VYPR
breachPublished Jul 16, 2026· 1 source

New Spirals Ransomware Achieves Full Network Compromise in Under 24 Hours

A nascent ransomware operation dubbed Spirals has demonstrated alarming speed, completing network intrusion, data exfiltration, and file encryption within a single day, posing a significant challenge to incident response.

A new ransomware threat actor, identified as Spirals, has emerged with a highly efficient attack methodology, capable of compromising an entire corporate network, exfiltrating data, and deploying its encryption payload in less than 24 hours. The operation was observed in June targeting an IT services firm in South Asia, with the initial access vector being a compromised Internet Information Services (IIS) server exposed to the public internet.

Following the initial breach, the Spirals operator quickly established a foothold by uploading an ASP.NET web shell. The attacker then proceeded to bypass User Account Control (UAC) mechanisms, enable Remote Desktop Protocol (RDP) for easier access, and create a local user account to ensure persistent access to the compromised environment. To further facilitate credential theft, the attacker dumped the SAM registry hive and memory from the LSASS process.

Symantec's Threat Hunter Team reported that the threat actor actively attempted to disable or remove security software present on the hosts. Lateral movement across the victim's network was achieved using Windows Management Instrumentation (WMI), reaching over a dozen additional systems. To maintain redundant access channels, the attacker deployed tools such as revsocks, Chisel, and Cloudflare tunnels, making it difficult to sever their connection.

In preparation for the encryption phase, a PowerShell payload was used to disable Microsoft Defender, remove its threat definitions, and halt services associated with critical backup, database, and virtualization products. This included prominent software like Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL, ensuring that data recovery would be significantly hampered.

The deployment of the Spirals ransomware payload, disguised as 'bitsadmin.exe' to mimic a legitimate Windows utility, commenced less than 24 hours after the initial compromise. The researchers noted that the attacker utilized PsExec, running with SYSTEM privileges, to distribute the ransomware across the network, encrypting files on all impacted machines.

Spirals is characterized as a Rust-based ransomware family. It employs AES-128 encryption for files, with the keys protected by an Elliptic Curve Diffie-Hellman (ECDH) public key controlled by the attacker. To expedite the encryption process, the ransomware utilizes intermittent encryption for files larger than 5MB, meaning it only encrypts portions of larger files.

Upon completion of the encryption, a ransom note named RECOVERY_SECTION.log is dropped onto the C:\ drive of each compromised system. This note provides instructions for victims on how to negotiate with the attackers. The Spirals actors threaten to publicly release the exfiltrated data within six days if the ransom demand is not met.

While Symantec has observed Spirals in only one documented case so far, it remains unclear whether this represents a widespread campaign or a custom-built payload for this specific incident. The inclusion of an extortion portal suggests potential for broader deployment. Symantec has shared network indicators and file hashes associated with the attack to aid organizations in defending against this rapidly evolving threat.

Synthesized by Vypr AI