Decoding NightSpire: Ransomware IOCs Aren’t Set in Stone

NightSpire ransomware incidents show varying TTPs across separate intrusions: initial access over RDP, third-party remote access tools, non-native tooling brought in for data staging and exfiltration, and ransom note filenames and encryptor hashes that changed between incidents. These variations complicate attribution and detection, particularly when it is unclear whether operations are run in-house or by RaaS affiliates, and they argue for pairing static IoCs with behavioural detections.

Keypoints

  • NightSpire was observed in multiple incidents between December 2025 and March 2026 with differing TTPs and modified ransomware artifacts (ransom notes and encryptor hashes).
  • Investigations revealed initial access via RDP on at least one endpoint, followed by installation of remote access tools (Chrome Remote Desktop, AnyDesk) and non-native tooling.
  • Threat actors used Everything for file discovery, 7Zip for archiving/data staging, MEGASync for likely exfiltration, and VMware Workstation and WPS Office for other activities.
  • Two distinct SHA256 hashes for enc.exe were identified from Dec 2, 2025 and Mar 25, 2026, indicating a modified or different encryptor build.
  • Encrypted files used the .nspire extension and ransom note filenames changed between incidents (_nightspire_readme.txt and [nspire_msg].txt).
  • Evidence suggests either an evolution of a single group’s tooling or variation caused by different affiliates (possible RaaS behavior), complicating IoC and TTP reliability.
  • Some RaaS families embed commands to terminate processes or delete Volume Shadow Copies, lowering operational steps required by affiliates; NightSpire incidents also highlight non-native tooling being brought into environments.

MITRE Techniques

  • [T1021.001] Remote Desktop Protocol – Used for initial access: (‘the threat actor had accessed one endpoint via RDP several days prior to the Huntress agent being installed’)
  • [T1021] Remote Services – Use of third‑party remote access tools for persistence and remote control: (‘foothold signals for Chrome Remoting Desktop and AnyDesk were generated’)
  • [T1047] Windows Management Instrumentation – Public reporting indicates use of native utilities/LOLBins like WMI: (‘Publicly available reporting of NightSpire ransomware indicates that attacks have included the use of native utilities, or “LOLBins,” like WMI or PsExec.’)
  • [T1490] Inhibit System Recovery – RaaS variants include commands to delete Volume Shadow Copies to impede recovery: (‘launch a PowerShell command, as a child process, to delete available Volume Shadow Copies (VSCs)’)
  • [T1083] File and Directory Discovery – Threat actor performed file discovery via Everything to locate items for staging: (‘accessing files via the Everything interface.’)
  • [T1074] Data Staged – Use of archival tools to prepare data for exfiltration (7Zip used to archive files): (‘running 7Zip to archive files from a specific folder.’)
  • [T1567.002] Exfiltration Over Web Service (Cloud Storage) – Cloud sync tool used for likely data exfiltration (MEGASync observed): (‘running MEGASync, likely for data exfiltration’)

Indicators of Compromise

  • [SHA256 Hash] File encryptor (enc.exe) – bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355 (Dec 2, 2025), ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7 (Mar 25, 2026)
  • [File Extension] Encrypted files – .nspire
  • [File Name] Ransom note filenames – _nightspire_readme.txt, [nspire_msg].txt
  • [Email Address] Attacker contact / tool association – prince1990905@gmail[.]com (associated with Chrome Remoting Desktop activity on 24 & 25 Mar 2026)
  • [File Path] Threat actor workspace / downloads – C:\Users\[REDACTED]\Downloads (identified as an ops folder on 25 Mar 2026)
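The keypoints, the MITRE mapping and the IoC list above make one argument: the enc.exe hash changed between the December 2025 and March 2026 incidents, so a hash-only match misses a rebuilt encryptor, while the cluster of non-native tooling (remote access tool, Everything, 7Zip, MEGASync, shadow-copy deletion) stayed recognisable. The following is an added example, not code from the Huntress post or from any NightSpire tooling. It runs both strategies over constructed process events. The hashes, extension and ransom note names are the ones listed on this page; the executable image names, the alert threshold of three tool classes, the host names, the user name "jdoe" and the "unseen build" hash are assumptions for illustration.

```python
"""Added example, not code from the Huntress post or from any NightSpire tooling.

Runs two detection strategies over constructed process events:
  1. an IoC match on the enc.exe SHA256 values the page lists, and
  2. a behavioural match on the cluster of non-native tooling the page describes
     (remote access tool, Everything, 7Zip, MEGASync, shadow-copy deletion).
A rebuilt encryptor with an unseen hash defeats (1) but still trips (2).
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

# IoCs taken from the page.
DEC_2025_BUILD = "bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355"
MAR_2026_BUILD = "ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7"
ENC_EXE_SHA256 = {DEC_2025_BUILD, MAR_2026_BUILD}
RANSOM_NOTE_NAMES = {"_nightspire_readme.txt", "[nspire_msg].txt"}
ENCRYPTED_EXT = ".nspire"

# Executable names are ASSUMPTIONS for illustration: the page names tools, not binaries.
# Map them to whatever image names your EDR actually records.
TOOL_CLASSES = {
    "remote_access": {"anydesk.exe", "remoting_host.exe"},
    "discovery": {"everything.exe"},
    "staging": {"7z.exe", "7zg.exe"},
    "exfil": {"megasync.exe"},
}
ALERT_THRESHOLD = 3  # assumption: three distinct classes on one host is worth escalating


@dataclass
class ProcEvent:
    host: str
    image: str      # executable basename, any case
    cmdline: str
    sha256: str = ""


def file_indicator(path):
    """Classify a path against the file-name and extension IoCs on the page."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in {n.lower() for n in RANSOM_NOTE_NAMES}:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted_file"
    return None


def is_shadow_copy_deletion(cmdline):
    """Match Volume Shadow Copy deletion child commands of the kind described under T1490."""
    c = " ".join(cmdline.lower().split())
    return (("vssadmin" in c and "delete shadows" in c)
            or ("win32_shadowcopy" in c and "delete" in c)
            or ("wmic" in c and "shadowcopy delete" in c))


def hash_hits(events, known_hashes):
    """Hosts where an executed image matches a known encryptor hash."""
    return {e.host for e in events if e.sha256 and e.sha256.lower() in known_hashes}


def behaviour_profile(events):
    """host -> set of tool classes and behaviours observed on that host."""
    seen = defaultdict(set)
    for e in events:
        img = e.image.lower()
        for cls, images in TOOL_CLASSES.items():
            if img in images:
                seen[e.host].add(cls)
        if is_shadow_copy_deletion(e.cmdline):
            seen[e.host].add("inhibit_recovery")
    return dict(seen)


def behaviour_hits(events, threshold=ALERT_THRESHOLD):
    """Hosts whose observed cluster of non-native tooling meets the threshold."""
    return {h for h, cls in behaviour_profile(events).items() if len(cls) >= threshold}


def compare(events, known_hashes):
    """Side-by-side result of the two strategies, sorted for stable comparison."""
    return {"hash_only": sorted(hash_hits(events, known_hashes)),
            "behaviour": sorted(behaviour_hits(events))}


# Constructed events, not real telemetry. WS01 mirrors the Dec 2025 intrusion with the
# first known hash; WS02 mirrors a later intrusion where enc.exe was rebuilt (hash not
# on any IoC list) but the same tooling cluster was brought into the environment.
UNSEEN_BUILD = hashlib.sha256(b"hypothetical rebuilt enc.exe").hexdigest()
SAMPLE_EVENTS = [
    ProcEvent("WS01", "enc.exe", r"C:\Users\jdoe\Downloads\enc.exe", sha256=DEC_2025_BUILD),
    ProcEvent("WS02", "AnyDesk.exe", r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    ProcEvent("WS02", "Everything.exe", "Everything.exe"),
    ProcEvent("WS02", "7z.exe", r'7z.exe a staged.7z "C:\Shares\Finance"'),
    ProcEvent("WS02", "MEGAsync.exe", "MEGAsync.exe"),
    ProcEvent("WS02", "powershell.exe",
              "powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""),
    ProcEvent("WS02", "enc.exe", r"C:\Users\jdoe\Downloads\enc.exe", sha256=UNSEEN_BUILD),
]

if __name__ == "__main__":
    # Even with both published hashes loaded, the rebuilt encryptor on WS02 is invisible
    # to the IoC match; the tooling cluster still flags it.
    print(compare(SAMPLE_EVENTS, ENC_EXE_SHA256))
```

The threshold-based behavioural rule is deliberately coarse: any one of these tools is legitimate on its own, so the signal is several of them appearing together on a host that does not normally run them, combined with file events hitting the `.nspire` extension or the ransom note names. Tune `TOOL_CLASSES` and `ALERT_THRESHOLD` to the baseline of the environment rather than taking the assumed values as given.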


Read more: https://www.huntress.com/blog/nightspire-ransomware