A ransomware threat called NightSpire is making waves across dozens of industries and countries, using a surprisingly simple but effective approach to break into systems and lock victims out of their own data. First identified in early 2025, NightSpire has already hit hospitals, schools, government offices, and financial institutions alike. What makes it stand out is not just what it encrypts, but how quietly it moves before anyone notices.
NightSpire operates a double extortion model: the operators first steal sensitive files from the victim's environment, then encrypt the data they can reach. A victim who refuses to pay is threatened with publication of the stolen files on the group's Tor-based leak site, which is why restoring from backups alone does not end the incident. Between March and June 2025, NightSpire hit at least 64 organizations across 33 countries, with the United States topping the victim list, followed by Turkey, Hong Kong, Japan, Taiwan, Mexico, Spain, and Egypt.
Initial Access via RDP
NightSpire gains initial access through Remote Desktop Protocol (RDP), a legitimate Windows feature used by IT teams around the world every day, so the first trace of the intrusion is an interactive RDP logon that looks like routine administration. Once inside, instead of deploying custom backdoors that might trigger security alerts, the attackers install widely trusted remote administration software to keep a steady foothold on compromised machines.
On compromised endpoints, AnyDesk was found registered both as a Windows service and as a shortcut in the Startup folder, so it relaunches on every reboot even if one of the two persistence points is cleaned up. In another variation, the attackers deployed Chrome Remote Desktop enrolled against a Google account under their control, which gives them browser-based access from anywhere without a custom implant. Because these tools are legitimate and commonly used for IT support, their binaries, services and network traffic are far less likely to raise flags in security monitoring, and the defender's signal has to come from where and by whom they were installed rather than from the tools themselves.
Data Exfiltration and Encryption
Before triggering encryption, NightSpire operators spend time harvesting valuable data. Targeted folders are compressed into password-protected archives using 7-Zip, which reduces the number of files that have to be transferred out and keeps the contents opaque to data-loss-prevention and network inspection tools that would otherwise recognise the documents leaving.
The Go-based encryptor is then launched. It walks every accessible drive and path, renames each encrypted file with the .nspire extension and drops ransom notes throughout the system. Notably, the malware also encrypts OneDrive files without changing their extensions; those files look normal in the cloud interface until someone tries to open them, and the OneDrive client syncs the encrypted content up to the cloud copy. Any detection or damage assessment that keys only on the .nspire extension therefore misses these files, so OneDrive folders have to be checked on content (magic bytes or entropy) rather than on file names.
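The following script is an added example, not code from the original page or from the malware's authors. It performs the two checks the previous paragraph implies a responder needs after a NightSpire incident: a sweep for files renamed with the .nspire extension, and a content check for files that kept a normal extension (the OneDrive case) but whose first bytes no longer match their format's magic signature and look like ciphertext. The entropy threshold, the magic-byte table and the sample tree it builds in a temporary directory are all constructed for the example.

```python
"""Hunt for NightSpire-style encryption artifacts in a directory tree.

Two checks, added here as an example (not code from the original page or
from the malware's authors):
  1. files renamed with the .nspire extension;
  2. files that keep a normal extension (the OneDrive case) but whose first
     bytes no longer match the format's magic signature and look like
     high-entropy ciphertext.
The sample tree is constructed in a temp directory so the script runs offline.
"""
import math
import os
import random
import tempfile
from collections import Counter
from typing import Dict, List, Optional

ENCRYPTED_EXT = ".nspire"          # extension reported for NightSpire
ENTROPY_THRESHOLD = 7.2            # bits per byte; ciphertext approaches 8.0 (assumed cut-off)

# Public file signatures for a few common formats (OOXML is a ZIP container).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str, sample_size: int = 4096) -> Optional[str]:
    """Return 'renamed', 'magic_mismatch' or None for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ENCRYPTED_EXT:
        return "renamed"
    magic = MAGIC.get(ext)
    if magic is None:                      # unknown format: nothing to compare
        return None
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(magic):             # still the format its name claims
        return None
    # Wrong magic alone is just a misnamed file; wrong magic plus near-random
    # bytes is what content encrypted in place looks like.
    return "magic_mismatch" if shannon_entropy(head) >= ENTROPY_THRESHOLD else None

def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and bucket suspicious files by verdict (paths relative to root)."""
    findings: Dict[str, List[str]] = {"renamed": [], "magic_mismatch": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify_file(full)
            if verdict:
                findings[verdict].append(os.path.relpath(full, root))
    return findings

def build_sample_tree() -> str:
    """Constructed sample data: two benign files, a misnamed plain-text file,
    a renamed encrypted file, and an encrypted OneDrive file kept under its
    original name. Random bytes stand in for ciphertext."""
    rng = random.Random(2025)              # deterministic so the run is repeatable
    noise = lambda: bytes(rng.getrandbits(8) for _ in range(4096))
    root = tempfile.mkdtemp(prefix="nspire_demo_")
    os.makedirs(os.path.join(root, "OneDrive"))
    samples = {
        "report.pdf": b"%PDF-1.7\n" + b"ordinary report text " * 200,
        "photo.png": b"\x89PNG\r\n\x1a\n" + noise(),      # high entropy but valid magic
        "notes.pdf": b"meeting notes, actually plain text " * 120,  # misnamed, not encrypted
        "budget.xlsx" + ENCRYPTED_EXT: noise(),
        os.path.join("OneDrive", "contract.docx"): noise(),  # encrypted, name unchanged
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for verdict, paths in scan_tree(build_sample_tree()).items():
        print(verdict, paths)
```

The entropy gate matters in practice: a PDF that is really plain text fails the magic check but is not ciphertext, and a compressed PNG has high entropy but still carries its signature, so only the OneDrive document that lost its magic bytes and became near-random is reported. On a real host, point `scan_tree` at the user's OneDrive folder and compare the result with the cloud version history, which may still hold pre-encryption copies.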
Broad Sector Targeting
According to analysis by Picus Security, the attacks span a wide range of sectors, from healthcare and education to manufacturing, hospitality, IT services, and logistics. No industry appears off-limits. The global spread of victims points to a well-coordinated and motivated threat operation. In just three months, operators logged over 45 victims on their own Tor-based leak blog.
How to Protect Your Organization
Defending against NightSpire requires addressing the initial entry point and the persistence mechanisms simultaneously:
- Restrict RDP access: expose it only through a VPN or zero-trust gateway, never directly to the internet, and require Network Level Authentication on any host that still accepts RDP
- Enforce multi-factor authentication on all remote access, including the VPN or gateway that fronts RDP
- Monitor and restrict remote administration software: AnyDesk, TeamViewer, and Chrome Remote Desktop should run only where explicitly approved, enforced with application control and by blocking their relay traffic at the egress for everyone else
- Alert on new startup entries and unexpected service installations (System log event 7045, Run keys, and .lnk files in Startup folders), and treat a remote-admin tool appearing there on a server as an incident rather than a helpdesk ticket
- Monitor 7-Zip usage for large-scale, password-protected archive creation (the -p switch on the command line), which indicates pre-exfiltration staging
- Maintain offline or immutable backups that cannot be reached from compromised systems, and test restores; a synced OneDrive copy is not a backup, since the encryptor's output is synced up as well
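The following detection pass is an added example, not code from the original page or from any vendor's product. It turns four of the points above into rules and runs them over a handful of constructed Windows event records in the dict shape a SIEM agent would emit: an RDP logon (4624, logon type 10) from outside the internal ranges, a remote-admin tool registered as a service (7045), 7-Zip invoked with a password switch (4688), and a .lnk dropped into a Startup folder (Sysmon event 11). The internal ranges, the approved-tool list and the sample events are assumptions for the example; real 4688 records only carry a command line when the "Include command line in process creation events" audit policy is on.

```python
"""Toy detection pass for the NightSpire tradecraft described above.
Added example, not from the original page or any vendor. Event records are
constructed; INTERNAL_NETS and APPROVED_REMOTE_TOOLS are placeholders."""
import ipaddress
import ntpath
import re
from typing import Dict, List, Optional

# RFC 1918, loopback and link-local (v4 and v6). Replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Tools seen in the campaign; remoting_host.exe is the Chrome Remote Desktop host.
REMOTE_ADMIN_RE = re.compile(r"anydesk|teamviewer|remoting_host|chrome remote desktop", re.I)
APPROVED_REMOTE_TOOLS = {"TeamViewer"}      # assumption: helpdesk-approved service name
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SEVENZIP_IMAGES = {"7z.exe", "7za.exe", "7zg.exe"}
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

def is_external_ip(addr: str) -> bool:
    """True for a parseable address outside INTERNAL_NETS ('-' and junk are False)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)  # v4/v6 mismatch is simply False

def rdp_logon_from_internet(ev: Dict) -> Optional[str]:
    """4624 with LogonType 10 (RemoteInteractive) from a non-internal source."""
    if ev.get("EventID") == 4624 and str(ev.get("LogonType")) == "10" \
            and is_external_ip(ev.get("IpAddress", "")):
        return f"RDP logon {ev.get('TargetUserName')} from {ev['IpAddress']}"
    return None

def remote_admin_service_installed(ev: Dict) -> Optional[str]:
    """7045: a new service whose name or binary is a remote-admin tool."""
    if ev.get("EventID") != 7045:
        return None
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    if (REMOTE_ADMIN_RE.search(name) or REMOTE_ADMIN_RE.search(path)) \
            and name not in APPROVED_REMOTE_TOOLS:
        return f"service {name!r} -> {path}"
    return None

def sevenzip_password_archive(ev: Dict) -> Optional[str]:
    """4688: 7-Zip adding files ('a') to an archive with a -p<password> switch."""
    if ev.get("EventID") != 4688:
        return None
    image = ntpath.basename(ev.get("NewProcessName", "")).lower()
    tokens = ev.get("CommandLine", "").split()
    if image in SEVENZIP_IMAGES and "a" in tokens and any(t.startswith("-p") for t in tokens):
        return f"password-protected archive: {ev['CommandLine']}"
    return None

def startup_shortcut_created(ev: Dict) -> Optional[str]:
    """Sysmon 11 (FileCreate): a .lnk written into a Startup folder."""
    target = ev.get("TargetFilename", "")
    if ev.get("EventID") == 11 and ev.get("Channel") == SYSMON_CHANNEL \
            and STARTUP_LNK_RE.search(target):
        return f"startup shortcut {target} by {ev.get('Image')}"
    return None

RULES = (rdp_logon_from_internet, remote_admin_service_installed,
         sevenzip_password_archive, startup_shortcut_created)

def evaluate(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event in order; return alert dicts."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"rule": rule.__name__, "host": ev.get("Computer"), "detail": detail})
    return alerts

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.20.30.40"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "AnyDesk Service", "ImagePath": "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --service"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "TeamViewer", "ImagePath": "\"C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe\""},
    {"EventID": 4688, "Computer": "FS01", "NewProcessName": "C:\\Program Files\\7-Zip\\7z.exe", "CommandLine": "7z.exe a -pHunter2 -mhe=on C:\\Users\\Public\\stage.7z C:\\Finance"},
    {"EventID": 4688, "Computer": "FS01", "NewProcessName": "C:\\Program Files\\7-Zip\\7z.exe", "CommandLine": "7z.exe x C:\\Users\\jsmith\\Downloads\\drivers.7z"},
    {"EventID": 11, "Channel": SYSMON_CHANNEL, "Computer": "FS01", "Image": "C:\\Users\\svc_backup\\AppData\\Local\\Temp\\AnyDesk.exe",
     "TargetFilename": "C:\\Users\\svc_backup\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\AnyDesk.lnk"},
    {"EventID": 11, "Channel": SYSMON_CHANNEL, "Computer": "FS01", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\jsmith\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["rule"], alert["host"], alert["detail"])
```

Of the eight sample records, four fire: the external RDP logon, the AnyDesk service, the `7z.exe a -p...` staging command and the AnyDesk.lnk in the Startup folder. The internal RDP logon, the approved TeamViewer service, the 7-Zip extraction and the ordinary document write are left alone. Seen together on one host within a short window, these four are the sequence the page describes, so correlating them by `Computer` is the obvious next step for a SIEM rule.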
Security teams can also simulate NightSpire attack patterns against their own defenses using breach and attack simulation platforms to find and close gaps before real attackers do.