Emulating the Persuasive NightSpire Ransomware

NightSpire is a financially motivated ransomware and data extortion group that emerged in early 2025, runs double extortion via a dedicated leak site, and has recently launched a RaaS program to expand operations. Its Go-based payload appends the .nspire extension, uses hybrid partial/full encryption, and leverages living-off-the-land tools (PowerShell, WMI, PsExec) and credential dumping (Mimikatz); AttackIQ released an emulation to validate defenses against these behaviors. #NightSpire #AttackIQ

Key points

  • NightSpire emerged in early 2025 as a closed operator-driven ransomware/data extortion group and has since announced a ransomware-as-a-service (RaaS) program to scale via affiliates.
  • The group targets small- and medium-sized organizations across sectors (manufacturing, technology, healthcare, financial services, government) in over 30 countries.
  • The ransomware payload is written in Go, appends the “.nspire” extension, uses a hybrid encryption approach (partial block encryption for large files and full encryption for smaller files), and drops victim-specific ransom notes with UUIDs.
  • Initial access vectors include phishing and exploitation of exposed services, notably observed abuse of CVE-2024-55591 in FortiOS appliances.
  • Post-compromise activity relies heavily on living-off-the-land techniques (PowerShell, WMI, PsExec) and credential dumping tools such as Mimikatz to move laterally and escalate access.
  • AttackIQ published an emulation of NightSpire behaviors (including discovery, profiling, and encryption stages) to help organizations validate detection and prevention controls and improve incident response readiness.

MITRE Techniques

  • [T1105] Download and Transfer of Files – NightSpire samples are downloaded and saved to disk for testing delivery prevention (“The Nightspire Ransomware Sample (SHA256: c5f526cc… ) is first downloaded and then saved to disk in two separate scenarios to test network and endpoint controls”).
  • [T1124] System Time Discovery – The malware checks system time via the GetSystemTimeAsFileTime API to obtain UTC time for profiling (“This scenario simulates checking system time using the GetSystemTimeAsFileTime Windows API, which returns the current UTC time.”).
  • [T1012] Query Registry – NightSpire retrieves MachineGUID from the registry using reg query to establish a unique victim identifier (“It targets the MachineGUID entry within the HKLM\SOFTWARE\Microsoft\Cryptography registry key which contains a unique identifier of the system.”).
  • [T1082] System Information Discovery – The ransomware gathers system information via APIs such as GetSystemInfo, GetComputerNameExW, GetLogicalDrives, and FindFirstVolumeW to profile hosts and enumerate storage (“This scenario executes the GetSystemInfo Windows native API call to retrieve system information.”).
  • [T1033] Account Discovery (System Owner/User Discovery) – NightSpire retrieves the logged-in user and account name using GetUserNameW/GetUserNameExW to build host context (“This scenario executes the GetUserNameW Windows native API call to retrieve the account name associated with the local computer.”).
  • [T1016] System Network Configuration Discovery – The malware calls GetAdaptersInfo to enumerate network adapters and connectivity (“This scenario executes GetAdaptersInfo Windows native API call to retrieve adapter information from the local computer.”).
  • [T1057] Process Discovery – NightSpire enumerates running processes using CreateToolhelp32Snapshot and iterates with Process32FirstW/Process32NextW (“This scenario executes the CreateToolhelp32Snapshot Windows native API call to receive a list of running processes and iterates through each process object with Process32FirstW and Process32NextW.”).
  • [T1007] Service Discovery – The ransomware queries service status using QueryServiceStatusEx and EnumDependentServices to identify active services (“This scenario executes the QueryServiceStatusEx and EnumDependentServices Windows API calls to retrieve information corresponding to a given service.”).
  • [T1120] Drive Type Discovery – NightSpire uses GetDriveTypeW to determine information about physical disks and storage targets (“This scenario retrieves information about the system’s physical disks using the GetDriveTypeW Windows API call.”).
  • [T1083] File and Directory Discovery – The malware enumerates the file system with FindFirstFileW and FindNextFileW to identify files for encryption (“This scenario executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.”).
  • [T1486] Data Encrypted for Impact – NightSpire performs file encryption (AES-256 CBC and RSA-2048) and appends the .nspire extension, using partial block encryption for large files and full encryption for smaller files (“This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by NightSpire ransomware.”).
  • [T1003] Credential Dumping – AttackIQ recommends emulating obfuscated Mimikatz to replicate NightSpire-style credential dumping (“This scenario utilizes an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.”).
  • [T1021.002] Lateral Movement: Remote Services (PAExec) – Emulation includes lateral movement using PAExec (PSExec-like) to move across hosts (“This scenario simulates lateral movement within a network using PAExec, an open-source version of PSExec.”).
  • [T1047] Lateral Movement via WMI – NightSpire emulation covers lateral movement using WMI to execute commands on remote assets (“This scenario attempts to move laterally to any available asset inside the network through the use of WMI.”).
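As an added example (not part of the AttackIQ emulation or the original post), a small Python detection routine that runs over constructed Sysmon-style event lines and flags two of the behaviours listed above: the reg query of MachineGUID used for victim profiling, and a single process writing a burst of files with the .nspire extension. The pipe-delimited event format, the image paths and the burst threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample telemetry (not real logs): "EventID|Image|CommandLine|TargetFilename",
# loosely modelled on Sysmon event 1 (process create) and event 11 (file create).
SAMPLE_EVENTS = r"""
1|C:\Windows\System32\reg.exe|reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGUID|
1|C:\Windows\System32\cmd.exe|cmd /c whoami|
11|C:\Users\bob\Downloads\update.exe||C:\Users\bob\Documents\q1.xlsx.nspire
11|C:\Users\bob\Downloads\update.exe||C:\Users\bob\Documents\plan.docx.nspire
11|C:\Users\bob\Downloads\update.exe||C:\Users\bob\Documents\notes.txt.nspire
11|C:\Program Files\App\app.exe||C:\Users\bob\AppData\cache.tmp
"""

# Victim-ID profiling step described on the page: reg query of the MachineGUID value.
MACHINEGUID_RE = re.compile(r"\breg(?:\.exe)?\s+query\b.*cryptography.*machineguid",
                            re.IGNORECASE)
ENCRYPTED_EXT = ".nspire"  # extension NightSpire appends to encrypted files


def parse_events(text):
    """Split the pipe-delimited sample lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, image, cmdline, target = line.split("|", 3)
        events.append({"id": int(event_id), "image": image,
                       "cmdline": cmdline, "target": target})
    return events


def find_machineguid_queries(events):
    """Return command lines of process-create events that read MachineGUID via reg query."""
    return [e["cmdline"] for e in events
            if e["id"] == 1 and MACHINEGUID_RE.search(e["cmdline"])]


def find_nspire_bursts(events, threshold=3):
    """Map each image that created at least `threshold` '.nspire' files to its count.

    One process writing many files with the NightSpire extension is the impact-stage
    signal; the threshold (an assumed value) keeps a lone stray file from alerting.
    """
    counts = Counter(e["image"] for e in events
                     if e["id"] == 11 and e["target"].lower().endswith(ENCRYPTED_EXT))
    return {image: n for image, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("MachineGUID queries:", find_machineguid_queries(evs))
    print("Encryption bursts:", find_nspire_bursts(evs))
```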

Indicators of Compromise

  • [File Hash] Emulation/sample binaries and identified payloads – SHA-256: c5f526cc62688cf34c49d098dab81e24e4294f832ada57433ef505d5ac6da8f3, 8f58870a3e5df1d904940c7ef2ad160b90ba739c7e5e21e4c908945e0a6f3f60
  • [File Extension] Encrypted files appended by NightSpire – .nspire
  • [Vulnerability/CVE] Exploited exposed services for initial access – CVE-2024-55591 (FortiOS firewall appliances)
  • [Registry Artifact] System-specific identifier used to generate victim IDs – HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID (MachineGUID)

Read more: https://www.attackiq.com/2026/04/14/nightspire-ransomware/