NightSpire Ransomware Uses Double Extortion Tactics


Summary

NightSpire is a Go-based ransomware family first observed in early 2025 that uses a double-extortion model, stealing data before encryption and threatening to publish it on a Tor-based leak site. The ransomware appends a .nspire extension to encrypted files and places ransom notes in each affected directory, including folders tied to OneDrive. Its operators rely on legitimate remote administration tools to maintain access and use publicly available utilities for discovery, archiving, and exfiltration. Between March and June 2025, the campaign impacted at least 64 organizations across 33 countries.

Investigation

The investigation showed that the attackers commonly gained initial access through exposed RDP and then installed Chrome Remote Desktop and AnyDesk as persistent Windows services. For hands-on activity they relied on publicly available utilities: the Everything file-search tool to locate data of interest quickly, 7-Zip to build password-protected archives of the selected files, and the MEGAsync client to upload those archives to MEGA cloud storage. The Go-based encryptor ran under conhost.exe, enumerated every available drive and encrypted files, adding the .nspire extension but leaving the names of files inside OneDrive folders unchanged. Because the data theft is complete before encryption begins, the final extortion phase relied on a Tor-hosted leak site to pressure victims who refused to pay.

Mitigation

Organizations should reduce or eliminate direct RDP exposure, alert on the unexpected installation of legitimate remote administration tools as services, and use application allow-listing so that binaries such as Chrome Remote Desktop and AnyDesk cannot run unless they are explicitly approved for a host. Behavioral detections should focus on the staging steps that precede encryption: mass file enumeration, creation of password-protected archives, and unusual uploads to cloud storage services; these fire while there is still time to act, because in this campaign exfiltration happens before any file is encrypted. Regular, offline-tested backups and rehearsed recovery procedures remain essential, and network controls should block known MEGA upload endpoints. Defenses can also be validated through controlled ransomware simulation exercises such as those offered by Picus.
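The following Python pass is an added example, not code from the original article or from any vendor named in it. It implements the behavioral checks above over constructed Windows-style event records (service install, process creation and object access). The event field names, the binary names assumed for each tool, the mass-access threshold and every sample path are assumptions to verify against your own telemetry before deployment.

```python
"""Toy detection pass for the NightSpire staging behaviours described above.

The input records mimic Windows System 7045 (service installed), Security 4688
(process created) and Security 4663 (object accessed) events. The dictionary
keys are simplified assumptions, not the real event XML schema.
"""
import re
from collections import defaultdict

# Assumed binary names for the tools named in the write-up (confirm locally):
# AnyDesk and the Chrome Remote Desktop host, 7-Zip, MEGAsync, Everything.
REMOTE_ADMIN_BINARIES = {"anydesk.exe", "remoting_host.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
CLOUD_SYNC_TOOLS = {"megasync.exe"}
SEARCH_TOOLS = {"everything.exe", "everything64.exe"}
MASS_ACCESS_THRESHOLD = 500   # distinct files opened by one process; tune per environment


def exe_name(path_or_cmd):
    """First *.exe token in a service ImagePath or command line, lower-cased.

    Handles quoted paths with spaces and trailing arguments, e.g.
    "C:\\Program Files (x86)\\...\\remoting_host.exe" --type=host
    """
    m = re.search(r'([^\\/"]+?\.exe)', path_or_cmd, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def detect(events):
    """Return a list of (rule, detail) findings over the event records."""
    findings = []
    files_per_pid = defaultdict(set)

    for ev in events:
        if ev["id"] == 7045:                       # new service installed
            if exe_name(ev["image_path"]) in REMOTE_ADMIN_BINARIES:
                findings.append(("remote_admin_service",
                                 f"{ev['service_name']} -> {ev['image_path']}"))

        elif ev["id"] == 4688:                     # process created
            exe = exe_name(ev["image"])
            tokens = [t.lower() for t in ev["cmdline"].split()]
            if exe in ARCHIVERS and "a" in tokens[1:]:        # 7-Zip "a" = add to archive
                protected = any(t.startswith("-p") for t in tokens)  # -p<password>
                rule = "archive_creation_password" if protected else "archive_creation"
                findings.append((rule, ev["cmdline"]))
            elif exe in CLOUD_SYNC_TOOLS:
                findings.append(("cloud_sync_tool", ev["image"]))
            elif exe in SEARCH_TOOLS:
                findings.append(("file_search_tool", ev["image"]))

        elif ev["id"] == 4663:                     # file object accessed
            files_per_pid[ev["pid"]].add(ev["object"].lower())

    for pid, objs in files_per_pid.items():        # mass enumeration by one process
        if len(objs) >= MASS_ACCESS_THRESHOLD:
            findings.append(("mass_file_access",
                             f"pid {pid} opened {len(objs)} distinct files"))
    return findings


def sample_events():
    """Constructed records reproducing the chain in the write-up (not real logs)."""
    events = [
        {"id": 7045, "service_name": "AnyDesk",
         "image_path": r"C:\ProgramData\AnyDesk\AnyDesk.exe --service"},
        {"id": 7045, "service_name": "chromoting",
         "image_path": r'"C:\Program Files (x86)\Google\Chrome Remote Desktop\1.2.3\remoting_host.exe" --type=host'},
        {"id": 7045, "service_name": "Sysmon64",           # benign control case
         "image_path": r"C:\Windows\Sysmon64.exe"},
        {"id": 4688, "image": r"C:\Tools\Everything\Everything64.exe",
         "cmdline": "Everything64.exe -startup"},
        {"id": 4688, "image": r"C:\Program Files\7-Zip\7z.exe",
         "cmdline": r"7z.exe a -pHunter2 -mhe=on C:\Users\Public\finance.7z C:\Finance"},
        {"id": 4688, "image": r"C:\Program Files\7-Zip\7z.exe",
         "cmdline": r"7z.exe a C:\Backups\logs.7z C:\Logs"},     # unprotected archive
        {"id": 4688, "image": r"C:\Program Files\7-Zip\7z.exe",
         "cmdline": r"7z.exe x C:\Backups\image.7z -oC:\Restore"},  # extraction, not flagged
        {"id": 4688, "image": r"C:\Users\j.doe\AppData\Local\MEGAsync\MEGAsync.exe",
         "cmdline": "MEGAsync.exe"},
    ]
    events += [{"id": 4663, "pid": 4242, "object": rf"C:\Finance\Q2\report_{i}.xlsx"}
               for i in range(600)]                         # bulk enumeration
    events += [{"id": 4663, "pid": 100, "object": rf"C:\Users\j.doe\Documents\memo_{i}.docx"}
               for i in range(20)]                          # normal user activity
    return events


if __name__ == "__main__":
    for rule, detail in detect(sample_events()):
        print(f"{rule:28s} {detail}")
```

The rules are deliberately narrow; in production the service-install rule should compare against an allow-list of approved hosts rather than fire on every install, and the 4663 counter needs a time window so that a nightly backup job does not trip it.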

Response

If NightSpire activity is detected, isolate the affected endpoint from the network immediately, capture volatile memory before stopping anything (terminating the encryptor first discards whatever key material and process state was still in memory), and only then terminate the encryptor process. Disable the malicious services, remove the persisted remote access tools, and block the related network communication. Recovery should proceed from trusted backups, and the relevant stakeholders should be notified. Because data was exfiltrated before encryption, restoring files does not end the incident: it should also be reported to law enforcement, and defenders should keep monitoring the associated Tor leak site for signs of published data.
