Warning About NightSpire Ransomware Following Cases of Damage in South Korea
NightSpire operates a DLS (Dedicated Leak Site) and posts a countdown timer for the public release of information and data about victims. The group is known for using highly threatening language for their cyber extortion. This post describes the analysis and characteristics of NightSpire ransomware.
1. Overview
1.1. NightSpire Threat Group

Figure 1. NightSpire Team logo
NightSpire is a ransomware group that has been active since February 2025. The group is believed to have a very aggressive strategy and a specialized infrastructure, similar to the traditional Ransomware-as-a-Service (RaaS) operating model.
NightSpire operates a Dedicated Leak Site (DLS) where they post information about their victims and a countdown timer for when the data will be publicly released. They use highly threatening language in their cyber threats and offer various communication channels, such as ProtonMail, OnionMail, and Telegram channels, to negotiate with their victims. The group claims to exploit the vulnerabilities of corporations to infiltrate their systems.
NightSpire has targeted corporations in various countries and industries, including retail and wholesale businesses in the U.S., chemical and manufacturing industries in Japan, maritime industry in Thailand, accounting services in the UK, large corporations in China, manufacturing industry in Poland, business services and construction industry in Hong Kong, and technology and financial services in Taiwan.
NightSpire uses a double-extortion strategy to pressure their victims. They encrypt and leak data, demanding ransom payment, and threaten to publicly release the data if the payment is not made. As of now, it is unclear whether the group is entirely new or a rebranding of an existing group.
2. Analysis
Summary
| Category | Content |
|---|---|
| Encryption Target | Files and directories that are accessible when os_Stat() is called on them |
| Encryption Method | Full encryption / Block encryption |
| Ransom Note Creation | Every folder in which files were encrypted |
| Change in Desktop Background | No change |
| Encrypted Extension | .nspire |
| Volume Shadow Deletion | None |
Table 1. Commands used to operate the system
2.2 Encryption Routine
When encrypting files, NightSpire ransomware uses either the block encryption or full encryption method as shown in Table 2. The ransomware generally chooses block encryption for its performance and efficiency.
| Targeted Extensions | Encryption Method |
|---|---|
| iso, vhdx, vmdk, zip, vib, bak, mdf, flt, ldf | Block encryption (1MB) |
| Other extensions | Full encryption |
Table 2. Commands used to operate the system
As shown in the code at the bottom of Figure 4, the NightSpire ransomware performs block encryption in 1MB units (main_EncryptFilev2) on the following extensions: iso, vhdx, vmdk, zip, vib, bak, mdf, flt, and ldf. It performs full encryption (main_EncryptFilev1) on all other extensions. In other words, it uses a block encryption strategy for extensions that typically belong to large files, such as disk images and virtual disk files, so that they can be encrypted more quickly, while using a full encryption strategy for ordinary files.
Encrypted Extensions
The following image shows a folder infected by the NightSpire ransomware. The encrypted files carry the .nspire extension, and the ransom note (readme.txt) has been dropped alongside them.

Figure 2. Folder infected by NightSpire ransomware
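The file-level indicators described in Table 2 and above (the .nspire extension, the readme.txt note dropped in every encrypted folder, and the extension list that selects 1MB block encryption) can be turned into a simple incident-response triage check. The script below is an added example, not code from the original analysis or from AhnLab; the file-activity events it processes are constructed here, and the thresholds for flagging activity are assumptions.

```python
import ntpath
from collections import defaultdict

# Indicators taken from the analysis above.
ENCRYPTED_EXT = ".nspire"
RANSOM_NOTE = "readme.txt"
# Extensions the analysis reports as block-encrypted in 1MB units (main_EncryptFilev2).
BLOCK_ENCRYPTED_EXTS = {"iso", "vhdx", "vmdk", "zip", "vib", "bak", "mdf", "flt", "ldf"}


def encryption_method(encrypted_name):
    """Classify how NightSpire would have handled a file from its pre-encryption extension.
    Returns 'block' for the 1MB block-encryption list, 'full' for other extensions,
    or None if the name does not carry the .nspire extension."""
    if not encrypted_name.lower().endswith(ENCRYPTED_EXT):
        return None
    original = encrypted_name[: -len(ENCRYPTED_EXT)]
    ext = ntpath.splitext(original)[1].lstrip(".").lower()
    return "block" if ext in BLOCK_ENCRYPTED_EXTS else "full"


def triage(events, min_encrypted=5, min_note_dirs=2):
    """events: iterable of (action, windows_path) pairs from a file-activity log.
    Flags NightSpire-like activity when a burst of .nspire files appears together
    with ransom notes in several folders (thresholds are assumptions)."""
    encrypted = defaultdict(int)  # method -> count
    note_dirs = set()
    for action, path in events:
        if action not in ("create", "rename"):
            continue
        name = ntpath.basename(path)
        if name.lower() == RANSOM_NOTE:
            note_dirs.add(ntpath.dirname(path))
        method = encryption_method(name)
        if method:
            encrypted[method] += 1
    total = sum(encrypted.values())
    return {
        "encrypted_files": total,
        "block_encrypted": encrypted["block"],
        "full_encrypted": encrypted["full"],
        "ransom_note_dirs": len(note_dirs),
        "suspected_nightspire": total >= min_encrypted and len(note_dirs) >= min_note_dirs,
    }


# Constructed sample of file-activity events resembling an infected share.
SAMPLE_EVENTS = [
    ("rename", r"D:\share\finance\q1.xlsx.nspire"),
    ("rename", r"D:\share\finance\ledger.mdf.nspire"),
    ("create", r"D:\share\finance\readme.txt"),
    ("rename", r"D:\share\vm\server01.vmdk.nspire"),
    ("rename", r"D:\share\vm\backup.vhdx.nspire"),
    ("create", r"D:\share\vm\readme.txt"),
    ("rename", r"D:\share\docs\policy.docx.nspire"),
    ("create", r"D:\share\docs\readme.txt"),
    ("create", r"D:\share\docs\notes.txt"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Splitting the count into block- and full-encrypted files tells responders which encrypted files were handled by main_EncryptFilev2 and which by main_EncryptFilev1, which matters when prioritising recovery of large virtual disk and database files.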
2.4 Encrypted File Structure
Figure 3 shows the structure of a file encrypted by NightSpire ransomware. The AES symmetric key used to encrypt the file is appended to the end of the encrypted file, itself encrypted with the attacker's RSA public key, so the file key can only be recovered with the corresponding RSA private key.

Figure 3. Encrypted file structure
AhnLab’s Response Status
The detection names and engine dates of AhnLab products are shown below.
V3
Ransomware/Win.Nightspire.C5769860 (2025.06.12.02)
Ransomware/Win.Nightspire.C5775165 (2025.07.01.03)
Ransom/MDP.Decoy.M1171 (2016.07.15.02)
Ransom/MDP.Event.M1946 (2018.06.06.00)
Ransom/MDP.Event.M4353 (2022.07.05.00)
EDR
Ransom/EDR.Decoy.M2470 (2022.09.30.00)
Ransom/MDP.Event.M1946 (2018.09.07.03)