Nightspire — Ransom Notes

These are the actual ransom notes used by the NightSpire ransomware group when communicating with victims. Ransom notes are left on compromised systems to inform victims of the attack and provide instructions for payment. Studying these notes helps security professionals understand threat actor tactics and communication patterns.
Disclaimer: These notes are displayed for educational and research purposes only. The URLs and contact methods mentioned in these notes are operated by criminal organizations. Do not interact with them. Source: Ransomware.live
📄 [NSPIRE_MSG]
NightSpire Encryption Notice

Your internal servers and backup & virtual infrastructure have been fully compromised.
All your files encrypted by NIGHTSPIRE Ransomware.
You have 72 hours to respond.

The initial payment for decryption and file deletion is 30000 USD in Bitcoin. This amount is based on your annual revenue, and this is notably less amount than all of your past hard work and effort to develop all of your products. However, the amount can be renegotiated depending on the circumstances.

Our Discount Service Includes:
- If you respond within 48 hours, we will provide you 30% discount as service.
- If you respond within 24 hours, we will provide you 50% discount as service.

"The faster you pay, the lower the ransom." That's our motto.

Failure to cooperate will result in public disclosure. We possess a complete list of files and document samples that serve as proof of the access. You can see the decryption demo video and the list of copied files on our website.

------------------- About NightSpire – Cooperate: The Win-Win Resolution -------------------

Full Decryption Tool + Instructions: Universal binary decrypts all affected systems in hours.
Data Deletion Proof: Timestamped logs, blockchain-verified wipe certificates—your data erased forever.
Secrecy Assurances: No traces online; we expunge all references post-deal.
Bonus: Security Audit Report: Detailed breach vector analysis + fixes, valued at $50K+ from legit firms.
Payment Flexibility: Crypto (BTC We Offer), staged if needed—processed by our financial team.

NightSpire isn't a lone hacker in a basement. We're a structured syndicate with standard operating procedures, support desks, recruiters, and analysts—like a Fortune 500 but optimized for cyber efficiency. Our reputation demands we deliver: victims who pay get results, building trust for mutual long-term gains. Non-payment erodes that, but cooperation upholds it.
Security researchers and reputation confirm, we're a fully fledged cyber group... built to monetize. We honor deals to ensure repeat business across the ecosystem.

--------------------------- WHAT HAPPENS IF YOU DON'T PAY -------------------------------

- The hacked news about your company will be posted on our Onion site.
- Source codes of your all software products will be open source.
- Your clients and partners may be notified about the data breach.
- The data may be shared or sold to third parties.
- You will permanently lose access to your encrypted data.
- We will not provide any decryption tools or support.

----------------------------------------- CAUTION ---------------------------------------------

>>> Important – Do Not
DO NOT modify files.
DO NOT use third-party tools.
Unncessary activities cause permanent loss of your data.
AES-256/RSA-4096 = impossible without our key.

>>> WARNING – NO INTERMEDIARIES
Do NOT use recovery or negotiation companies.
They are middlemen who profit from deception.
For example:
They charged victims $1M
Secretly negotiated with us for $200K
Kept $800K for themselves.
Contacting us directly = 5× lower cost.
Middlemen only steal from you.
Deal direct.
Pay less.
Resolve faster.

>>> IMPORTANT – INSURANCE NOTICE
Do NOT involve your cyber insurance company directly.
They will sabotage negotiations to avoid paying the full policy amount.
If your coverage is $10M, they will offer us $100K.
We will reject it.
They will refuse to increase.
Result: no payment, full data leak, total damage — for you.
If you anonymously inform us of your insurance limits and terms,
we will NOT exceed that amount in negotiations.
This guarantees:
• Fast resolution
• Data deletion
• Full decryption
• No public leak
Silence only benefits the insurer.
Transparency benefits you.
Choose wisely.

>>> CONSEQUENCES OF DATA LEAK
If your data is leaked:
• Government fines (GDPR, compliance, tax authorities)
• Lawsuits from clients and partners
• Criminal abuse of employee and customer identities
• Bank fraud, loan fraud, money laundering
• FBI investigations and legal exposure
• Competitor espionage and business sabotage
• Employee poaching and loss of trade secrets
• Permanent reputation destruction
Your company will bleed money, clients, trust, and stability.
Statistics: 2 out of 3 companies shut down within 6 months after a major data breach.
The cost of recovery is hundreds of times higher than the ransom.
Paying is faster. Cheaper. Safer.
Your reputation took years to build.
It takes minutes to destroy.
Read more about the GDRP legislation::
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/

-------------------------------------------- How to Contact Us ---------------------------------------------

>>> Using qTox Chat App
Our qTox ID: 038F61A270B8094E713E4815C4FA5086E4AD3A021575C6F90EE65A0C123D3E3BF6926C3B59EA
Our qTox ID: 8D663FD10BF662930F4C076CBF95FACFCC4ABD8F1A5E328DE75D0B0237A74E1AE1E0C5C37E7F

>>> Using Tor Browser:
1. Download Tor Browser: https://www.torproject.org/
2. Install Tor Browser:
• Windows: Run the installer, launch Tor Browser, and click Connect.
• macOS: Open the downloaded .dmg file, drag Tor Browser to Applications, launch it, and click Connect.
• Linux: Extract the downloaded package, run ./start-tor-browser.desktop, and click Connect.
• Android: Install from Google Play or torproject.org, open the app, and tap Connect.
• iOS (iPhone): Install Onion Browser from the App Store, open it, and tap Connect.
3. Access the under link once connected.
http://nspire7lugml7ybqyjaaxtsgrs4qn3fcon3lrjbih6wamttvdm5ke4qd.onion
Login with UUID "[snip]" and password "[snip]".
4. Also introduce you to our blog site where you can learn more about us through the link below.
http://nspirep7orjq73k2x2fwh2mxgh74vm2now6cdbnnxjk2f5wn34bmdxad.onion/

>>> On Mail
Proton Mail: [email protected]
Onion Mail: [email protected]
Contact us and verify with UUID "[snip]".

----------------------------------------------------- FAQ ------------------------------------------------------

Proof? Preview + Free sample decrypts.
Safe tool? Universal, tested.
Data gone? Solid proof.
Future attacks? Pay = gone forever + fixes.

Team NightSpire.
📄 nightspire_readme
-Your sensetive data are stolen and encrypted! If you pay within 3 days, we will decrypt it and also, we will not public your data. After that we will public this situation and all data.
-DO NOT MODIFY FILES YOURSELF.
-DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
-YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
-YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT OUR HELP.

CONTACT US:
Onion Mail : [email protected]
qTox ID: 3B61CFD6E12D789A439816E1DE08CFDA58D76EB0B26585AA34CDA617C41D5943CDD15DB0B7E6
http://a2lyiiaq4n74tlgz4fk3ft4akolapfrzk772dk24iq32cznjsmzpanqd.onion
http://nspiremkiq44zcxjbgvab4mdedyh2pzj5kzbmvftcugq3mczx3dqogid.onion

Send this message first "NSPIRE[snip]" when contact with us, so to make sure it's you.
📄 readme
Dear Management,

If you are reading this message, it means that:
- your network infrastructure has been compromised,
- sensetive data was leaked,
- files are encrypted
--------------------------------------------------------------------------
The best and only thing you can do is to contact us to settle the matter before any losses occurs.
Onion Site: http://nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd.onion
Proton Mail: [email protected]
--------------------------------------------------------------------------
1. THE FOLLOWING IS STRICTLY FORBIDDEN
1.1 EDITING FILES. Renaming files could DAMAGE the cipher and decryption will be impossible.
1.2 USING THIRD-PARTY SOFTWARE. Trying to recover with any software can also break the cipher and file recovery will become a problem.
--------------------------------------------------------------------------------------------------
2. EXPLANATION OF THE SITUATION
2.1 WHAT HAPPENED
We encrypted your workstations and servers to make the fact of the intrusion visible and to prevent you from hiding sensetive data leaks. We have already downloaded a huge amount of sensetive data and analyzed it. Now its fate is up to you, it will either be deleted or sold, or shared with the media.
2.2 VALUABLE DATA WE USUALLY STEAL:
- Databases, legal documents, personal information.
- Audit reports.
- Audit SQL database
- Any financial documents (Statements, invoices, accounting, transfers etc.).
- Work files and corporate correspondence.
- Any backups.
- Confidential documents.
2.3 TO DO LIST (best practies)
- Contact us as soon as possible.
- Contact us only in our live chat, otherwise you can run into scammers.
- Purchase our decryption tool and decrypt your files. There is no other way to do this.
- Realize that dealing with us is the shortest way to success and secrecy.
- Give up the idea of using decryption help programs, otherwise you will destroy the system permanently.
- Avoid any third-party negotiators and recovery groups. They can become the source of leaks.
--------------------------------------------------------------------------------------------------
3. POSSIBLE DECISIONS
3.1 NOT MAKING THE DEAL
- After 5 days starting tomorrow your leaked data will be Disclosed or sold.
- We will also send the data to all interested supervisory organizations and the media.
- Decryption key will be deleted permanently and recovery will be impossible.
- Losses from the situation can be measured based on your annual budget.
3.2 MAKING THE WIN-WIN DEAL
- You will get the only working Decryption Tool and the how-to-use Manual.
- You will get our guarantees (with log provided) of non-recovarable deletion of all your leaked data.
- You will get our guarantees of secrecy and removal of all traces related to the deal in the Internet.
- You will get our security report on how to fix your security breaches.
--------------------------------------------------------------------------------------------------
4. HOW TO CONTACT US
4.1 Download and install TOR Browser https://torproject.org
4.2 Go to our contact form website at http://nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd.onion/contact.php
4.3 You can request sample files chat to review leaked data samples.
4.4 In case TOR Browser is restricted in your area use VPN services.
4.5 All leaked Data samples will be Disclosed in 7 Days if you remain silent.
4.6 Your Decryption keys will be permanently destroyed at the moment the leaked Data is Disclosed.
--------------------------------------------------------------------------------------------------
5. RESPONSIBILITY
5.1 Breaking critical points of this offer will cause:
- Deletion of your decryption keys.
- Immediate sale or complete Disclosure of your leaked data.
- Notification of government supervision agencies, your competitors and clients.
--------------------------------------------------------------------------------------------------
📄 readme_2
Hi,
Your hotel is hacked!
Your servers and files are locked and copied.
===================================
REMEMBER!
We also locked files in OneDrive.
And we did not change the extensions of files in OneDrive.
===================================
You cannot decrypt yourself without our key, even you're using third party software or from help of security companies.
Please do not waste your time.
Your files will be easily decrypted with pay.
Never worry.
We're waiting here with UUID [snip]
Method * : [email protected]
Method 1 : Our qTox ID 3B61CFD6E12D789A439816E1DE08CFDA58D76EB0B26585AA34CDA617C41D5943CDD15DB0B7E6
Method 2 : Browse our Onion Site with Tor Browser
http://nspiremkiq44zcxjbgvab4mdedyh2pzj5kzbmvftcugq3mczx3dqogid.onion
http://a2lyiiaq4n74tlgz4fk3ft4akolapfrzk772dk24iq32cznjsmzpanqd.onion
We're waiting here with UUID [snip]