NightSpire is a ransomware group active since February 2025 that operates a Dedicated Leak Site (DLS) with countdown timers and uses highly threatening extortion language while offering ProtonMail, OnionMail, and Telegram channels for negotiations. Their double-extortion operations target corporations across multiple countries and industries, using block encryption for large/virtual-disk-type files and full encryption for other files, appending an RSA-encrypted AES key to encrypted files. #NightSpire #.nspire
Key points
- NightSpire has been active since February 2025 and appears to operate with a RaaS-like, specialized infrastructure.
- The group maintains a Dedicated Leak Site (DLS) with countdown timers and uses highly threatening language to pressure victims.
- NightSpire uses a double-extortion model: encrypting files and threatening to publicly leak stolen data if ransoms are not paid.
- Targets span multiple countries and industries, including U.S. retail/wholesale, Japan chemical/manufacturing, Thailand maritime, UK accounting, China large corporations, Poland manufacturing, Hong Kong business/construction, and Taiwan tech/financial services.
- Encryption methods include block encryption (1MB blocks) for large/virtual disk-type extensions (iso, vhdx, vmdk, zip, vib, bak, mdf, flt, ldf) and full-file encryption for other extensions.
- Encrypted files receive the .nspire extension and contain the AES symmetric key appended to the file and encrypted with an RSA public key.
- AhnLab's report lists its detection names and engine update versions for the ransomware and provides sample MD5 hashes.
MITRE Techniques
- [T1486] Data Encrypted for Impact: NightSpire encrypts files using full-file and block (1MB) encryption methods and appends an RSA-encrypted AES key to encrypted files ("The AES symmetric key used to encrypt the file is inserted at the end of the encrypted file and encrypted with the RSA public key.").
- [T1490] Inhibit System Recovery: volume shadow copy deletion is not reported for this sample ("Volume Shadow Deletion None"); the technique is listed only because it is typical ransomware behaviour in the context of encryption and ransom note creation.
- [T1176] Browser Extensions / External Communication Channels: use of ProtonMail, OnionMail, and Telegram channels to negotiate with victims ("offer various communication channels, such as ProtonMail, OnionMail, and Telegram channels, to negotiate with their victims.").
- [T1598] Data from Information Repositories (Exfiltration for impact/leak site): operation of a Dedicated Leak Site (DLS) to publish victim data and countdown timers to pressure victims ("NightSpire operates a Dedicated Leak Site (DLS) where they post information about their victims and a countdown timer for when the data will be publicly released.").
Indicators of Compromise
- [File Extension] Encrypted files: .nspire (encrypted files in infected folders, ransom note readme.txt shown)
- [File Hash] Sample ransomware binaries: MD5 2bf543faf679a374af5fc4848eea5a98, e2d7d65a347b3638f81939192294eb13
- [File Names] Ransom note: readme.txt (displayed in infected folders alongside .nspire files)
- [Targeted Extensions] Encryption targets: iso, vhdx, vmdk, zip, vib, bak, mdf, flt, ldf (block-encrypted in 1MB units) and all other extensions (full-file encryption)
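The indicators above (the .nspire suffix, the readme.txt ransom note, the two sample MD5 hashes, and the list of extensions the report says are block-encrypted in 1MB units) are enough to write a simple host triage sweep. The script below is an added example written for this summary, not code from AhnLab or the report; it walks a directory tree, lists encrypted files together with the pre-encryption name and the encryption mode the report attributes to that extension, collects ransom notes, and hashes every other file against the published sample MD5s. The `build_demo_tree` and `demo` helpers create a constructed sample tree in a temporary directory so the sweep can be exercised offline; the file names and contents in it are made up.

```python
"""Triage sweep for NightSpire (.nspire) indicators.

Hypothetical defender-side helper (not from the AhnLab write-up): walks a
directory tree and reports files carrying the .nspire extension, ransom notes
named readme.txt, and files whose MD5 matches the published sample hashes.
"""
import hashlib
import os
import tempfile
from collections import Counter

# Sample MD5 hashes published in the write-up.
NIGHTSPIRE_SAMPLE_MD5 = {
    "2bf543faf679a374af5fc4848eea5a98",
    "e2d7d65a347b3638f81939192294eb13",
}

# Original extensions the write-up says are encrypted in 1MB blocks, not in full.
BLOCK_ENCRYPTED_EXTENSIONS = {"iso", "vhdx", "vmdk", "zip", "vib", "bak", "mdf", "flt", "ldf"}
ENCRYPTED_SUFFIX = ".nspire"
RANSOM_NOTE_NAME = "readme.txt"
BLOCK_SIZE = 1024 * 1024  # the 1MB block size named in the report; used here as the hashing chunk size


def original_name(name):
    """Return the pre-encryption file name, or None if the name does not end in .nspire."""
    base = os.path.basename(name)
    if not base.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    return base[: -len(ENCRYPTED_SUFFIX)]


def encryption_mode(original):
    """Classify how the report says a file with this original extension was encrypted."""
    ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    return "block" if ext in BLOCK_ENCRYPTED_EXTENSIONS else "full"


def md5_of(path):
    """Stream a file through MD5 so large virtual-disk files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root):
    """Walk root and return a dict of NightSpire indicators found under it."""
    report = {"encrypted": [], "ransom_notes": [], "hash_matches": [], "modes": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            orig = original_name(name)
            if orig is not None:
                mode = encryption_mode(orig)
                report["encrypted"].append((path, orig, mode))
                report["modes"][mode] += 1
                continue  # encrypted payloads are not hashed against sample binaries
            if name.lower() == RANSOM_NOTE_NAME:
                report["ransom_notes"].append(path)
            if md5_of(path) in NIGHTSPIRE_SAMPLE_MD5:
                report["hash_matches"].append(path)
    return report


def build_demo_tree(root):
    """Create a constructed sample tree (made-up names and contents) for testing the sweep."""
    data = os.path.join(root, "data")
    os.makedirs(data, exist_ok=True)
    for name, payload in (
        ("backup.vmdk" + ENCRYPTED_SUFFIX, os.urandom(64)),  # extension in the block-encrypted list
        ("report.docx" + ENCRYPTED_SUFFIX, os.urandom(64)),  # any other extension: full encryption
        (RANSOM_NOTE_NAME, b"constructed ransom note text\n"),
        ("untouched.log", b"plain log line\n"),
    ):
        with open(os.path.join(data, name), "wb") as fh:
            fh.write(payload)


def demo():
    """Build the constructed tree in a temporary directory, sweep it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return sweep(root)


if __name__ == "__main__":
    result = demo()
    print(f"encrypted files: {len(result['encrypted'])} {dict(result['modes'])}")
    print(f"ransom notes: {len(result['ransom_notes'])}, hash matches: {len(result['hash_matches'])}")
```

To run it against a real host, call `sweep("/path/to/volume")` instead of `demo()`; the returned `modes` counter tells you at a glance how many affected files fall in the block-encrypted class (virtual disks, archives, database files) versus fully encrypted documents, which matters when planning restoration from backups.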
Read more: https://asec.ahnlab.com/en/89913/