
NightSpire Ransomware Expands Reach with Aggressive Extortion Deadlines

Red | Attack Report

NightSpire Ransomware: Global Double-Extortion Campaign Targeting Multiple Industries

Summary

First observed in February 2025, the NightSpire ransomware group has rapidly emerged as a significant global threat. Operating under a Ransomware-as-a-Service (RaaS) model, NightSpire has targeted industries across retail, manufacturing, healthcare, chemicals, finance, maritime, education, and more. Victims are located worldwide, spanning the United States, Japan, United Kingdom, China, India, Brazil, Canada, Australia, South Korea, and over a dozen other countries.

The group leverages vulnerabilities like CVE-2024-55591 in FortiOS, along with RDP brute force attacks and phishing campaigns, to gain initial access. Once inside, NightSpire uses LOLBins (PowerShell, PsExec, WinSCP, WMI) and credential dumping tools like Mimikatz to escalate privileges, move laterally, and exfiltrate sensitive data.

Files are encrypted with the “.nspire” extension using hybrid AES/RSA routines, and ransom notes threaten both encryption and data leaks on a dedicated leak site (DLS) with deadlines as short as two days, applying extreme pressure on victims.


Attack Details

The NightSpire ransomware payload, written in Go, uses obfuscation methods such as AES, RC4, and XOR to evade detection. Before encryption, data is exfiltrated via WinSCP and MEGACmd to attacker-controlled infrastructure. Victims then face double-extortion: pay the ransom or face data publication on NightSpire’s leak site.

Key tactics include:

  • Exploitation of FortiOS zero-day CVE-2024-55591 for initial access.

  • Living-off-the-land (LOLBins) for stealthy lateral movement and privilege escalation.

  • Hybrid encryption: block-level encryption for large files (.iso, .vhdx, .zip) and full-file encryption for all others.

  • Extortion tactics reinforced by aggressive countdown timers on leak sites.

Unlike some ransomware, NightSpire does not alter desktop backgrounds or remove volume shadow copies, but its encryption process makes recovery extremely challenging.


Recommendations

  • Patch and secure remote access: Apply updates for firewalls, VPNs, and FortiOS devices. Restrict RDP, enforce MFA, and monitor login anomalies.

  • Harden endpoints and servers: Deploy EDR/XDR to detect tampering, unauthorized processes, and encryption patterns (.nspire file creation). Use AppLocker or WDAC for application control.

  • Segment networks and control traffic: Isolate critical systems, enforce firewall policies, and block outbound connections to malicious domains, Tor nodes, and C2 servers.

  • Backups and recovery readiness: Maintain regular offline backups, test restoration processes, and ensure availability of clean recovery paths to avoid ransom payments.
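The two host-level signals this advisory describes (staging/exfiltration tools launched from PowerShell, and a burst of files gaining the ".nspire" extension) as an added detection example; this is not HivePro's or the group's code, and the Sysmon-style log format, field names, tool list and burst threshold are assumptions made for the example.

```python
"""Added example: detect NightSpire-style staging and encryption signals in
constructed Sysmon-like log lines (EventID 1 = process create, 11 = file create).
Log format, field names and the burst threshold are assumptions, not the
advisory's own."""
import re
from collections import defaultdict

# Tools named in the advisory (7-Zip, WinSCP, MEGACmd, PsExec); names assumed.
STAGING_TOOLS = {"7z.exe", "7zg.exe", "7z2408-x64.exe", "winscp.exe",
                 "megacmd.exe", "mega-cmd.exe", "psexec.exe"}
NSPIRE_BURST_THRESHOLD = 3  # assumption: .nspire creations per host before alerting

LINE_RE = re.compile(r"^(?P<host>\S+) EventID=(?P<eid>\d+) (?P<kv>.*)$")

def parse_line(line):
    """Return {'host', 'eid', <key>: <value>...} or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)="([^"]*)"', m.group("kv")))
    return {"host": m.group("host"), "eid": int(m.group("eid")), **fields}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines, threshold=NSPIRE_BURST_THRESHOLD):
    """Return a list of (alert_name, host, detail) tuples."""
    nspire_files, alerts = defaultdict(list), []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["eid"] == 11 and ev.get("TargetFilename", "").lower().endswith(".nspire"):
            nspire_files[ev["host"]].append(ev["TargetFilename"])
        elif ev["eid"] == 1:
            image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
            if image in STAGING_TOOLS and parent == "powershell.exe":
                alerts.append(("staging_tool_from_powershell", ev["host"], image))
    for host, files in nspire_files.items():
        if len(files) >= threshold:
            alerts.append(("nspire_encryption_burst", host, len(files)))
    return alerts

# Constructed sample log; hostnames are taken from the advisory's IoC list.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    rf'WINDOWS-DTX-8GB EventID=1 Image="{PS}" ParentImage="C:\Windows\explorer.exe"',
    rf'WINDOWS-DTX-8GB EventID=1 Image="C:\Users\Public\7z2408-x64.exe" ParentImage="{PS}"',
    rf'WINDOWS-DTX-8GB EventID=1 Image="C:\Program Files\WinSCP\WinSCP.exe" ParentImage="{PS}"',
    r'XDRAGON-SERVER1 EventID=11 TargetFilename="D:\Shares\finance\q3.xlsx.nspire"',
    r'XDRAGON-SERVER1 EventID=11 TargetFilename="D:\Shares\finance\q4.xlsx.nspire"',
    r'XDRAGON-SERVER1 EventID=11 TargetFilename="D:\Backups\image.vhdx.nspire"',
    r'XDRAGON-SERVER1 EventID=11 TargetFilename="D:\Shares\notes.txt"',
    r'WINDOWS-DTX-8GB EventID=11 TargetFilename="C:\Users\Public\report.docx.nspire"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```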


Indicators of Compromise (IoCs)


Filenames

  • 7z2408-x64.exe

  • 7zG.exe

  • 7z.exe

Hostnames

  • WINDOWS-DTX-8GB

  • XDRAGON-SERVER1



MITRE ATT&CK TTPs

  • Initial Access: T1190 (Exploit Public-Facing Applications), T1110 (Brute Force)

  • Execution: T1059 (Command & Scripting Interpreter), T1059.001 (PowerShell)

  • Privilege Escalation: T1068 (Exploitation for Privilege Escalation)

  • Defense Evasion: T1036 (Masquerading), T1218 (System Binary Proxy Execution), T1027 (Obfuscation)

  • Credential Access: T1003 (Credential Dumping), T1003.001 (LSASS Memory)

  • Discovery: T1046 (Network Service Discovery), T1083 (File and Directory Discovery), T1482 (Domain Trust Discovery)

  • Lateral Movement: T1021 (Remote Services), T1021.001 (RDP), T1021.002 (SMB)

  • Collection: T1567.002 (Exfiltration to Cloud Storage)

  • Exfiltration: T1041 (Exfiltration over C2 Channel), T1567 (Exfiltration over Web Services)

  • Command and Control: T1573 (Encrypted Channel), T1583.006 (Web Services), T1078 (Valid Accounts)

  • Impact: T1486 (Data Encrypted for Impact), T1485 (Data Destruction)

