TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

Decoding NightSpire: Ransomware IOCs Aren't Set in Stone

2026-04-07

ATT&CK techniques detected (17 predictions; each entry lists the technique, the tagger's confidence, and the article excerpt it was derived from)

T1486 Data Encrypted for Impact (100%)
"…, 7zip, and MEGAsync, and we know that the threat actor viewed some files via Everything, but we do not have the evidence to validate the statement that “2.5TB” of data was taken, nor the actual content of the files taken. Previous NightSpire incident: it turns out that this wa…"

T1486 Data Encrypted for Impact (99%)
"Decoding NightSpire: Ransomware IOCs Aren't Set in Stone. Our industry has a ransomware actor categorization problem. News articles will frequently feature splashy headlines like “Akira ransomware group targets critical infrastructure.” However, the reality is that Akira, and…"

T1486 Data Encrypted for Impact (99%)
"…, indicators and tactics, techniques, and procedures (TTPs) will vary from one attack to another, even when the files are encrypted by the same ransomware. Particularly for MSSPs and MDRs, while there may be a cluster of attacks across their customer base that include the same …"

T1486 Data Encrypted for Impact (99%)
"…the most recent incident investigated by Huntress, this does not appear to be the case. In fact, the threat actor, be they “the NightSpire ransomware group” or an affiliate, appears to have had to “truck in” all of their tooling, including Chrome Remote Desktop and AnyDesk …"

T1486 Data Encrypted for Impact (99%)
"The Akira file encryptor is widely known to launch a PowerShell command, as a child process, to delete available volume shadow copies (VSCs). In 2020, Sodinokibi samples were found to include 156 unique embedded commands to terminate processes and services associated with anti…"

T1486 Data Encrypted for Impact (98%)
"…endpoint, and then running Everything, from which the threat actor could then be seen, based on process lineage, accessing files via the Everything interface. The threat actor could then be seen running 7zip to archive files from a specific folder. The following day, the threat a…"

T1486 Data Encrypted for Impact (93%)
"These differences may indicate an evolution of the ransomware itself, or they could represent variation due to affiliates distributing NightSpire. While it remains to be seen as to whether or not NightSpire follows a RaaS model, the varying TTPs in these incidents show that indic…"

T1219 Remote Access Tools (86%)
"…as) model”. It's possible that this is less about confusion, and more about an evolution of the structure and model of the group itself. But why does it ultimately make a difference from the perspective of defenders? NightSpire incident: at the end of March 2026, the Huntres…"

T1080 Taint Shared Content (76%)
"…endpoint, and then running Everything, from which the threat actor could then be seen, based on process lineage, accessing files via the Everything interface. The threat actor could then be seen running 7zip to archive files from a specific folder. The following day, the threat a…"

T1486 Data Encrypted for Impact (66%)
"…as) model”. It's possible that this is less about confusion, and more about an evolution of the structure and model of the group itself. But why does it ultimately make a difference from the perspective of defenders? NightSpire incident: at the end of March 2026, the Huntres…"

T1679 Selective Exclusion (55%)
"…, indicators and tactics, techniques, and procedures (TTPs) will vary from one attack to another, even when the files are encrypted by the same ransomware. Particularly for MSSPs and MDRs, while there may be a cluster of attacks across their customer base that include the same …"

T1219 Remote Access Tools (49%)
"…endpoint, and then running Everything, from which the threat actor could then be seen, based on process lineage, accessing files via the Everything interface. The threat actor could then be seen running 7zip to archive files from a specific folder. The following day, the threat a…"

T1679 Selective Exclusion (40%)
"…, 7zip, and MEGAsync, and we know that the threat actor viewed some files via Everything, but we do not have the evidence to validate the statement that “2.5TB” of data was taken, nor the actual content of the files taken. Previous NightSpire incident: it turns out that this wa…"

T1021.001 Remote Desktop Protocol (38%)
"…as) model”. It's possible that this is less about confusion, and more about an evolution of the structure and model of the group itself. But why does it ultimately make a difference from the perspective of defenders? NightSpire incident: at the end of March 2026, the Huntres…"

T1080 Taint Shared Content (36%)
"…the most recent incident investigated by Huntress, this does not appear to be the case. In fact, the threat actor, be they “the NightSpire ransomware group” or an affiliate, appears to have had to “truck in” all of their tooling, including Chrome Remote Desktop and AnyDesk …"

T1059.001 PowerShell (35%)
"The Akira file encryptor is widely known to launch a PowerShell command, as a child process, to delete available volume shadow copies (VSCs). In 2020, Sodinokibi samples were found to include 156 unique embedded commands to terminate processes and services associated with anti…"

T1080 Taint Shared Content (34%)
"…, 7zip, and MEGAsync, and we know that the threat actor viewed some files via Everything, but we do not have the evidence to validate the statement that “2.5TB” of data was taken, nor the actual content of the files taken. Previous NightSpire incident: it turns out that this wa…"

Summary

A recent incident linked to the NightSpire ransomware workflow gives insight into why the RaaS structure and model, or lack thereof, are important – especially when it comes to scoping and recovering from the incident.