nightspire
Ransomware group profile
Description
NightSpire is a financially motivated ransomware group that emerged in early 2025, targeting small to medium-sized enterprises across various sectors. The group employs a double extortion strategy, encrypting data after exfiltration, and has operated a Dark Web leak site to threaten the public release of stolen data since March 2025.
Key insights
- Utilizes a double extortion model by encrypting stolen data and threatening public release.
- Gains initial access using exploits like CVE-2024-55591, RDP brute-forcing, and phishing.
- Features a custom ransomware payload written in Go that appends the '.nspire' extension to encrypted files.
- Employs living-off-the-land techniques, leveraging legitimate tools for data exfiltration.
- Targets a wide range of industries with ransom demands ranging from $150,000 to $2 million.
- Rapidly advanced from operational immaturity to a robust operation with Ransomware-as-a-Service offerings.
Intelligence
IOCs, YARA/Sigma rules, and related families for nightspire
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for nightspire
- T1486
- T1490
- T1078
- T1046
- T1021
- T1562
- T1059
- T1105
- T1005
- T1071
- T1027
- T1080
Victims (200)
| Company | Domain | Country | Industry | Status | Discovered |
|---|---|---|---|---|---|
| legendsmn (Blue Ox, Paul Bunyan, Lumberjack Electric) | legendsmn.com | US United States | Energy & Utilities | Unknown | 1 day ago |
| Central Texas ***** ***** | — | — | Other | Unknown | 3 days ago |
| Ri***** Co**** Europe S.r.l. | — | — | — | Unknown | 3 days ago |
| G**** R****l*e | — | — | — | Unknown | 4 days ago |
| A*** G*** A*S* | — | NL Netherlands | — | Unknown | 11 days ago |
| ASIA STRATEGIC | — | SG Singapore | Professional Services | Unknown | 11 days ago |
| B****S I******t***l | — | — | Professional Services | Unknown | 4 days ago |
| Unique Litho, Inc | uniquelitho.com | US United States | Manufacturing | Unknown | 11 days ago |
| Sheraton Miramar Resort El Gouna | elgouna.com | EG Egypt | Hospitality | Unknown | 4 days ago |
| Guy E******* & F*******, P.A | — | — | Financial Services | Unknown | 3 days ago |
| dean cosmetic dentistry | deancosmeticdentistry.com | US United States | Healthcare | Unknown | 1 day ago |
| K****** County. Mi**e**ta | — | US United States | Government & Defense | Unknown | 5 days ago |
| GRIP Outreach For Youth | gripyouth.com | US United States | Education | Unknown | 11 days ago |
| Silsbee Police Department | silsbeeisd.org | US United States | Government & Defense | Unknown | 5 days ago |
| Blue Nile Medical Center | bluenilemedical.com | US United States | Healthcare | Unknown | 5 days ago |
| basatamfi | — | EG Egypt | Professional Services | Unknown | 25 days ago |
| Si**** West J******* | — | CU Cuba | Technology | Unknown | 26 days ago |
| Sierra West Jewelers | — | US United States | Retail & E-Commerce | Unknown | 8 days ago |
| la familia adualt day center | lafamiliaadultdaycenter.com | US United States | Healthcare | Unknown | 26 days ago |
| First Mutual Holdings | firstmutual.co.zw | ZW Zimbabwe | Financial Services | Unknown | 14 days ago |
Affected countries (69)
Countries where this group has been reported to target or leak victims.