Ransomware victim disclosure

KFZ Sauter GmbH Co. KG

Claimed by NIGHT SPIRE · listed 18 hours ago

600 GB

Data size

Today

Age

since listed · listed for ransom

Status timeline

Listed
Jun 6, 2026

Current state: Listed for ransom

At a glance

Group: NIGHT SPIRE
Status: Listed for ransom
Country: Germany
Sector: Automotive
Listed on leak site: Jun 6, 2026
Data size: 600 GB

About the victim

AI dossier — public-source company profile

KFZ Sauter GmbH & Co. KG is a German automotive service company based in Bubesheim offering used vehicle sales, repair services for all car makes, used parts retail, and vehicle recycling compliant with environmental regulations.

Industry: Automotive Repair & Recycling
Address: Industriestraße 15–17, 89347 Bubesheim, Germany

Attack summary

Severity: medium — Claimed exfiltration of 600 GB including financial, HR, and banking data represents moderate-to-significant exposure. However, most proof files are marked unavailable, preventing verification of actual data compromise scope or sensitivity.

NIGHT SPIRE claims to have exfiltrated approximately 600 GB of data from KFZ Sauter. The leak post lists financial documents, HR data, banking records, employee information, and business contracts, but most proof links are marked 'Data is not available now.'

medium

Data the group says was taken

AI dossier — extracted from the leak post

Financial & Banking Records
HR & Employee Personal Data
Accounting & Tax Records
Contracts & Invoices
QuickBooks Files
Business Strategy Documents
MSSQL Database
Scanned Tax Returns
Email & SMS Data
Customer/Supplier Information

The leak post

captured from the group's site

- Financial Documents- HR Data- Supervisor's Information
Data is not available now.
Data is not available now.
Data is not available now.
[la familia adualt day center](http://www.lafamiliaadultdaycenter.com)
Data is not available now.
Data is not available now.
- QuickBooks Files- Scanned tax returns- Proposal, Contrats- QuickBooks automated backups
- Banking & Financial Records- Personal data- Critical POS Data
- Banking & Financial Data- Accounting & Tax Records
- Financial & Accounting Records- Human Resources- Sales & Marketing
- Sales Related Documents- Human Resources- Sensitive Employee Records- Email and SMS Data
Data is not available now.
- Technical Documents- Financial Sheets- Contracts & Invoices- Business strategy files
- MSSQL-DB- HR Documents- Contracts
Data is not available now.
[Progressive Oral Surgery & Implantology](http://nspirep7orjq73k2x2fwh2mxgh74vm2now6cdbnnxjk2f5wn34bmdxad.onion/progressiveoralsurgery.com)
- Patients Information Records- Financial Records
[The Country Club of Darien](http://nspirep7orjq73k2x2fwh2mxgh74vm2now6cdbnnxjk2f5wn34bmdxad.onion/CCDarien.org)
- Sales / agent / commercial operations- Industrial / manufacturing / tooling business dat…

Data the group says was taken

Banking Finance
Accounting Buchhaltung
Contracts Legal
GDPR Personal Data
Documents Images

Screenshot of the leak post

Leak screenshot for KFZ Sauter GmbH Co. KG

Sources

Victim sitehttps://kfz-sauter.com/
Leak posthttp://nspirep7orjq73k2x2fwh2mxgh74vm2now6cdbnnxjk2f5wn34bmdxad.onion/database

Source

Indexed 18 hours ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About NIGHT SPIRE

NIGHT SPIRE is a ransomware group first observed in June 2026 with an apparent primary motivation of financial gain, having claimed at least 14 known victims across multiple continents within a relatively short operational window. Given the group's recent emergence and limited public documentation by major threat intelligence organizations such as CISA, FBI, or Mandiant at this time, a comprehensive technical profile cannot be fully established from open sources. Their targeting pattern, based on available victim data, reflects a geographically diverse focus spanning the United States, Singapore, Brazil, Panama, and Spain, suggesting either an opportunistic targeting approach or a deliberate strategy to operate across jurisdictions that complicate law enforcement coordination. The sectors most frequently impacted include Healthcare, Recruitment and Staffing, Hospitality and Recreation, Commerce and Trade, and Automotive, indicating the group likely targets organizations perceived as having lower cybersecurity maturity or higher operational pressure to restore services quickly, both of which increase ransom payment likelihood. No confirmed affiliations to known ransomware-as-a-service ecosystems, nation-state actors, or predecessor groups have been publicly documented as of this writing. NIGHT SPIRE's operational status as of mid-2026 reflects an active and emerging threat actor, and the breadth of their targeting across critical and commercially sensitive sectors warrants continued monitoring by defenders, particularly those operating in the identified high-risk verticals and geographies. The group has been linked to 14 public disclosures across our corpus. First observed on a leak site on June 6, 2026. The operation is currently active.

Also tracked as: nightspire.

Timeline of this disclosure

June 6, 2026KFZ Sauter GmbH Co. KG listed by NIGHT SPIREon the group's public leak site

Data size: 600 GB

KFZ Sauter GmbH Co. KG

Status timeline

At a glance

About the victim

Attack summary

Data the group says was taken

The leak post

Data the group says was taken

Screenshot of the leak post

Sources

Source

Is this your supplier? Your competitor? You?

Disclosure context

About NIGHT SPIRE

Timeline of this disclosure

Other recent disclosures by NIGHT SPIRE

Sector and geography