Nightspire CTI Report

NightSpire is a Go 1.24.11–compiled ransomware family that enumerates Windows volumes, spawns parallel goroutines (one per drive), and performs intermittent AES-256-CTR file encryption with per-file keys wrapped by an embedded RSA-4096 public key; the sample includes plaintext infrastructure strings (onion URLs, emails), a file-tail signature ("sNightspire"), and numerous IOCs and hunting queries to detect pre-encryption volume enumeration and mass .nspire file creation.