Three ransomware gangs behind surge that hit U.S. firms and professional services
A Purple Ops roundup found NightSpire, Vect and PEAR responsible for over half of newly disclosed ransomware claims on Feb. 28, concentrating dozens of incidents on U.S. and professional services targets.

Three ransomware groups — NightSpire, Vect and PEAR — produced a concentrated spike in disclosed attacks on Feb. 28 that accounted for more than half of newly reported victims, according to a Purple Ops daily threat intelligence roundup. The report cataloged dozens of new claims that day, with professional services firms and U.S.-based organizations among the hardest hit.
Purple Ops, which compiles newly disclosed ransomware incidents, flagged the unusual concentration as notable both for its speed and its sectoral focus. Rather than a scattershot set of opportunistic intrusions, the activity suggested coordinated or parallel campaigns that amplified disruption by repeatedly targeting firms that provide legal, financial and consulting services. Those providers often hold client data across sectors, multiplying the downstream risk from a single successful breach.
Ransomware operators have long relied on a mixture of data encryption and doxxing to pressure victims; the Feb. 28 spike intensified the pressure on incident response and insurance markets already strained by frequent intrusions. For professional services firms, consequences can include halted client work, regulatory disclosure requirements, loss of privileged communications and damage to client trust. For many U.S. organizations, exposure carries potential state and federal reporting obligations that can trigger investigations and fines.
Security analysts tracking the surge cautioned that a consolidated set of active groups can be more disruptive than the same number of lone actors. When a small number of prolific operators dominate public disclosures, defenders face repeated encounters with similar tool sets, negotiation practices and leak sites, increasing the likelihood of successful extortion and of knock-on effects across supply chains. The Purple Ops roundup underscored how quickly such patterns can emerge and affect a wide geography and industry cluster in a single day.
The spike also has immediate market effects. Incident response firms and cyber insurers often operate on limited capacity, and a sudden influx of high-priority cases can lengthen response times and raise costs for affected companies. Longer lead times for remediation increase the window for data exfiltration, complicating efforts to contain secondary damage such as identity theft or targeted follow-on attacks.
Beyond near-term operational strain, concentrated campaigns raise questions for policy and public-private coordination. Regulators are increasingly focused on systemic risk in cyber insurance and on whether disclosure and liability rules sufficiently nudge firms toward resilient designs, such as zero-trust architectures and immutable backups. The February 28 pattern illustrates another challenge: attackers who focus on intermediaries can weaponize trust relationships, reaching sectors that are otherwise well defended.
For corporate cybersecurity leaders, the Purple Ops findings are a reminder to treat vendor and client-facing systems as high-value attack surfaces. Strengthening network segmentation, accelerating multifactor authentication rollouts, and rehearsing breach response playbooks remain practical steps to reduce business interruptions. For the wider public, the day’s concentrated activity is a reminder that ransomware is not solely a technology problem but a business continuity and governance risk that can ripple through courts, accounting records and everyday services.

