Emerging Threat Actor: NightSpire Ransomware


NightSpire showed up on the radar in early 2025 and wasted no time making itself known. While some early chatter tried to tie the group to legacy RaaS crews, this outfit is clearly doing its own thing. It is not running a public RaaS operation and has no affiliate program; it's a closed shop. Every attack observed so far has been handled in-house, from initial access through extortion. That tells us one thing: NightSpire wants control. Total control.
The ransomware itself is built for Windows targets, but there are signs the group is eyeing Linux and ESXi next. No cross-platform deployments have been observed so far, but expect them. Their game is double extortion: exfiltrate the data, encrypt the systems, then squeeze victims with the threat of publication on a Tor-based leak site. Classic playbook, but they're tightening the screws with decent technical chops.
Initial access? Think phishing lures, compromised RDP credentials, and vulnerable internet-facing edge applications. Once inside, they move fast: PowerShell, cmd scripts, and batch files, all aimed at dropping payloads and disabling security tools. Files are encrypted with AES-256, and the AES keys are in turn encrypted with an RSA-2048 public key, so recovering them without the operators' private key is not feasible. Volume Shadow Copies (VSS) are deleted to kill any shot at easy rollback.
Mimikatz comes out for credential theft. Then it's PsExec and WMI for lateral movement, with Advanced IP Scanner to map out the rest of the network. They've got some decent evasion, too: launching payloads from temp directories, renaming processes to look legitimate, and hiding persistence in scheduled tasks and registry keys. It's not groundbreaking, but it's tight enough to trip up defenders who aren't paying attention.
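To turn the tradecraft above into something a SOC can actually hunt with, here is an added example (not Halcyon's code and not a NightSpire artifact): a small Python rule set that runs over parsed process-creation events and flags a host only when several of these behaviours cluster on it. The hostnames, user names, paths and command lines in the sample events are constructed for the example; the regexes, the Run-key and service-name specifics, and the two-rule threshold are my assumptions, tuned to the behaviours the post names (shadow-copy deletion, tool tampering, Mimikatz syntax, PsExec/WMI, Advanced IP Scanner, temp-dir execution, renamed system binaries, scheduled-task and registry persistence).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One parsed process-creation record (Sysmon Event ID 1 / Security 4688 shape)."""
    host: str
    image: str    # full path of the new process
    cmdline: str
    parent: str   # image name of the parent process


# Staging locations and system-binary names for the temp-dir and masquerading checks.
TEMP_DIR = re.compile(r"\\(?:Temp|ProgramData)\\", re.I)
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\Windows\\(?:System32|SysWOW64)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _rx(text: str, *patterns: str) -> bool:
    return any(re.search(p, text, re.I) for p in patterns)


# One predicate per behaviour in the write-up. Patterns are deliberately strict so
# benign admin activity ("vssadmin list shadows", a schtasks query) does not fire.
RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "shadow_copy_deletion": lambda e: _rx(e.cmdline, r"vssadmin(?:\.exe)?\s+delete\s+shadows",
                                          r"wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    # Defender cmdlets and AV/EDR service stops; extend the service names for your stack (assumed list).
    "security_tool_tamper": lambda e: _rx(e.cmdline, r"Set-MpPreference\s+-Disable\w+",
                                          r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|config|delete)\s+\S*(?:defend|sense)"),
    # Mimikatz module syntax survives a renamed binary; the filename check is a bonus.
    "credential_dumping": lambda e: _base(e.image) == "mimikatz.exe"
                                    or _rx(e.cmdline, r"(?:sekurlsa|lsadump)::"),
    # PsExec client/service, remote WMI process creation, or a shell spawned by WMI.
    "lateral_movement": lambda e: _base(e.image) in PSEXEC
                                  or _rx(e.cmdline, r"wmic(?:\.exe)?\s+/node:")
                                  or (e.parent.lower() == "wmiprvse.exe" and _base(e.image) in SHELLS),
    "network_discovery": lambda e: _base(e.image).startswith("advanced_ip_scanner"),
    "temp_dir_execution": lambda e: bool(TEMP_DIR.search(e.image)),
    # A system-binary name running from anywhere but the real system directories.
    "masquerading": lambda e: _base(e.image) in SYSTEM_NAMES and not SYSTEM_DIRS.match(e.image),
    "persistence": lambda e: _rx(e.cmdline, r"schtasks(?:\.exe)?\s+/create\b",
                                 r"reg(?:\.exe)?\s+add\s+.*\\CurrentVersion\\Run"),
}


def evaluate(events: List[ProcEvent]) -> Dict[str, List[Tuple[str, str]]]:
    """Per host, the (rule name, command line) pairs that fired."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e.host].append((name, e.cmdline))
    return dict(hits)


def suspicious_hosts(events: List[ProcEvent], min_rules: int = 2) -> List[str]:
    """Hosts where at least min_rules distinct behaviours fired. A single hit is noisy
    (admins delete shadow copies too); a cluster on one host is the intrusion pattern."""
    return sorted(host for host, hs in evaluate(events).items()
                  if len({name for name, _ in hs}) >= min_rules)


# Constructed sample telemetry (hostnames, users and paths are made up): WS-042 shows the
# whole chain, FS-01 only the PSEXESVC service a lateral move leaves behind plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent("WS-042", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", "cmd.exe"),
    ProcEvent("WS-042", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true", "cmd.exe"),
    ProcEvent("WS-042", r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
              'mk.exe "privilege::debug" "sekurlsa::logonpasswords"', "cmd.exe"),
    ProcEvent("WS-042", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "svchost.exe -run", "powershell.exe"),
    ProcEvent("WS-042", r"C:\Windows\System32\schtasks.exe",
              r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "cmd.exe"),
    ProcEvent("WS-042", r"C:\Users\jdoe\AppData\Local\Temp\Advanced_IP_Scanner.exe",
              "Advanced_IP_Scanner.exe /portable", "explorer.exe"),
    ProcEvent("WS-042", r"C:\Users\jdoe\Downloads\PsExec64.exe", r"PsExec64.exe \\FS-01 -s cmd.exe", "cmd.exe"),
    ProcEvent("FS-01", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe", "services.exe"),
    ProcEvent("FS-01", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows", "cmd.exe"),
    ProcEvent("FS-01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "services.exe"),
]

if __name__ == "__main__":
    for host, hs in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(host, sorted({name for name, _ in hs}))
    print("flagged:", suspicious_hosts(SAMPLE_EVENTS))
```

Feed it parsed Sysmon Event ID 1 or Security 4688 records. With the default threshold only WS-042 is flagged; FS-01's lone PSEXESVC hit is still worth a ticket (drop `min_rules` to 1 to see it), but the host where the behaviours cluster is the one to isolate first, and the shadow-copy rule is the one to page on regardless, because once it fires the encryptor is usually minutes away.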
The target list? Mid-sized companies in professional services, healthcare, real estate, and manufacturing, especially ones with weak security and valuable data. Most of the activity has been in North America and Western Europe. It's not a volume game.
NightSpire plays it cool, sticking to a low-noise, high-pressure model. About 25–30 victims so far have had their data dumped on the group's leak site, and ransom demands range from $150K to $2M, depending on how sensitive the stolen data is.
Bottom line: NightSpire isn't out to build a brand or recruit an army; they're in it for surgical strikes, quiet disruption, and full-spectrum control. And if you're in their sights, they're not showing up with spray paint; they're bringing bolt cutters and lockpicks.
Halcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.