Decoding NightSpire: Ransomware IOCs Aren't Set in Stone
ID: 6f2ece5f-c8df-52c7-be2c-c6642219d1e5
STIX ID: report--6f2ece5f-c8df-52c7-be2c-c6642219d1e5
Feed Name: Huntress Blog
**Executive summary:** Huntress investigated NightSpire ransomware incidents in Dec 2025 and Mar 2026. The incidents show RDP-based access, installation of remote-access tools (Chrome Remote Desktop, AnyDesk), use of Everything and 7-Zip for data staging, MEGASync for exfiltration, and subsequent file encryption (*.nspire) with ransom notes. The report includes SHA256 hashes, ransom note filenames, an email address, and an operations folder path as IoCs, and discusses whether NightSpire is run as a RaaS or by a closed actor given observed variation in TTPs.
