Warning About NightSpire Ransomware Following Cases of Damage in South Korea
Essential information
- Published: 01/09/2025 09:53
- Modified: 01/09/2025 10:34
- Tags: 2025-08-29, 2025-09-01, aes, cyber-extortion, dedicated leak site, double-extortion, encryption, nightspire, ransomware, rsa, south korea
- Related entities: 2 observables, 1 intrusion sets (apt), 8 techniques (mitre), 1 malware, 15 others
Description
NightSpire, a ransomware group active since February 2025, employs an aggressive strategy and specialized infrastructure similar to Ransomware-as-a-Service models. The group operates a Dedicated Leak Site, where it posts victim information and countdown timers for data release. It uses highly threatening language and offers various communication channels for negotiations. NightSpire targets corporations across multiple countries and industries with a double-extortion strategy of encrypting and leaking data. The ransomware uses block encryption for specific file types and full encryption for others, and adds the .nspire extension to encrypted files. It inserts the AES symmetric key at the end of each encrypted file, with that key further secured by RSA public key encryption.