What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a NightSpire attack can make a huge difference and help you make a full recovery. Request 24/7 NightSpire ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

NightSpire ransomware statistics & facts

NightSpire Decryptor
NightSpire IOCs
NightSpire Attack Vectors
Case Outcomes
How to Remove NightSpire Ransomware
How to Recover from NightSpire Ransomware
Ransom Amounts
NightSpire Decryptor

No legitimate public decryptor exists. NightSpire uses AES/RSA hybrid encryption (exact algorithms vary by variant). Recovery requires offline backups or ransom payment. Law enforcement coordination is recommended; NightSpire infrastructure may be vulnerable to seizure given rapid growth and visible leak site.

NightSpire IOCs

Search for .nspire file extensions and readme.txt ransom notes appearing in affected directories. Monitor for Mimikatz execution, PowerShell credential dumping, WinSCP data movement, and FortiOS vulnerability exploitation attempts. Watch leak site for victim indicators.

File Extensions
.nspire, .nspire2024 (variant-dependent)

Ransom Note Filenames
readme.txt (simple naming); some variants include victim ID in filename

NightSpire Hashes
SHA256 hashes vary significantly due to RaaS affiliate variation. Monitor for behavioral indicators rather than static signatures. Known Mimikatz and PowerShell variants can be identified by command-line arguments.

NightSpire Tools
Reconnaissance: Shodan, Censys for public-facing service discovery
Phishing: Custom credential stealers, malicious Office documents
Exploitation: CVE-2024-55591 (FortiOS), RDP brute force
Credential Dumping: Mimikatz, LSASS process access
Lateral Movement: PowerShell, PsExec, administrative shares, WMI
Data Exfiltration: WinSCP, rclone (configured via affiliate)
Encryption: AES/RSA hybrid (customizable per affiliate)

Most Common Red Flag
Sudden appearance of .nspire files across network shares, combined with readme.txt ransom notes, Mimikatz process execution, and WinSCP data movement to external hosts. Often preceded by phishing emails or failed RDP login attempts from diverse source IPs (brute force attacks).

NightSpire Attack Vectors

Attack vector

% of NightSpire incidents

Notes

Phishing with Credential Stealer

40%

Malicious attachments delivering info-stealing malware

FortiOS Vulnerability (CVE-2024-55591)

30%

Exploitation of unpatched Fortinet appliances

RDP Brute Force

20%

Weak password attack across internet-facing RDP

Supply Chain/IAB Access

10%

Initial Access Brokers selling compromised credentials

Powered By WP Table Builder
Case Outcomes

A manufacturing organization ignored ransom deadline and paid 2 weeks later at 5x the initial demand. A healthcare organization paid within 48 hours; data was released on 3 separate forums within 1 week despite payment. One maritime company engaged law enforcement; FBI coordination identified NightSpire C2 infrastructure, resulting in partial key recovery before complete data staging.

How to Remove NightSpire Ransomware

Isolate all systems showing .nspire file extensions from network immediately. Scan for and terminate Mimikatz processes and WinSCP connections. Disable all compromised user accounts; force password reset network-wide. Restore from verified offline backups. Monitor for re-infection attempts via failed RDP login monitoring and phishing attack patterns.

How to Recover from NightSpire Ransomware

Recovery from offline backups is required; assume all credentials compromised. Rotate all credentials before bringing systems back online. Implement network segmentation to isolate critical data. Monitor for re-infection attempts for 90+ days, focusing on phishing, RDP access patterns, and credential access from unusual geographies. Engage law enforcement immediately—NightSpire infrastructure may enable key recovery.

Ransom Amounts

NightSpire demands typically range from $150,000 to $2,000,000 for SMEs, with manufacturing organizations receiving higher demands based on perceived ransom capacity. Aggressive 2-day deadlines suggest the gang prefers rapid payment over negotiation. Reported settlement rates are 30-40% of initial demand when negotiation occurs.

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What Is NightSpire Ransomware?

NightSpire is a Ransomware-as-a-Service group that emerged in February 2025 and launched its public leak site March 12, 2025, assessed as a rebrand of the Rbfs operation. The group claims 150+ victims across manufacturing, finance, healthcare, maritime, and other sectors, operating with aggressive 2-day payment deadlines and countdown timers on its leak site. NightSpire uses AES/RSA hybrid encryption and conducts double extortion through data exfiltration and public victim exposure. The group leverages CVE-2024-55591 in FortiOS, phishing with credential stealers, and RDP brute force for initial access.

Where Is NightSpire Based?

Attribution analysis suggests Eastern European or Russian-based operations based on infrastructure patterns, operational tempo, and ransom communication preferences. The RaaS model suggests the operator seeks distance from actual attacks through affiliate recruitment. No definitive nation-state affiliation has been published; group appears financially motivated with rapid operational scaling.

How Does NightSpire Attack?

NightSpire gains initial access through phishing campaigns delivering credential-stealing malware, exploitation of CVE-2024-55591 in unpatched Fortinet appliances, or RDP brute force against weak passwords. Affiliates establish persistence, conduct reconnaissance using Shodan or public vulnerability databases, exfiltrate sensitive data via WinSCP or rclone, and deploy the AES/RSA hybrid encryption ransomware. The aggressive 2-day deadline pressurizes organizations to pay before proper incident response coordination.

How Long Do NightSpire Attacks Last?

From initial phishing delivery or vulnerability exploitation to ransom note deployment, NightSpire attacks average 3-10 days of dwell time, allowing for credential access and data exfiltration. The 2-day payment deadline begins upon ransom note delivery, not initial compromise, forcing organizations into rapid crisis response decision-making.

Can NightSpire Files Be Decrypted?

No legitimate public decryptor exists. NightSpire uses AES/RSA hybrid encryption, which is cryptographically secure. Law enforcement coordination may enable key recovery from seized infrastructure, given NightSpire’s rapid operational growth and visible leak site infrastructure. Ransom payment offers no guarantee of data deletion—the gang publishes data on multiple forums despite payment in 50%+ of cases.

What Happens After NightSpire Encryption?

All files encrypted with .nspire extension become inaccessible. The gang publishes victim names, company logos, and sample data on their leak site with countdown timers (3-90 days) indicating permanent data release. Manufacturing and healthcare targets face severe operational disruption—production halts, patient care interruptions, supply chain failures. The aggressive deadline forces hasty payment decisions without proper negotiation.

How Can Organizations Prevent NightSpire?

Patch all Fortinet appliances within 48 hours of CVE release; CVE-2024-55591 is actively exploited. Enforce MFA on all RDP, VPN, and administrative accounts to prevent brute force attacks. Conduct monthly phishing simulations; train employees to identify credential-stealing attachments. Disable or restrict internet-facing RDP; use jump hosts instead. Monitor for unusual data movement via WinSCP or rclone. Maintain offline, immutable backups tested quarterly.

NightSpire Prevention Checklist

– Patch Fortinet FortiOS appliances immediately upon CVE-2024-55591 release notification
– Enforce MFA on all RDP, VPN, and administrative accounts
– Monitor for RDP brute force attempts; implement account lockout policies
– Implement email filtering to block credential-stealing attachments
– Conduct monthly phishing simulations with security awareness training
– Disable or restrict internet-facing RDP; use jump hosts with logging
– Monitor for WinSCP and rclone execution; restrict to trusted administrative users
– Maintain offline, encrypted backup copies tested quarterly
– Implement EDR with detection rules for Mimikatz execution
– Establish incident response plan with ransomware negotiation specialist contact information

Why Does NightSpire Enforce Such Aggressive 2-Day Deadlines?

Aggressive 2-day deadlines serve tactical and psychological purposes:
1) Pressurize organizations to skip proper incident response and negotiate directly
2) Reduce time for law enforcement coordination that may enable key recovery
3) Increase likelihood of hasty ransom payment without negotiation leverage
4) Maximize ransom velocity by preventing extended negotiation cycles
5) Create organizational chaos and decision-making errors through time pressure

What Makes NightSpire Different from Other RaaS Groups?

NightSpire’s explicit focus on 2-day deadlines and aggressive countdown timers on the public leak site differentiates it from standard RaaS groups that maintain longer negotiation windows. The volume of claimed victims (150+ by early 2026) suggests rapid scaling of affiliate recruitment. The manufacturing sector focus (>33% of victims) indicates deliberate vertical targeting rather than indiscriminate affiliate attacks.