Since its emergence in February 2025, the NightSpire ransomware group has rapidly distinguished itself through a sophisticated double-extortion strategy that combines targeted encryption with public data leaks.
Initially surfacing in South Korea, the group leveraged vulnerabilities in corporate networks to gain initial access, often exploiting outdated VPN appliances and unpatched Remote Desktop Protocol services.
Once inside, NightSpire deploys customized payloads that scan connected file shares and databases, ensuring maximum impact by prioritizing high-value assets.
The group’s emblematic logo, emblazoned on its Dedicated Leak Site, underscores its professionalized approach to cyber extortion.
Within weeks of its first public disclosure, NightSpire orchestrated attacks against organizations across North America, Asia, and Europe, hitting sectors such as retail and wholesale in the United States, chemical manufacturing in Japan, and maritime logistics in Thailand.
Victims report encrypted files renamed with the “.nspire” extension, accompanied by a ransom note named readme.txt in each compromised directory.
ASEC analysts noted that these notes employ highly threatening language and include countdown timers for data release, heightening pressure on victims to negotiate before sensitive information is made public.
As NightSpire’s footprint expanded, security researchers began to dissect its underlying infrastructure.
The ransomware binaries reveal a modular architecture capable of switching between block encryption and full encryption routines depending on file type.
According to reverse engineering by ASEC researchers, large files such as virtual disk images (.vhdx, .vmdk) and archives (.zip) are processed in 1 MB chunks using an AES-CBC block encryption function, while documents and smaller files undergo full-file encryption with the same cipher.
By encrypting each file’s AES key with RSA and appending the wrapped key to the tail of the encrypted file, NightSpire ensures that both automated and manual recovery without payment (that is, without the corresponding RSA private key) remain virtually impossible.
Infection Analysis
NightSpire’s infection mechanism hinges on a multi-stage loader that first disables Windows Defender and deletes volume shadow copies to prevent easy rollback.
The loader begins by querying the OS with the _Stat() function to enumerate accessible files and directories, filtering out system-critical paths to avoid destabilizing the host.
Once the file system map is built, the following pseudocode outlines the encryption decision logic:

```
// Extensions associated with large files (disk images, archives, backups, database files)
// are routed to the chunked routine; every other file type is encrypted in full.
if (ext in {".iso", ".vhdx", ".vmdk", ".zip", ".vib", ".bak", ".mdf", ".flt", ".ldf"}) {
    main_EncryptFilev2(filePath, aesKey, rsaPubKey, chunkSize = 1MB);  // AES-CBC in 1 MB chunks
} else {
    main_EncryptFilev1(filePath, aesKey, rsaPubKey);                   // full-file AES-CBC
}
```
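As an added triage example (not code from the article or from ASEC’s analysis), the script below walks a directory tree, locates the “.nspire” files and readme.txt notes described above, and applies the same extension-based decision logic to estimate which files went through the chunked routine and how many 1 MB chunks that implies. It assumes, which the page does not state, that the original extension is preserved in front of “.nspire” (e.g. `vm01.vhdx.nspire`); the sample tree it builds is constructed data.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: renamed extension and ransom note filename.
ENCRYPTED_EXT = ".nspire"
NOTE_NAME = "readme.txt"
# Extensions the article lists as routed to the chunked (1 MB) AES-CBC routine.
CHUNKED_EXTS = {".iso", ".vhdx", ".vmdk", ".zip", ".vib", ".bak", ".mdf", ".flt", ".ldf"}
CHUNK_SIZE = 1024 * 1024

def classify(original_ext: str) -> str:
    """Mirror the article's decision logic: chunked routine for large-file types, full-file otherwise."""
    return "chunked" if original_ext.lower() in CHUNKED_EXTS else "full"

def triage(root: str) -> dict:
    """Walk a tree and summarise NightSpire-style artefacts.
    Assumption (not on the page): original extension kept before ".nspire", e.g. "db.mdf.nspire"."""
    summary = {"encrypted_files": [], "note_dirs": [], "chunked": 0, "full": 0, "estimated_chunks": 0}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == NOTE_NAME:
                summary["note_dirs"].append(str(path.parent))
            elif name.lower().endswith(ENCRYPTED_EXT):
                original_ext = Path(name[: -len(ENCRYPTED_EXT)]).suffix
                mode = classify(original_ext)
                summary[mode] += 1
                if mode == "chunked":
                    size = path.stat().st_size
                    summary["estimated_chunks"] += -(-size // CHUNK_SIZE)  # ceiling division
                summary["encrypted_files"].append((str(path), mode))
    return summary

def build_sample_tree() -> str:
    """Build a small constructed incident tree (placeholder content, not real artefacts)."""
    root = tempfile.mkdtemp(prefix="nspire_triage_")
    share = Path(root) / "share"
    share.mkdir()
    (share / "report.docx.nspire").write_bytes(b"\x00" * 4096)                  # full-file routine
    (share / "vm01.vhdx.nspire").write_bytes(b"\x00" * (3 * CHUNK_SIZE + 1))    # 4 chunks expected
    (share / NOTE_NAME).write_text("constructed placeholder note")
    (Path(root) / "untouched.txt").write_text("clean")
    return root

if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"{len(result['encrypted_files'])} encrypted file(s), notes in {len(result['note_dirs'])} dir(s)")
```

Point `triage()` at a mounted forensic image or a copied share rather than a live host so the walk does not alter access timestamps on evidence.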
After encrypting each target, the loader writes a readme.txt ransom note in the same folder, then communicates success to the group’s command-and-control server over an encrypted Telegram channel.
During this phase, the ransomware also captures screenshots of the desktop and exfiltrates them alongside critical documents, reinforcing its leverage. The result is a rapid, stealthy compromise that leaves traditional detection mechanisms scrambling.