NightSpire Ransomware Attack Chain, Tools and Tactics


Key Takeaways

  • NightSpire is a ransomware family first identified in early 2025 using double extortion, stealing files before encryption and threatening to leak them on a Tor-based site if victims refuse to pay.
  • Between March and June 2025, NightSpire hit at least 64 organizations across 33 countries, with the U.S. leading the victim list, followed by Turkey, Hong Kong, Japan, Taiwan, Mexico, Spain, and Egypt.
  • The encryptor is a Go-based executable. It scans directories, appends the .nspire extension to affected files, and drops a ransom note in every folder with encrypted content.
  • Operators use legitimate tools for stealth, including Chrome Remote Desktop and AnyDesk for persistence, Everything for file discovery, 7-Zip for archiving, and MEGAsync for exfiltration to MEGA cloud storage.
  • You can validate your defenses against NightSpire using the Picus Security Validation Platform, which includes threats 79926 (NightSpire Ransomware Download Threat) and 95001 (NightSpire Ransomware Email Threat) in the Picus Threat Library.

NightSpire is an emerging ransomware family first identified in early 2025 that uses traditional double extortion: sensitive files are stolen before encryption takes place, and if the victim refuses to pay the ransom, the criminals threaten to dump the stolen files on their Tor-based leak website. Victims are distributed globally, but the U.S. tops the list, followed by Turkey, Hong Kong, Japan, Taiwan, Mexico, Spain, and Egypt [1].
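The behaviour listed in the key takeaways can be turned into a host triage check. The sketch below is an added example, not code from the original article or from Picus; the executable image names, the 24-hour window, the two-folder threshold and the sample telemetry are all assumptions constructed for illustration.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed image names: the usual executable names of the tools the takeaways
# list. Adjust them to what your own process telemetry records.
STAGE = {"anydesk.exe": "remote_access", "remoting_host.exe": "remote_access",
         "everything.exe": "discovery", "7z.exe": "archiving",
         "7zg.exe": "archiving", "megasync.exe": "exfiltration"}
WINDOW = timedelta(hours=24)   # assumed correlation window
MIN_DIRS = 2                   # assumed: .nspire files in at least this many folders

# Constructed sample telemetry, one event per line: time,host,kind,path
SAMPLE = r"""2025-05-02T09:00:00,FS01,proc,C:\Program Files (x86)\AnyDesk\AnyDesk.exe
2025-05-02T09:20:00,FS01,proc,C:\Tools\Everything.exe
2025-05-02T10:05:00,FS01,proc,C:\Program Files\7-Zip\7z.exe
2025-05-02T10:40:00,FS01,proc,C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe
2025-05-02T13:00:00,FS01,file,D:\Finance\q1.xlsx.nspire
2025-05-02T13:00:02,FS01,file,D:\HR\staff.docx.nspire
2025-05-02T11:00:00,WS07,proc,C:\Program Files\7-Zip\7zG.exe
2025-05-02T11:30:00,WS07,file,C:\Users\amy\notes.nspire.bak
"""

def triage(text):
    """Return, per host, the tool stages seen and two ransomware indicators."""
    first_seen = defaultdict(dict)   # host -> stage -> first timestamp
    dirs = defaultdict(set)          # host -> folders holding .nspire files
    # ISO timestamps sort lexicographically, so sorted() gives time order.
    for ts, host, kind, path in sorted(csv.reader(io.StringIO(text))):
        p, when = PureWindowsPath(path), datetime.fromisoformat(ts)
        if kind == "proc" and p.name.lower() in STAGE:
            first_seen[host].setdefault(STAGE[p.name.lower()], when)
        elif kind == "file" and p.suffix.lower() == ".nspire":
            dirs[host].add(str(p.parent).lower())
    report = {}
    for host in set(first_seen) | set(dirs):
        s = first_seen[host]
        # An archiver followed by the sync client inside the window suggests
        # data staging; either tool alone is ordinary administration.
        staged = ("archiving" in s and "exfiltration" in s
                  and timedelta(0) <= s["exfiltration"] - s["archiving"] <= WINDOW)
        report[host] = {"stages": sorted(s), "exfil_staging": staged,
                        "encrypted": len(dirs[host]) >= MIN_DIRS}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because every tool in the chain is legitimate software, the check alerts on the ordered combination and on the .nspire extension spreading across folders rather than on any single binary.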
