TL;DR: NightSpire ransomware claimed 259 victims across 33 countries between February 2025 and May 2026, per Barracuda's May 2026 threat profile and Halcyon's NightSpire dossier. The crew runs a double-extortion playbook, demands ransoms of $150,000 to $2 million, and primarily targets SMBs with fewer than 1,000 employees in manufacturing, technology, and construction. Initial access is overwhelmingly Fortinet CVE-2024-55591 (FortiOS / FortiProxy authentication bypass) plus RDP brute-force. NC manufacturers, construction firms, and industrial SMBs are squarely inside the target profile.
Key takeaway: NightSpire is not a sophisticated nation-state crew. It is a fast-learning, opportunistic gang that monetizes the same three SMB mistakes every quarter: unpatched FortiOS appliances, exposed RDP, and weak SMB credential hygiene. NC manufacturers that close those three doors before the next NightSpire scan window do not become a victim post on the leak site.
Need your edge appliances patched and your RDP exposure audited this week? Preferred Data Corporation has run managed cybersecurity for NC manufacturers since 1987. Call (336) 886-3282 or book a ransomware posture review.
Who is NightSpire and why does it matter to NC SMBs?
NightSpire is a financially-motivated double-extortion ransomware group first observed in February 2025 and tracked as a likely rebrand of Rbfs. Per SOCRadar's NightSpire profile and Barracuda, the group's growth curve is a direct match for an NC SMB owner's worst-case scenario:
- 259 named victims across 33 countries between February 2025 and May 1, 2026, per Barracuda.
- 74 victims posted to the leak site in Q1 2026 alone, per SOS Ransomware's NightSpire profile.
- SMBs under 1,000 employees are the dominant share of named victims, per the Halcyon NightSpire dossier.
- Manufacturing, technology, and construction are the three most-named verticals, per Barracuda - a direct overlap with NC's Piedmont Triad industrial base.
For an NC manufacturer in High Point, a distributor in Greensboro, or a construction GC in Charlotte, NightSpire is the realistic 2026 threat profile, not a hypothetical APT scenario. The group's ransom range of $150,000 to $2 million, per DeXpose's NightSpire incident analysis, is calibrated to what an SMB will actually pay - which is why insurers and incident-response retainers see NightSpire engagements every quarter.
How does NightSpire get inside an SMB network?
Per Picus Security's CVE-2024-55591 analysis and SOCRadar, NightSpire's primary initial access is exploitation of FortiOS / FortiProxy CVE-2024-55591, an authentication bypass that grants unauthenticated attackers super-admin privileges on the firewall itself. The secondary access vectors are RDP brute-force on internet-exposed Windows hosts and phishing.
| Technique | What NightSpire Exploits | NC SMB Realistic Exposure |
|---|---|---|
| FortiOS / FortiProxy CVE-2024-55591 | Auth bypass in management interface; super-admin from internet | Unpatched FortiGate at perimeter |
| RDP brute-force | Default ports, weak passwords, no MFA | Office or plant-floor remote-access RDP |
| Phishing + AiTM | Stolen credentials and MFA token capture | M365 / Google Workspace mailboxes |
| Living-off-the-land lateral movement | PowerShell, PsExec, WMI inside the domain | Flat AD with admin sprawl |
Per Picus, Fortinet disclosed CVE-2024-55591 on January 14, 2025, but exploitation traced back to November 2024. Hundreds of thousands of internet-facing devices were vulnerable at disclosure time. The bug is reached through the appliance's HTTP/HTTPS administrative interface, so the exposed population is FortiGate appliances on FortiOS 7.0.0 through 7.0.16, or FortiProxy 7.0.0 through 7.0.19 / 7.2.0 through 7.2.12, with that interface reachable from the WAN. NC SMBs in that position without a firmware update are the same population NightSpire scans.
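One way to turn those version ranges into a fleet check, as an added example that is not PDC, Fortinet, or Picus code: the script below parses the first line of `get system status` from each appliance and classifies the running build against the affected ranges quoted above. The device names, build numbers, and dates in the sample are constructed for the demo, and the rule that a model name starting with FortiProxy runs FortiProxy while everything else runs FortiOS is the example's own assumption.

```python
"""Classify FortiOS / FortiProxy builds against the CVE-2024-55591 affected
ranges quoted above. Added example; not Fortinet, Picus or PDC code."""
import re
from typing import Optional

# (product, major.minor) -> (first affected patch level, first fixed patch level)
# Affected: FortiOS 7.0.0-7.0.16; FortiProxy 7.0.0-7.0.19 and 7.2.0-7.2.12.
AFFECTED = {
    ("FortiOS", (7, 0)): (0, 17),
    ("FortiProxy", (7, 0)): (0, 20),
    ("FortiProxy", (7, 2)): (0, 13),
}

# First line of `get system status`, e.g.
#   Version: FortiGate-100F v7.0.15,build0000,000000 (GA.M)
VERSION_RE = re.compile(
    r"Version:\s+(?P<model>\S+)\s+v(?P<maj>\d+)\.(?P<min>\d+)\.(?P<patch>\d+)"
)

def parse_version(status_line: str) -> Optional[tuple[str, tuple[int, int, int]]]:
    """Return (product, (major, minor, patch)) or None if the line is not a status line.
    Assumption of this example: a model name starting with FortiProxy runs FortiProxy;
    everything else (FortiGate, FortiWiFi, ...) runs FortiOS."""
    m = VERSION_RE.search(status_line)
    if not m:
        return None
    product = "FortiProxy" if m.group("model").lower().startswith("fortiproxy") else "FortiOS"
    return product, (int(m.group("maj")), int(m.group("min")), int(m.group("patch")))

def cve_2024_55591_status(product: str, version: tuple[int, int, int]) -> str:
    """'VULNERABLE', 'fixed', or 'branch-not-affected' (for this CVE only; other
    branches have their own advisories and still need to be on a supported build)."""
    major, minor, patch = version
    rng = AFFECTED.get((product, (major, minor)))
    if rng is None:
        return "branch-not-affected"
    first_affected, first_fixed = rng
    return "VULNERABLE" if first_affected <= patch < first_fixed else "fixed"

def check_fleet(status_lines: dict[str, str]) -> dict[str, str]:
    """Map device name -> verdict; anything that does not parse is flagged, not skipped."""
    verdicts = {}
    for name, line in status_lines.items():
        parsed = parse_version(line)
        verdicts[name] = "unparsed" if parsed is None else cve_2024_55591_status(*parsed)
    return verdicts

# Constructed sample output (device names, builds and dates are made up)
SAMPLE_STATUS = {
    "hq-fw":     "Version: FortiGate-100F v7.0.15,build0000,000000 (GA.M)",
    "plant-fw":  "Version: FortiGate-60F v7.0.17,build0000,000000 (GA.M)",
    "branch-fw": "Version: FortiGate-40F v7.2.10,build0000,000000 (GA.M)",
    "web-proxy": "Version: FortiProxy-400E v7.2.12,build0000,000000 (GA)",
    "dr-fw":     "Version: FortiGate-200F v7.4.7,build0000,000000 (GA.M)",
    "unknown":   "Connection refused",
}

if __name__ == "__main__":
    for device, verdict in check_fleet(SAMPLE_STATUS).items():
        print(f"{device:10s} {verdict}")
```

Two traps the check handles explicitly: 7.0.16 is affected while 7.0.17 is not, and the 7.2 branch is affected only on FortiProxy, so a FortiGate on 7.2.x comes back as `branch-not-affected` for this CVE rather than `fixed`. A device whose console output does not parse is reported as `unparsed` so it gets looked at instead of silently dropping off the list.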
What does a NightSpire incident look like for an NC manufacturer?
It looks like a four-stage compression of a textbook ransomware attack. Per Provendata's NightSpire technical breakdown and SOCRadar, the stages are:
- Initial access via FortiOS auth bypass. The crew gains super-admin on the FortiGate, pivots through the firewall to an internal Windows host, and lands a foothold. In an NC plant-floor environment, this is often a flat network where the firewall is also the bridge to OT segments.
- Lateral movement via living-off-the-land tools. PowerShell, PsExec, and WMI are used to map AD, dump credentials, and reach the file servers, ERP database, and backup server. Leaning on built-in Windows tooling for this stage keeps the activity below signature-based detection; without command-line auditing and PowerShell logging, the first alert is often the encryption itself.
- Data exfiltration before encryption. Per Barracuda, NightSpire pulls hundreds of GB of corporate data to attacker-controlled storage before the ransomware payload runs. For an NC manufacturer, that means CAD files, customer pricing, ERP records, HR PII, and (for defense contractors) potentially CUI.
- Encryption + leak site post. The crew encrypts production workloads, deletes accessible backups, and posts the victim to the NightSpire leak site to apply public-pressure extortion. The ransom demand ranges from $150,000 for a smaller SMB to $2 million for a larger plant-floor environment.
Quotable definition: A NightSpire attack on an NC SMB is a 7-to-30-day operation that ends with two extortion levers: encrypted production and a public-leak countdown. The crew's economic model only works because most SMB victims lack one or more of: patched edge, immutable backup, EDR with PowerShell logging, and a tested incident response retainer.
What should an NC SMB do this week to prevent a NightSpire incident?
Close NightSpire's three favorite doors with a four-step plan inside the next 14 days.
- Patch FortiOS / FortiProxy to the CVE-2024-55591 fixed builds (today). Per Picus and Fortinet's advisory, the fixed builds are FortiOS 7.0.17 or later on the 7.0.x line (FortiOS 7.2, 7.4, and 7.6 are not affected by this CVE but should still be on a supported build) and FortiProxy 7.0.20 / 7.2.13 or later. Confirm the running build from the console with `get system status` rather than trusting a change ticket. NC SMBs that cannot validate firmware in-house should request a managed-firewall posture review.
- Lock down RDP and management-plane exposure (this week). Pull RDP off the internet, put it behind a VPN with MFA or a Zero Trust gateway, and enforce account-lockout policies. Disable management-plane access on the WAN-side of every edge appliance.
- Deploy EDR with PowerShell / PsExec / WMI detection (this month). Microsoft Defender for Business, CrowdStrike Falcon Go, or SentinelOne Singularity Control catch the living-off-the-land patterns NightSpire uses for lateral movement, but only if the telemetry exists: enable process creation auditing with command-line capture (Event ID 4688) and PowerShell script block logging (Event ID 4104) on every server and workstation. Pair the EDR with a managed SOC that responds 24/7.
- Verify immutable backups + incident-response retainer (this month). Veeam Hardened Repository, object-lock S3, or offline tape are the tiers NightSpire cannot delete from inside the network, provided the backup server and repository are not reachable with the same domain-admin credentials the crew dumps during lateral movement. Pair the immutable tier with an IR retainer so the first 48 hours of an incident are not spent shopping for a responder.
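The lateral-movement stage described earlier and the EDR step in this plan come down to three event patterns. As an added example that is not PDC code and not any EDR vendor's rule set, the script below runs rule-based checks for them over constructed Windows event records: an RDP brute-force burst (Security 4625 failures from one source), a PsExec service install (System 7045 with PsExec's default PSEXESVC name), and encoded or hidden PowerShell plus shells spawned by WmiPrvSE.exe (Security 4688). Field names follow the Windows event XML, but every record, IP address, and timestamp is made up for the demo, and the threshold and window are tuning assumptions.

```python
"""Rule-based detections for the NightSpire behaviours named on this page:
RDP brute force, PsExec service installs, and living-off-the-land PowerShell
/ WMI. Added example; the event records below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Tuning assumptions for this example, not a vendor default
RDP_LOGON_TYPES = {"3", "10"}          # NLA pre-auth failures log as type 3, classic RDP as 10
BRUTE_THRESHOLD = 5                    # failures from one source IP ...
BRUTE_WINDOW = timedelta(minutes=2)    # ... within this window

# Encoded commands, download cradles and hidden windows on a PowerShell command line
PS_SUSPICIOUS = re.compile(
    r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"   # -e / -enc / -EncodedCommand <base64>
    r"|\biex\b|downloadstring"                          # classic download cradle
    r"|-w(?:indowstyle)?\s+hidden",                     # hide the window from the operator
    re.IGNORECASE,
)

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def detect_rdp_bruteforce(events):
    """{source_ip: peak_failures_in_window} for sources at or over BRUTE_THRESHOLD."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625 and ev.get("LogonType") in RDP_LOGON_TYPES:
            failures[ev["IpAddress"]].append(_ts(ev))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over sorted times
            j = i
            while j < len(times) and times[j] - start <= BRUTE_WINDOW:
                j += 1
            if j - i >= BRUTE_THRESHOLD:
                hits[ip] = max(hits.get(ip, 0), j - i)
    return hits

def detect_psexec(events):
    """7045 service installs whose name or binary is PsExec's default PSEXESVC."""
    return [ev for ev in events
            if ev["id"] == 7045
            and "psexesvc" in (ev.get("ServiceName", "") + ev.get("ImagePath", "")).lower()]

def detect_lolbin_powershell(events):
    """4688 process creations: suspicious PowerShell, or a shell spawned by WmiPrvSE."""
    hits = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        image = ev.get("NewProcessName", "").lower()
        parent = ev.get("ParentProcessName", "").lower()
        if image.endswith("powershell.exe") and PS_SUSPICIOUS.search(ev.get("CommandLine", "")):
            hits.append(("encoded_or_hidden_powershell", ev))
        if parent.endswith("wmiprvse.exe") and image.endswith(("cmd.exe", "powershell.exe")):
            hits.append(("wmi_spawned_shell", ev))
    return hits

def _fail(ts, ip):   # builds one constructed 4625 record
    return {"ts": ts, "id": 4625, "LogonType": "3", "IpAddress": ip, "TargetUserName": "administrator"}

# Constructed sample events (documentation IP ranges, made-up timestamps)
SAMPLE_EVENTS = [
    *[_fail(f"2026-03-02T08:00:{s:02d}", "203.0.113.7") for s in (0, 10, 20, 30, 40, 50)],
    _fail("2026-03-02T08:05:00", "198.51.100.9"),
    _fail("2026-03-02T09:40:00", "198.51.100.9"),       # two failures, no burst
    {"ts": "2026-03-02T08:01:00", "id": 4624, "LogonType": "10", "IpAddress": "203.0.113.7"},
    {"ts": "2026-03-02T08:30:00", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2026-03-02T08:31:00", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2026-03-02T08:32:00", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ts": "2026-03-02T08:33:00", "id": 4688,                # benign admin usage
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Service"},
]

if __name__ == "__main__":
    print("rdp brute force:", detect_rdp_bruteforce(SAMPLE_EVENTS))
    print("psexec installs:", len(detect_psexec(SAMPLE_EVENTS)))
    for kind, ev in detect_lolbin_powershell(SAMPLE_EVENTS):
        print(kind, "->", ev["CommandLine"])
```

Two points worth noting when porting these to a SIEM or EDR query. The brute-force rule counts logon type 3 as well as 10, because RDP with Network Level Authentication enabled logs failed pre-authentication as a network logon, so a rule keyed only on type 10 misses most modern brute force. The 4688 rules only fire if command-line capture is on; without it the CommandLine field is empty and the encoded-command pattern has nothing to match.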
Key takeaway: NightSpire's economic model collapses against a small-business posture of "patched edge + RDP behind MFA + EDR with PowerShell logging + immutable backup + IR retainer." Every NC SMB without all five controls is currently a target of opportunity.
How does Preferred Data Corporation help NC manufacturers defend against NightSpire?
PDC runs managed cybersecurity for NC SMBs with edge hardening, EDR/MDR, immutable backup, and 24/7 SOC coverage. We bring three things to the NightSpire threat profile:
- Managed cybersecurity services: FortiOS / FortiProxy patch management, edge firmware updates on CISA KEV remediation deadlines, EDR with PowerShell and PsExec detection, identity hardening, and managed Microsoft Defender for Business deployment for NC SMBs.
- Managed IT services: RDP eradication, MFA roll-out, AD tier-zero hardening, immutable backup design (Veeam Hardened Repository, object-lock S3), and incident response retainer with 1-hour engagement SLA.
- Network and infrastructure: Edge firewall replacement and migration for unpatched FortiGate fleets, OT / IT segmentation for NC manufacturers in the Piedmont Triad, and Zero Trust remote access for plant-floor and field-services workforces.
For NC manufacturers in High Point and the Piedmont Triad, NC distributors in Greensboro and Winston-Salem, NC construction firms in Charlotte and Raleigh, and NC defense contractors handling CUI, NightSpire is not a hypothetical. It posted 74 victims to its leak site in Q1 2026 alone.
Need help closing NightSpire's three favorite doors this week? Call (336) 886-3282 or book a ransomware posture review.
Frequently Asked Questions
What is NightSpire ransomware?
NightSpire is a financially-motivated double-extortion ransomware group first observed in February 2025 and tracked as a likely rebrand of Rbfs ransomware. Per Barracuda and SOCRadar, the group claimed 259 named victims across 33 countries by May 1, 2026, primarily targeting SMBs in manufacturing, technology, and construction.
How does NightSpire get into a small business network?
Per Picus Security's analysis, NightSpire's primary initial access is exploitation of Fortinet CVE-2024-55591, a FortiOS / FortiProxy authentication bypass that grants unauthenticated super-admin access. Secondary vectors are RDP brute-force on internet-exposed Windows hosts and phishing. Once inside, the crew uses PowerShell, PsExec, and WMI for lateral movement.
How much does NightSpire demand from SMB victims?
Per DeXpose's NightSpire incident analysis and SOCRadar, NightSpire demands ransoms from $150,000 to $2 million depending on victim size. The ranges are calibrated to what an SMB realistically pays, which is why the group continues to scale - victims at this price point are common enough to sustain the operation.
How does an NC manufacturer patch Fortinet CVE-2024-55591?
Upgrade FortiOS 7.0.x to 7.0.17 or later; FortiOS 7.2, 7.4, and 7.6 are not affected by this CVE, but any appliance on an end-of-support build should move to a supported branch regardless. Per Picus, the same disclosure also affects FortiProxy on the 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 branches, fixed in 7.0.20 and 7.2.13 respectively. Restrict management-plane access to a defined admin source IP or VPN-only path as a defense-in-depth control, and disable HTTP/HTTPS administration on the WAN interface entirely if nothing depends on it.
What industries does NightSpire target most?
Per Barracuda, manufacturing, technology, and construction appear most frequently among NightSpire victims. This profile directly overlaps NC's Piedmont Triad industrial base, with High Point furniture and textile manufacturers, Greensboro logistics and distribution, Charlotte construction GCs, and Winston-Salem industrial firms all matching the targeting criteria.
Is NightSpire a CMMC-relevant threat for NC defense manufacturers?
Yes. A NightSpire double-extortion attack on a CUI-handling NC defense manufacturer would be a reportable cyber incident under DFARS 252.204-7012 (rapid report to DoD within 72 hours of discovery) and would directly exercise CMMC Level 2 incident-response, access-control, and patch-management controls. NC defense contractors should treat FortiOS patching, RDP eradication, and EDR deployment as CMMC SSP evidence, not optional hardening.
Related Resources
- Managed Cybersecurity Services for NC Businesses - Edge hardening, EDR, and managed SOC
- Managed IT Services for NC Businesses - RDP eradication, MFA, and incident response retainer
- Network and Infrastructure Services - FortiGate upgrades and OT / IT segmentation
- Veeam CVE-2026-44963 NC SMB Backup RCE Defense - Companion backup-tier hardening
- 73% of SMBs Fail Cyber Insurance Audits - Insurance and ransomware evidence
- Contact Preferred Data Corporation - Ransomware posture review for NC manufacturers