Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
NightSpire ransomware recovery team on standby
NightSpire emerged in February 2025 and claimed over 150 victims within weeks, enforcing a 48-hour payment deadline before publishing stolen data on its dark-web leak site. Do not attempt negotiation or containment alone — isolate all affected systems immediately and engage UnderDefense's incident response team.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a NightSpire attack can make a huge difference and help you make a full recovery. Request 24/7 NightSpire ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
NightSpire differentiates itself through ultra-aggressive payment deadlines (2 days) and countdown timers on leak site (3-90 days depending on victim). This tactic pressurizes victim organizations to bypass proper incident response and pay quickly, reducing negotiation leverage and law enforcement coordination opportunity.
NightSpire operates as Ransomware-as-a-Service, recruiting affiliates to conduct intrusions and providing customized malware builders. The model enables rapid scaling and geographic diversification of attacks. Affiliates conduct both vulnerability exploitation and social engineering, executing attacks across diverse sectors simultaneously.
NightSpire primary initial access comes via phishing campaigns delivering credential-stealing malware or exploiting FortiOS vulnerability (CVE-2024-55591). RDP brute force is secondary but common for organizations with weak password policies. The group prioritizes credential compromise over exploit sophistication.
NightSpire uses PowerShell, PsExec, WinSCP, and WMI (Windows Management Instrumentation) for lateral movement and data exfiltration, minimizing custom malware deployment and evading signature-based detection. Legitimate tool abuse complicates forensic attribution.
Over 1/3 of NightSpire victims are manufacturing organizations, suggesting deliberate sector focus due to operational technology criticality and ransom payment capacity. The group may conduct preliminary research on victim OT infrastructure to maximize leverage.
No legitimate public decryptor exists. NightSpire uses AES/RSA hybrid encryption (exact algorithms vary by variant). Recovery requires offline backups or ransom payment. Law enforcement coordination is recommended; NightSpire infrastructure may be vulnerable to seizure given rapid growth and visible leak site.
Search for .nspire file extensions and readme.txt ransom notes appearing in affected directories. Monitor for Mimikatz execution, PowerShell credential dumping, WinSCP data movement, and FortiOS vulnerability exploitation attempts. Watch leak site for victim indicators.
File Extensions
.nspire, .nspire2024 (variant-dependent)
Ransom Note Filenames
readme.txt (simple naming); some variants include victim ID in filename
NightSpire Hashes
SHA256 hashes vary significantly due to RaaS affiliate variation. Monitor for behavioral indicators rather than static signatures. Known Mimikatz and PowerShell variants can be identified by command-line arguments.
NightSpire Tools
Reconnaissance: Shodan, Censys for public-facing service discovery
Phishing: Custom credential stealers, malicious Office documents
Exploitation: CVE-2024-55591 (FortiOS), RDP brute force
Credential Dumping: Mimikatz, LSASS process access
Lateral Movement: PowerShell, PsExec, administrative shares, WMI
Data Exfiltration: WinSCP, rclone (configured via affiliate)
Encryption: AES/RSA hybrid (customizable per affiliate)
Most Common Red Flag
Sudden appearance of .nspire files across network shares, combined with readme.txt ransom notes, Mimikatz process execution, and WinSCP data movement to external hosts. Often preceded by phishing emails or failed RDP login attempts from diverse source IPs (brute force attacks).
Attack vector | % of NightSpire incidents | Notes |
Phishing with Credential Stealer | 40% | Malicious attachments delivering info-stealing malware |
FortiOS Vulnerability (CVE-2024-55591) | 30% | Exploitation of unpatched Fortinet appliances |
RDP Brute Force | 20% | Weak password attack across internet-facing RDP |
Supply Chain/IAB Access | 10% | Initial Access Brokers selling compromised credentials |
A manufacturing organization ignored ransom deadline and paid 2 weeks later at 5x the initial demand. A healthcare organization paid within 48 hours; data was released on 3 separate forums within 1 week despite payment. One maritime company engaged law enforcement; FBI coordination identified NightSpire C2 infrastructure, resulting in partial key recovery before complete data staging.
Isolate all systems showing .nspire file extensions from network immediately. Scan for and terminate Mimikatz processes and WinSCP connections. Disable all compromised user accounts; force password reset network-wide. Restore from verified offline backups. Monitor for re-infection attempts via failed RDP login monitoring and phishing attack patterns.
Recovery from offline backups is required; assume all credentials compromised. Rotate all credentials before bringing systems back online. Implement network segmentation to isolate critical data. Monitor for re-infection attempts for 90+ days, focusing on phishing, RDP access patterns, and credential access from unusual geographies. Engage law enforcement immediately—NightSpire infrastructure may enable key recovery.
NightSpire demands typically range from $150,000 to $2,000,000 for SMEs, with manufacturing organizations receiving higher demands based on perceived ransom capacity. Aggressive 2-day deadlines suggest the gang prefers rapid payment over negotiation. Reported settlement rates are 30-40% of initial demand when negotiation occurs.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowNightSpire is a Ransomware-as-a-Service group that emerged in February 2025 and launched its public leak site March 12, 2025, assessed as a rebrand of the Rbfs operation. The group claims 150+ victims across manufacturing, finance, healthcare, maritime, and other sectors, operating with aggressive 2-day payment deadlines and countdown timers on its leak site. NightSpire uses AES/RSA hybrid encryption and conducts double extortion through data exfiltration and public victim exposure. The group leverages CVE-2024-55591 in FortiOS, phishing with credential stealers, and RDP brute force for initial access.
Attribution analysis suggests Eastern European or Russian-based operations based on infrastructure patterns, operational tempo, and ransom communication preferences. The RaaS model suggests the operator seeks distance from actual attacks through affiliate recruitment. No definitive nation-state affiliation has been published; group appears financially motivated with rapid operational scaling.
NightSpire gains initial access through phishing campaigns delivering credential-stealing malware, exploitation of CVE-2024-55591 in unpatched Fortinet appliances, or RDP brute force against weak passwords. Affiliates establish persistence, conduct reconnaissance using Shodan or public vulnerability databases, exfiltrate sensitive data via WinSCP or rclone, and deploy the AES/RSA hybrid encryption ransomware. The aggressive 2-day deadline pressurizes organizations to pay before proper incident response coordination.
From initial phishing delivery or vulnerability exploitation to ransom note deployment, NightSpire attacks average 3-10 days of dwell time, allowing for credential access and data exfiltration. The 2-day payment deadline begins upon ransom note delivery, not initial compromise, forcing organizations into rapid crisis response decision-making.
No legitimate public decryptor exists. NightSpire uses AES/RSA hybrid encryption, which is cryptographically secure. Law enforcement coordination may enable key recovery from seized infrastructure, given NightSpire’s rapid operational growth and visible leak site infrastructure. Ransom payment offers no guarantee of data deletion—the gang publishes data on multiple forums despite payment in 50%+ of cases.
All files encrypted with .nspire extension become inaccessible. The gang publishes victim names, company logos, and sample data on their leak site with countdown timers (3-90 days) indicating permanent data release. Manufacturing and healthcare targets face severe operational disruption—production halts, patient care interruptions, supply chain failures. The aggressive deadline forces hasty payment decisions without proper negotiation.
Patch all Fortinet appliances within 48 hours of CVE release; CVE-2024-55591 is actively exploited. Enforce MFA on all RDP, VPN, and administrative accounts to prevent brute force attacks. Conduct monthly phishing simulations; train employees to identify credential-stealing attachments. Disable or restrict internet-facing RDP; use jump hosts instead. Monitor for unusual data movement via WinSCP or rclone. Maintain offline, immutable backups tested quarterly.
– Patch Fortinet FortiOS appliances immediately upon CVE-2024-55591 release notification
– Enforce MFA on all RDP, VPN, and administrative accounts
– Monitor for RDP brute force attempts; implement account lockout policies
– Implement email filtering to block credential-stealing attachments
– Conduct monthly phishing simulations with security awareness training
– Disable or restrict internet-facing RDP; use jump hosts with logging
– Monitor for WinSCP and rclone execution; restrict to trusted administrative users
– Maintain offline, encrypted backup copies tested quarterly
– Implement EDR with detection rules for Mimikatz execution
– Establish incident response plan with ransomware negotiation specialist contact information
Aggressive 2-day deadlines serve tactical and psychological purposes:
1) Pressurize organizations to skip proper incident response and negotiate directly
2) Reduce time for law enforcement coordination that may enable key recovery
3) Increase likelihood of hasty ransom payment without negotiation leverage
4) Maximize ransom velocity by preventing extended negotiation cycles
5) Create organizational chaos and decision-making errors through time pressure
NightSpire’s explicit focus on 2-day deadlines and aggressive countdown timers on the public leak site differentiates it from standard RaaS groups that maintain longer negotiation windows. The volume of claimed victims (150+ by early 2026) suggests rapid scaling of affiliate recruitment. The manufacturing sector focus (>33% of victims) indicates deliberate vertical targeting rather than indiscriminate affiliate attacks.