NightSpire
NightSpire is a ransomware threat group first observed in February 2025. Available reporting describes it as initially focused on data theft and extortion, later moving from exfiltration-only extortion to double extortion, adding encryption after theft. It is also described as a closed-group operation and has been noted for a OneDrive cloud encryption capability.

The group operated a leak site by March 12, 2025 and used ProtonMail, OnionMail, Telegram, qTox, and Tor hidden services for victim communications. One ransom note used the contact address nightspireteam.receiver@onionmail.org and stated that OneDrive files were also locked without changing their extensions. That detail matters to responders: a sweep keyed on an appended ransomware extension would not find the affected cloud-synced files, so scoping has to rely on file content or on sync-client and OneDrive audit activity instead.

Reporting links NightSpire to exploit-driven initial access and names WinSCP and Everything.exe among tools associated with rising groups including NightSpire. Both are legitimate utilities (an SFTP/SCP client and a file-system search tool respectively), so their presence is an indicator only in context, typically staging and exfiltration before encryption. VulnCheck associates NightSpire with exploitation of Fortinet FortiOS CVE-2024-55591, an authentication bypass in the FortiOS and FortiProxy management interface, alongside DragonForce, Hunters International, Qilin, RansomHub, and SuperBlack; organizations exposing FortiGate administrative interfaces to the internet should treat patch level and management-interface exposure as the first check. Broader reporting also places NightSpire among groups active in the first half of 2025 and among emerging groups whose activity increased sharply in March 2026.

Victimology indicates a primary focus on U.S. targets, with additional activity in Europe and against small and medium-sized enterprises. Specifically mentioned victims or claimed victims include Hyatt Place Chelsea New York hotel, Commune d’Ardon in France, Green Flame Gas Co in Kuwait, CAMI in the United States, and Nippon Ceramic. The Hyatt-related reporting states NightSpire allegedly leaked 48.5 GB of data from the Hyatt Place Chelsea New York hotel. Other cited victim lists include Hydro Vacuum, Baily International of Atlanta, Tophe, Raja Ferry Port Public, Far East Consortium International, Business Ledger Limited, and Tanaka Holdings. Reporting consistently characterizes NightSpire as a ransomware/extortion operation; no nation-state attribution is provided.
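Because the ransom note says OneDrive files were locked without their extensions being changed, an extension-based sweep of a synced folder will miss them. The scanner below is an added example written for this page, not NightSpire's tooling or anything from the cited reporting: it judges each file by its bytes rather than its name, checking container formats against their expected leading bytes and plain-text formats against Shannon entropy, since compressed containers such as .docx are legitimately high-entropy and would false-positive under an entropy-only rule. The magic-byte table, the 7.5 bits/byte threshold and the sample files are all constructed assumptions; the real encryption format used by the group is not described on this page.

```python
"""Flag files whose content no longer matches their extension.

Added example for this profile (not NightSpire's code): finds
extension-preserving encryption by comparing bytes to what the
extension implies. The samples at the bottom are constructed.
"""
import hashlib
import math
import os
from collections import Counter

# Hypothetical short table of expected leading bytes for container formats.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
}
# Extensions expected to hold plain text; judged by entropy instead of magic,
# because zip-based containers such as .docx are high-entropy when legitimate.
TEXT_EXT = {".txt", ".csv", ".log", ".xml", ".json", ".md"}
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """True when the first 4 KiB of data is inconsistent with the extension."""
    ext = os.path.splitext(name)[1].lower()
    head = data[:4096]
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])
    if ext in TEXT_EXT:
        return shannon_entropy(head) > ENTROPY_THRESHOLD
    return False  # unknown extension: no opinion, avoid guessing


def scan(samples: dict) -> list:
    """Return the sorted names of samples that look encrypted."""
    return sorted(name for name, data in samples.items()
                  if looks_encrypted(name, data))


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


# Constructed samples: three intact files, two locked in place, one unknown type.
SAMPLES = {
    "report.docx": b"PK\x03\x04" + b"word/document.xml<w:p/>" * 200,
    "notes.txt": b"Quarterly figures attached, see sheet 2.\n" * 100,
    "invoice.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >>\n" * 100,
    "report-locked.docx": pseudo_random(4096),
    "notes-locked.txt": pseudo_random(4096),
    "photo.jpg": pseudo_random(4096),  # not in either table: never flagged
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("suspect:", name)
```

To run this over a real sync folder, walk the directory with `os.walk`, read the first 4 KiB of each file and feed the pairs to `looks_encrypted`; extend `MAGIC` for the formats common in your environment before trusting a clean result.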
Tradecraft
20 distinct techniques observed across reporting, grouped by tactic.
Associated vulnerabilities
1 CVE associated with this actor in observed campaigns (CVE-2024-55591), known to be exploited in the wild.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Named threat actor handle extracted from dark web leak-site related content; no further activity details provided.
A ransomware group with declining operational tempo in April 2026.
Closed-group ransomware operation showing sustained growth and noted for OneDrive cloud encryption capability and FortiGate-related exploitation overlap.
Emerging ransomware group showing steady growth and primarily targeting small and medium-sized businesses in the US and Europe.