Nightspire Ransomware Hits Indian Paper Manufacturer Balkrishna

The Nightspire ransomware group has claimed responsibility for a cyberattack against Balkrishna Paper Mills LTD (bpml.in), a leading paper manufacturing company in India. On November 25, 2025, the group published an extortion notice stating that it would leak sensitive data unless company representatives engaged in negotiations, mapping to MITRE ATT&CK T1486 (Data Encrypted for Impact) and T1659 (Data Exfiltration for Impact). Public leak site postings suggest that at least part of the victim’s internal data has been accessed and is being used for leverage. While technical intrusion details remain limited, Nightspire follows the now-standard double-extortion model: compromise, data theft, encryption, then public shaming if payment is not made. Manufacturing organizations like Balkrishna Paper Mills are particularly vulnerable to operational disruption, as production lines, logistics systems, and supplier integrations often depend on legacy OT and IT environments with uneven security maturity. Without confirmed details, it is reasonable to assume attackers targeted exposed services, stolen credentials, or vulnerable remote access pathways as initial access points — patterns consistent with broader ransomware trends. From a business perspective, Balkrishna faces potential downtime, supply chain disruption, and reputational damage in both domestic and export markets. If sensitive data such as contracts, financials, or HR records is leaked, there may also be legal and regulatory consequences under Indian privacy and data protection frameworks, as well as contractual penalties with customers. For peers in the pulp and paper sector, Nightspire’s choice of target reinforces that mid-sized industrial firms with limited security budgets are squarely in scope for modern ransomware operations. Recommended actions for similar organizations include immediate review of external exposure (VPNs, RDP, remote maintenance portals), hardening of backups with offline and immutable copies, and improved monitoring for lateral movement from compromised user accounts. Ransom negotiations should be handled alongside legal counsel and experienced incident responders, with a clear policy on ransom payment aligned to regulatory and ethical considerations. Longer term, manufacturing firms should classify OT and ERP systems as critical assets, implement network segmentation, and integrate threat intelligence feeds for early warning of sector-specific targeting.