PULSE NAME
Leveling Up with NightSpire Ransomware
WHITE NightSpire AlienVault 2026-04-08 Modified: 2026-04-08
NightSpire ransomware, first discovered in February 2025, is difficult to categorize: it is unclear whether it operates as Ransomware-as-a-Service (RaaS). Analysis of two incidents from December 2025 and March 2026 reveals significant variations in tactics, techniques, and procedures (TTPs) between attacks. The March 2026 incident involved threat actors installing Chrome Remote Desktop and AnyDesk for persistence, using Everything and 7-Zip for data staging, MEGAsync for exfiltration, and deploying VMware Workstation and WPS Office. The attacker accessed systems via RDP days before detection. Comparison with the December 2025 incident shows evolution in the ransomware encryptor, including modified ransom note filenames and contents. These variations in TTPs and indicators suggest either operational evolution or involvement of multiple affiliates, demonstrating that ransomware indicators aren't consistent across campaigns.
Indicators of Compromise (2)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-SHA256 ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7 2026-04-08
FileHash-SHA256 bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355 2026-04-08