies (AppLocker or WDAC) to block unsigned Go binaries. Monitor for .nspire file creation and readme.txt drops.
  4. Control lateral movement. Implement least privilege access across all accounts. Segment critical network zones. Monitor and restrict execution of PowerShell, PsExec, and WMI. Block WinSCP and MEGACmd where they are not required for business operations.
  5. Protect backup and cloud storage. Maintain backups following the 3-2-1-1-0 strategy: three copies, two media types, one offsite, one offline, and zero unverified restores. Monitor OneDrive accounts for unauthorized encryption activity. Verify that OneDrive version history is active and retains sufficient previous file versions to support recovery.
  6. Monitor for exfiltration. Watch for unusual outbound data volumes to MEGA cloud storage, WinSCP, or Rclone-based transfers. Block connections to known malicious domains, Tor exit nodes, and C2 infrastructure.
  7. Prepare incident response playbooks aligned to NightSpire’s attack chain. Pre-configure automated host isolation for confirmed ransomware indicators and establish escalation procedures for the detection combinations described above.
  8. Train employees. Conduct awareness training focused on phishing campaigns that disguise malware as browser updates or security software.
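Item 1 asks for two checks on FortiGate devices: that the FortiOS build is at or beyond the fixed version, and that no administrative accounts exist beyond the ones you created. The script below is an added example written for this article, not Fortinet or Proven Data code. It parses the `config system admin` section of a CLI configuration export, compares it with an approved account list, and judges a 7.0.x version string against the 7.0.17 fix the article cites. The configuration excerpt is constructed sample data in the FortiOS CLI layout (edit/set/next blocks), the account names are invented, and only the small subset of the grammar needed here is handled.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the FortiOS CLI configuration layout (sample data,
# not a real device export). A real export contains many more sections.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "svc-tmp01"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config system global
    set admin-sport 443
end
"""

Admin = Dict[str, object]


def parse_admins(config_text: str) -> Dict[str, Admin]:
    """Extract the entries of `config system admin` as {name: attributes}."""
    admins: Dict[str, Admin] = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":          # end of the admin section
            break
        m = re.match(r'^edit "(.+)"$', line)
        if m:
            current = {"trusthosts": [], "accprofile": "", "two_factor": ""}
            admins[m.group(1)] = current
            continue
        if line == "next":         # end of one account entry
            current = None
            continue
        m = re.match(r"^set (\S+) (.+)$", line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip('"')
            if key.startswith("trusthost"):
                current["trusthosts"].append(value)
            elif key == "accprofile":
                current["accprofile"] = value
            elif key == "two-factor":
                current["two_factor"] = value
    return admins


def audit_admins(config_text: str, approved: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare device admins with an approved {name: profile} list.

    An unapproved super_admin account is the post-exploitation artifact the
    article lists for CVE-2024-55591; the remaining checks are general hardening."""
    findings: List[Tuple[str, str]] = []
    for name, a in parse_admins(config_text).items():
        if name not in approved:
            kind = "unapproved_super_admin" if a["accprofile"] == "super_admin" else "unapproved_admin"
            findings.append((name, kind))
            continue
        if a["accprofile"] != approved[name]:
            findings.append((name, f"profile_changed:{a['accprofile']}"))
        if not a["trusthosts"]:
            findings.append((name, "no_trusthost_restriction"))
        if a["accprofile"] == "super_admin" and not a["two_factor"]:
            findings.append((name, "super_admin_without_two_factor"))
    return sorted(findings)


def fortios_70_unpatched(version: str) -> bool:
    """True when a 7.0.x build is below 7.0.17, the fixed version the article
    gives for CVE-2024-55591. Other release branches are not judged here."""
    parts = tuple(int(p) for p in version.split("."))
    return parts[:2] == (7, 0) and parts < (7, 0, 17)


if __name__ == "__main__":
    approved = {"admin": "super_admin", "netops": "prof_admin"}   # constructed allowlist
    for account, finding in audit_admins(SAMPLE_CONFIG, approved):
        print(f"{account:12} {finding}")
    for v in ("7.0.15", "7.0.17"):
        print(v, "needs patching" if fortios_70_unpatched(v) else "at or beyond 7.0.17")
```

Run it against a backup taken with the device's configuration export so the audit can be repeated after every change window; the approved list should live in version control, not on the firewall, so that an account added through a compromised management interface cannot also add itself to the allowlist.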

If you are already infected

If NightSpire ransomware has been deployed in your environment, the following steps should be taken immediately:

  • Isolate affected systems from the network to prevent further lateral spread.
  • Do not wait for a public decryptor: none is currently available.
  • Understand the risks before considering payment. Paying a ransom does not guarantee decryption, may fund further criminal operations, and can expose your organization to additional legal and regulatory risk. Weighing the pros and cons of paying ransomware is critical before making any decision.
  • Preserve all evidence, including system logs, ransom notes, and encrypted file samples. This evidence is critical for digital forensics investigations and potential law enforcement action.
  • Check Volume Shadow Copies. In observed incidents, NightSpire has not deleted shadow copies, meaning partial or full recovery from VSS snapshots may be possible.
  • Check OneDrive version history. Microsoft 365’s built-in versioning and ransomware-detection features may enable recovery of cloud-stored files.
  • Engage a professional response team to contain the breach, conduct forensic analysis, and support recovery around the clock.
  • Report the incident to law enforcement, including the FBI’s Internet Crime Complaint Center (IC3) and CISA.

Understanding how to handle a ransomware attack in its early stages can significantly reduce the scope of damage and accelerate recovery.

Author

  • Laura Pompeu

    Laura Pompeu is a content editor and strategy leader at Proven Data, bringing over 10 years of digital media experience. Leveraging her background in journalism, SEO, and marketing, Laura shapes cybersecurity and technology content to be insightful yet accessible.
