Full Report
NightSpire is a ransomware family first identified in early 2025 using double extortion, stealing files before encryption and threatening to leak them on a Tor-based site if victims refuse to pay. Between March and June 2025, NightSpire hit at least 64 organizations across 33 countries, with the U.S. leading the victim list, followed by Turkey, Hong Kong, Japan, Taiwan, Mexico, Spain, and Egypt. The encryptor is a Go-based executable. It scans directories, appends the .nspire extension to affected files, and drops a ransom note in every folder with encrypted content. Operators use legitimate tools for stealth, including Chrome Remote Desktop and AnyDesk for persistence, Everything for file discovery, 7-Zip for archiving, and MEGAsync for exfiltration to MEGA cloud storage.
Analysis Summary
# Tool/Technique: NightSpire Ransomware
## Overview
NightSpire is a ransomware family first identified in early 2025. It employs a "double extortion" strategy: the operators exfiltrate sensitive data before starting encryption, then threaten to publish it on a Tor-based leak site if the ransom is not paid. The group is highly active globally; between March and June 2025 it claimed at least 64 victims across 33 countries and a wide range of industries.
## Technical Details
- **Type**: Malware family (Ransomware)
- **Platform**: Windows (Go-based executable)
- **Capabilities**: Directory scanning, file encryption, data exfiltration, persistence via legitimate remote access tools, and automated discovery.
- **First Seen**: Early 2025
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
- [T1083 - File and Directory Discovery] (Everything.exe)
- **[TA0009 - Collection]**
- [T1560.001 - Archive via Utility] (7-Zip)
- **[TA0010 - Exfiltration]**
- [T1567.002 - Exfiltration to Cloud Storage] (MEGAsync/MEGA)
- **[TA0011 - Command and Control]**
- [T1219 - Remote Access Software] (AnyDesk, Chrome Remote Desktop; ATT&CK files this technique under Command and Control, and it is how the operators keep access to the network rather than a separate persistence mechanism)
- **[TA0040 - Impact]**
- [T1486 - Data Encrypted for Impact] (Go-based encryptor)
## Functionality
### Core Capabilities
- **Go-based Encryption**: Uses a high-performance Go-based encryptor that recursively scans directories and encrypts files.
- **File Extension**: Appends the `.nspire` extension to all successfully encrypted files.
- **Ransom Placement**: Drops a ransom note (typically a text file) in every folder containing encrypted content to ensure high visibility for the victim.
### Advanced Features
- **Legitimate Tool Usage**: Instead of custom backdoors, the operators install commercial remote-access software (AnyDesk, Chrome Remote Desktop) to keep access and blend in with normal administrative traffic. These are third-party applications rather than built-in OS binaries, so application control can block them outright.
- **Efficient Discovery**: Utilizes the "Everything" search tool to rapidly locate high-value files for exfiltration.
- **Automated Exfiltration**: Uses MEGAsync to automate the transfer of large volumes of stolen data to MEGA cloud storage before encryption begins.
## Indicators of Compromise
- **File Hashes**: *Specific MD5/SHA256 hashes were not provided in the source text. Go-based encryptors are typically large, statically linked binaries that, unless stripped or packed, carry Go runtime strings, package paths and a Go build ID, which are useful pivots for YARA rules and retro-hunting.*
- **File Names**:
- `Everything.exe` (Unauthorized use of the search tool)
- `MEGAsync.exe`
- **Registry Keys**: *None provided in the source. Both AnyDesk (installed mode) and Chrome Remote Desktop register a Windows service, so new service entries under `HKLM\SYSTEM\CurrentControlSet\Services` on hosts that should not run these tools are the expected artifacts.*
- **Network Indicators**:
- `mega[.]nz` (Data exfiltration)
- Tor-based leak site (the specific `.onion` address is not given in the source)
- **Behavioral Indicators**:
- Mass file renaming via appending `.nspire`.
- Excessive outbound traffic to cloud storage providers.
- Creation of ransom notes in multiple directories.
## Associated Threat Actors
- **NightSpire Operators**: Currently characterized as a distinct group, though their tradecraft resembles that of other double-extortion families such as Warlock, BlackCat, and Akira.
## Detection Methods
- **Signature-based detection**: Identification of the Go-based encryptor strings and the `.nspire` file extension.
- **Behavioral detection**: Monitoring for "search-archive-exfiltrate" patterns, specifically the execution of `7z.exe` followed by `MEGAsync.exe`.
- **SIEM/EDR Alerts**: Detect the installation of unauthorized remote desktop software (AnyDesk/Chrome RD) in environments where they are not standard.
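As an added example, not part of the original report, the three detection methods above expressed as a small Python detector run over a constructed, Sysmon-style event log (one JSON object per line). It looks for the Everything -> 7-Zip -> MEGAsync chain on one host inside a time window, a burst of renames to `.nspire`, and remote-access tool process starts on hosts not approved for them. The window sizes, the rename threshold, the sample events and the process name `remoting_host.exe` used for the Chrome Remote Desktop host are assumptions to tune against your own telemetry.

```python
"""Behavioural detections for the NightSpire tradecraft described above, run over
simplified Sysmon-style events. The sample log at the bottom is constructed for
this example, not captured from a real incident."""
import json
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered process chain the report describes: search -> archive -> exfiltrate.
EXFIL_CHAIN = ("everything.exe", "7z.exe", "megasync.exe")
CHAIN_WINDOW = timedelta(hours=2)      # assumed: how long one operator session may span
RANSOM_EXT = ".nspire"
RENAME_THRESHOLD = 20                  # assumed: renames per window that count as "mass"
RENAME_WINDOW = timedelta(minutes=5)
# Process names of the remote-access tools; "remoting_host.exe" for the Chrome
# Remote Desktop host is an assumption to verify against your own inventory.
REMOTE_TOOLS = {"anydesk.exe", "remoting_host.exe"}


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime 'ts' and a lower-cased image basename."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        if "image" in ev:
            ev["image"] = os.path.basename(ev["image"].replace("\\", "/")).lower()
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_exfil_chain(events):
    """Alert when the three chain stages run in order on one host within CHAIN_WINDOW."""
    alerts, state = [], {}            # state: host -> (next stage index, ts of stage 0)
    for ev in events:
        if ev.get("type") != "process":
            continue
        host = ev["host"]
        idx, started = state.get(host, (0, None))
        if started is not None and ev["ts"] - started > CHAIN_WINDOW:
            idx, started = 0, None    # stale partial chain: start over
        if ev["image"] == EXFIL_CHAIN[idx]:
            started = ev["ts"] if idx == 0 else started
            idx += 1
            if idx == len(EXFIL_CHAIN):
                alerts.append({"rule": "exfil_chain", "host": host, "start": started, "end": ev["ts"]})
                idx, started = 0, None
        state[host] = (idx, started)
    return alerts


def detect_mass_rename(events):
    """Alert once per host when RENAME_THRESHOLD files gain .nspire inside RENAME_WINDOW."""
    alerts, per_host = [], defaultdict(list)
    for ev in events:
        if ev.get("type") == "file_rename" and ev["target"].lower().endswith(RANSOM_EXT):
            per_host[ev["host"]].append(ev["ts"])
    for host, times in per_host.items():
        left = 0
        for right, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[left] > RENAME_WINDOW:
                left += 1
            if right - left + 1 >= RENAME_THRESHOLD:
                alerts.append({"rule": "mass_nspire_rename", "host": host,
                               "count": right - left + 1, "first": times[left], "last": t})
                break
    return alerts


def detect_remote_tools(events, approved_hosts=frozenset()):
    """Alert on remote-access tool starts on hosts where the tool is not approved."""
    return [{"rule": "unapproved_remote_tool", "host": ev["host"], "image": ev["image"], "ts": ev["ts"]}
            for ev in events
            if ev.get("type") == "process" and ev["image"] in REMOTE_TOOLS
            and ev["host"] not in approved_hosts]


def analyse(lines, approved_hosts=frozenset()):
    """Run all three detections over raw JSON lines and return the combined alert list."""
    events = parse_events(lines)
    return (detect_exfil_chain(events) + detect_mass_rename(events)
            + detect_remote_tools(events, approved_hosts))


# Constructed sample: a file server showing the full chain and the encryption burst,
# AnyDesk on a workstation and on an approved jump host, and a lone 7-Zip run.
SAMPLE_LOG = [
    r'{"ts": "2025-04-02T01:10:00", "host": "FS01", "type": "process", "image": "C:\\Tools\\Everything.exe"}',
    r'{"ts": "2025-04-02T01:25:00", "host": "FS01", "type": "process", "image": "C:\\Program Files\\7-Zip\\7z.exe"}',
    r'{"ts": "2025-04-02T01:40:00", "host": "FS01", "type": "process", "image": "C:\\Users\\svc\\AppData\\Local\\MEGAsync\\MEGAsync.exe"}',
    r'{"ts": "2025-04-02T02:00:00", "host": "WS07", "type": "process", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}',
    r'{"ts": "2025-04-02T02:05:00", "host": "JUMP01", "type": "process", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}',
    r'{"ts": "2025-04-02T09:00:00", "host": "WS03", "type": "process", "image": "C:\\Program Files\\7-Zip\\7z.exe"}',
] + [
    r'{"ts": "2025-04-02T03:00:%02d", "host": "FS01", "type": "file_rename", "target": "D:\\Share\\doc%d.docx.nspire"}' % (i, i)
    for i in range(25)
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, approved_hosts={"JUMP01"}):
        print(alert)
```

The chain detector deliberately resets when the first stage is older than the window, so an unrelated `7z.exe` run hours later does not complete a stale chain; the rename detector fires once per host as soon as the threshold is crossed, which is the point at which an EDR response action (isolate the host) is worth triggering.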
## Mitigation Strategies
- **Prevention**: Implement application control (AppLocker or WDAC) so that tools such as `Everything.exe`, `7z.exe` and `MEGAsync.exe` can only run where they are explicitly approved.
- **Hardening**: Limit remote administration to approved tools reachable only over the corporate VPN with MFA, and block unsanctioned remote-access software such as AnyDesk and Chrome Remote Desktop.
- **Data Protection**: Maintain offline, immutable backups and implement egress filtering to block unauthorized cloud storage providers.
## Related Tools/Techniques
- **Warlock / BlackCat**: Ransomware families the analysis cites as tactically similar; note that BlackCat (ALPHV) is written in Rust, so the resemblance is operational rather than a shared Go-based architecture.
- **Akira / Black Basta**: Similar double-extortion operational models.
- **7-Zip / AnyDesk**: Legitimate tools frequently abused by ransomware operators, 7-Zip for staging stolen data and AnyDesk for remote access.