A new ransomware strain called NightSpire has emerged as a significant threat since its discovery in early 2025, employing double-extortion tactics that combine data encryption with data theft. The malware encrypts victim files while simultaneously exfiltrating sensitive information, which attackers threaten to publish on a Tor-based leak site if ransom payments are not received.
NightSpire represents the latest evolution in ransomware operations that have moved beyond simple encryption to include data theft and public shaming tactics. This double-extortion approach puts additional pressure on victims, as organizations face both operational disruption from encrypted systems and potential regulatory penalties or reputational damage from data exposure. The ransomware has demonstrated rapid growth in its first three months of operation.
The malware's technical approach centers on abusing Remote Desktop Protocol (RDP) to maintain stealthy persistence on compromised networks. By leveraging RDP, attackers can maintain long-term access to victim systems while blending in with legitimate remote administration traffic. This technique allows threat actors to move laterally within networks, escalate privileges, and deploy the ransomware payload when conditions are optimal for maximum impact.
The use of RDP for persistence makes NightSpire particularly dangerous for organizations that rely heavily on remote access infrastructure. Many businesses expanded their RDP deployments during the shift to remote work, creating a larger attack surface. Poorly secured RDP endpoints with weak credentials or missing security controls provide easy entry points for ransomware operators.
Security teams should immediately review and harden RDP configurations across their environments. Critical steps include enforcing multi-factor authentication on all remote access points, restricting RDP access to specific IP addresses or VPN connections, and implementing network segmentation to limit lateral movement. Organizations should also deploy endpoint detection and response tools capable of identifying suspicious RDP activity, maintain offline backups that ransomware cannot reach, and ensure incident response plans specifically address double-extortion scenarios.
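One way to act on the "identify suspicious RDP activity" step above, as an added example that is not part of the article or its source: a small Python checker over constructed Windows 4624 logon records that flags RemoteInteractive (LogonType 10) sessions originating outside an assumed VPN pool or outside business hours. The key=value record format, the 10.20.0.0/24 allowlist and the 08:00-17:59 window are assumptions chosen for illustration.

```python
"""Flag RDP logons (4624, LogonType 10) outside an expected source range or time window."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Assumed policy: RDP is only expected from the VPN pool during business hours.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical VPN pool
BUSINESS_HOURS = range(8, 18)                              # 08:00-17:59 local time
RDP_LOGON_TYPE = 10                                        # RemoteInteractive

@dataclass
class Finding:
    when: datetime
    user: str
    source: str
    reasons: list

def parse_event(line):
    """Parse a flattened 'ts=... id=... type=... user=... src=...' record;
    this key=value layout is a constructed stand-in for a SIEM export."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return {"when": datetime.fromisoformat(f["ts"]), "id": int(f["id"]),
            "type": int(f["type"]), "user": f["user"], "src": f["src"]}

def check_rdp_logon(ev):
    """Return a Finding for a successful RDP logon that breaks policy, else None."""
    if ev["id"] != 4624 or ev["type"] != RDP_LOGON_TYPE:
        return None  # not an interactive RDP session (e.g. LogonType 3 network logon)
    reasons = []
    src = ipaddress.ip_address(ev["src"])
    if not any(src in net for net in ALLOWED_SOURCES):
        reasons.append("source outside VPN allowlist")
    if ev["when"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return Finding(ev["when"], ev["user"], ev["src"], reasons) if reasons else None

def scan(lines):
    """Run every record through the check and keep only the findings."""
    return [f for f in (check_rdp_logon(parse_event(ln)) for ln in lines) if f]

# Constructed sample: one normal RDP logon, one network logon, two policy breaks.
SAMPLE_LOG = [
    "ts=2025-03-03T09:15:00 id=4624 type=10 user=jdoe src=10.20.0.15",
    "ts=2025-03-03T10:05:00 id=4624 type=3 user=jdoe src=203.0.113.7",
    "ts=2025-03-03T02:40:00 id=4624 type=10 user=svc-backup src=203.0.113.7",
    "ts=2025-03-03T11:30:00 id=4624 type=10 user=admin src=198.51.100.9",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.user} from {f.source}: {', '.join(f.reasons)}")
```

In a real deployment the same check would run over exported Security log events, with the allowlist and hours taken from the organisation's remote-access policy rather than hard-coded.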
Source: https://gbhackers.com/nightspire-ransomware-abuses-rdp/