NightSpire Ransomware has emerged as a serious threat to
enterprises in Vietnam and worldwide. Since early 2025, NightSpire has
proven to be more than just another ransomware strain — it is the
creation of a highly organized cybercriminal group, operating with
ruthless strategies and professional-level attacks.
Understanding NightSpire’s attack mechanisms and its level of
sophistication is the first crucial step in building effective defense
strategies to protect your enterprise’s digital assets.
What is NightSpire Ransomware and why is it dangerous?
NightSpire operates under the “Double Extortion” model — one of
the most dangerous tactics today.
🔒 Data Encryption
Infiltrates and encrypts all critical enterprise data.
📤 Data Theft & Exposure
Steals sensitive information and publishes it on leak sites.
⏳ Psychological Pressure
Uses threats and coercion to pressure victims into paying ransom.
🌐 Global Victims
From China and Taiwan to the U.S., Japan, and Hong Kong — no industry is safe.
How NightSpire Operates
NightSpire uses Hybrid Encryption, combining both
Block and Full encryption techniques:
- Block Encryption: Encrypts only 1MB segments of large,
critical files (.iso, .vhdx, .zip, .bak, .mdf, etc.) for fast impact.
- Full Encryption: Encrypts smaller files like
documents and images entirely, making recovery nearly impossible.
File structure after encryption
When infected, NightSpire changes file extensions to .nspire and creates a readme.txt containing the victim UUID and
contact channels.
Figure 1: Files encrypted with .nspire extension and readme.txt created
Figure 2: Contents of Readme.txt
Impact on Cloud Data
NightSpire can affect synced cloud files such as OneDrive, encrypting
them locally and forcing upload of encrypted versions — overwriting
clean backups.
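The .nspire extension, the dropped readme.txt, and the block-versus-full distinction above give an incident responder something concrete to triage on. The following Python script is an added example, not code from HPT or the article: it assumes that block mode leaves the data after the first 1MB segment untouched (so a large file's tail keeps its original entropy), which the article does not state, and the 7.5 bits/byte threshold is a value chosen here.

```python
"""Triage helper: classify .nspire files as block- or full-encrypted.

Assumption (not stated in the article): block mode leaves data after the
first 1MB segment in the clear, so the tail of a large file keeps the low
entropy of its original content. Example code, not HPT's tooling.
"""
import math
from collections import Counter
from pathlib import Path

BLOCK_SIZE = 1 << 20      # the 1MB segment size described in the article
HIGH_ENTROPY = 7.5        # bits/byte; random ciphertext sits close to 8.0
EXT = ".nspire"
NOTE = "readme.txt"


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte in `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return 'full', 'block' or 'unknown' for one .nspire file."""
    with open(path, "rb") as fh:
        head = fh.read(BLOCK_SIZE)
        tail = fh.read(BLOCK_SIZE)   # sample of what follows the first segment
    if not tail:
        return "full"                 # fits in one segment: nothing was spared
    head_e, tail_e = shannon_entropy(head), shannon_entropy(tail)
    if head_e >= HIGH_ENTROPY and tail_e < HIGH_ENTROPY:
        return "block"                # only the leading 1MB looks encrypted
    if head_e >= HIGH_ENTROPY and tail_e >= HIGH_ENTROPY:
        return "full"                 # whole file ciphertext-like
    return "unknown"                  # low-entropy head: renamed, not encrypted?


def triage(root: Path) -> dict:
    """Walk `root`; bucket .nspire files by mode and collect ransom notes."""
    report = {"block": [], "full": [], "unknown": [], "notes": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == NOTE:
            report["notes"].append(str(p))
        elif p.suffix.lower() == EXT:
            report[classify_file(p)].append(str(p))
    return report
```

Compressed containers (.zip, .iso) have high-entropy plaintext, so a block-encrypted archive can land in the "full" bucket; treat that bucket as a queue for manual checking rather than a verdict.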
Indicators of Compromise (IoCs)
Below are detection names and file hashes to support detection and incident response:
V3 Antivirus Solution
- Ransomware/Win.Nightspire.C5769860
- Ransomware/Win.Nightspire.C5775165
- Ransom/MDP.Decoy.M1171
EDR Solution
- Ransom/EDR.Decoy.M2470
- Ransom/MDP.Event.M1946
IoC Hashes
- MD5: 2bf543faf679a374af5fc4848eea5a98
- MD5: e2d7d65a347b3638f81939192294eb13
What enterprises must do today
1. Vulnerability Assessment & Patching
Conduct regular penetration testing and vulnerability scans.
2. Implement Layered Defense
Adopt EDR, SIEM, and network detection solutions.
3. Secure Backup
Follow the 3-2-1 backup rule and verify recovery capability.
4. Employee Awareness Training
Regularly train staff on phishing and social engineering threats.
Don’t wait until an incident occurs.
Contact HPT today to receive professional
cybersecurity consultation and build a strong defense for your
organization.