— NightSpire¶
Threat-actor battle card · maintained from public sources · last updated 2026-06-23
Overview¶
NightSpire is a financially motivated ransomware operation active since early 2025 that runs its operations in-house rather than through an affiliate-based RaaS model — a less common structure that gives it tighter operational control. It has claimed 283+ victims across 28 industries as of June 2026, posting 74 victims on its DLS in Q1 2026 alone. Healthcare is a recurring target across multiple countries.
Tradecraft¶
- Double-extortion: exfiltrate then encrypt; threatens publication and third-party data sale when deadlines expire.
- Aggressive ransom deadlines, sometimes as short as two days.
- Targets organisations across healthcare, consumer services, manufacturing, and professional services.
- No confirmed initial-access vector published by authoritative sources to date.
Notable recent victims¶
- Artistic Smiles (US, consumer services) — DLS, June 2026
- Dean Cosmetic Dentistry (US, healthcare) — DLS, June 2026 (attack est. May 2025)
Assessment¶
A self-contained operator with a consistently escalating victim count. The in-house model makes affiliate disruption ineffective — no affiliate network to penetrate or flip. Healthcare targeting and two-day extortion deadlines make it a high-severity risk for providers with thin incident-response capacity.
Sources¶
- Barracuda Networks — NightSpire: Wannabe warlords in ransomware's shadow realm
- AttackIQ — Emulating the Persuasive NightSpire Ransomware
- HivePro — NightSpire Ransomware Expands Reach with Aggressive Extortion Deadlines
- Picus Security — NightSpire Ransomware Attack Chain, Tools and Tactics
🗂️ Attacks & victims¶
All disclosed victims attributed to this actor, newest first.
June 2026