Secure Bulletin Navigating the cyber sea with knowledge
Home > Articolo > Spirals Ransomware: From First Foothold to Full Encryption in Under 24 Hours
Spirals Ransomware: From First Foothold to Full Encryption in Under 24 Hours
Read Time:3 Minute, 24 Second

A previously unseen ransomware strain named “Spirals” struck an IT services company in South Asia in June 2026, and according to Symantec’s Threat Hunter Team, the attackers went from initial compromise to full network encryption in under 24 hours. The Rust-based payload appears to be either brand new or purpose-built specifically for this single attack, and the group behind it remains unidentified.

A Fast-Moving Intrusion

The attack began at 22:21 local time on June 16, when the intruders compromised an internet-facing IIS web server and uploaded an ASP.NET web shell. Within minutes, they had deployed three separate tunneling tools — including Chisel, disguised as chrome.exe, alongside a Cloudflare tunnel client — to establish redundant, covert communication channels back to their infrastructure. A token impersonation tool followed almost immediately, likely enabling the privilege escalation that came next.

During a focused, roughly three-hour hands-on-keyboard session, the operator spawned command shells through the IIS worker process, bypassed User Account Control, enabled Remote Desktop Protocol, created a persistent local account, and dumped the SAM hive. By 23:07 the attackers were already working to disable security tooling on the compromised host.

From One Server to a Dozen in Minutes

At 23:33, the attackers pivoted to WMI-based lateral movement, and using compromised domain administrator credentials, hit more than a dozen machines within minutes. That pace strongly suggests automated, pre-planned targeting rather than manual, exploratory hacking.

The following day, June 17, the group shifted to PsExec as its primary deployment mechanism. Starting around 14:12, a single compromised host pushed an identical base64-encoded PowerShell payload out to network targets every few seconds for roughly 30 minutes straight. That payload immediately disabled Windows Defender’s real-time protection and forcibly stopped more than 20 critical backup, database, and virtualization services — including Veeam, VMware, SQL Server, and Exchange — clearing open file handles ahead of the encryption run.

Encryption Disguised as a System Utility

The ransomware binary itself was named bitsadmin.exe, mimicking a legitimate Windows utility, and was staged in multiple network locations — including the SYSVOL domain scripts directory — ensuring it would propagate automatically even to machines the PsExec script hadn’t directly targeted.

Spirals is described as a full-featured, Rust-based encryptor with built-in defense evasion, automated lateral movement, process termination, and privilege escalation capabilities. Its cryptographic design uses per-file AES-128 keys to lock file contents, wrapped by an attacker-controlled ECDH P-256 public key, with an intermittent-encryption trick that only touches jittered chunks of files larger than 5MB to speed up the locking process.

The Ransom Note

Once encryption completed, the ransomware dropped a note at C:\RECOVERY_SECTION.log across affected systems, threatening to publicly leak stolen corporate data within six days if the victim didn’t pay. The note directed the victim to a Tor-based negotiation portal that explicitly identifies the threat family as “Spirals.”

A Single Victim, But a Clear Warning Sign

Spirals has only been tied to one confirmed victim so far, but the operational discipline on display — layered tunneling infrastructure, credential harvesting via LSASS memory dumps using rundll32.exe and comsvcs.dll, and domain-wide propagation through SYSVOL — points to a highly capable actor that could scale this playbook quickly. Symantec’s indicators of compromise include a staging server at 185.141.216.194 along with two additional domains used to host malicious payloads.

Recommended Defenses

Organizations running internet-facing IIS servers should treat this as a priority. Recommended steps include the following:

  • Web shell detection: Monitor internet-facing web servers for unauthenticated ASP.NET file modifications or unexpected process creation originating from IIS worker processes.
  • Behavioral auditing: Alert on anomalous WMI and PsExec activity, particularly rapid, sequential connection attempts spreading across internal network segments.
  • Credential protection: Harden endpoints against LSASS memory dumping and tightly restrict where domain administrator credentials can be used, especially on non-domain-controller systems.

Given how quickly Spirals moved from a single web shell to a fully encrypted network, organizations should assume that detection windows for similarly automated ransomware campaigns are now measured in minutes, not days.

Share: Twitter  |  Facebook  |  LinkedIn
Join the discussion

This is a blog in the Fediverse: you can find this article everywhere with @blog@securebulletin.com and every comment/answer will appear here.

If you want to comment on Spirals Ransomware: From First Foothold to Full Encryption in Under 24 Hours, use the discussion on Forum.

>> forum community

Comments

Leave a Reply