NightSpire, a ransomware group active since February 2025, employs an aggressive strategy and specialized infrastructure similar to Ransomware-as-a-Service (RaaS) models. The group operates a Dedicated Leak Site (DLS), where it posts victim information and countdown timers for data release. It uses highly threatening language and offers various communication channels for negotiations. NightSpire targets corporations across multiple countries and industries, employing a double-extortion strategy of encrypting and leaking data. The ransomware uses block encryption for specific file types and full encryption for others, and adds the .nspire extension to encrypted files. It inserts the AES symmetric key at the end of each encrypted file, with the key itself secured by RSA public key encryption.

Author: AlienVault
Related Tags:
NightSpire
double-extortion
encryption
south korea
Chemical
Thailand
Construction
China
T1489
Associated Indicators:


