Skip to main content
Emerging ThreatsMalware & Ransomware

Spirals Ransomware Encrypts Network in Record Time

Rows of computer servers and networking equipment in a brightly-lit corporate server room.

Less than 24 hours elapsed from initial compromise to full network encryption in a June intrusion researchers attribute to a new ransomware actor called Spirals, a pace that compressed reconnaissance, credential theft, lateral movement and an encryption campaign into a single working day.

Initial entry: exposed IIS server and an uploaded ASP.NET web shell

Symantec's Threat Hunter Team says the attack began after the adversary compromised an Internet Information Services (IIS) server that was exposed to the public web and uploaded an ASP.NET web shell. From that foothold the operator moved quickly, taking immediate steps to raise privileges and establish access that would allow broad control over the environment.

Privilege escalation and credential harvesting

After obtaining initial access, the attacker bypassed User Account Control (UAC), enabled Remote Desktop, and created a local account to maintain persistence. Symantec reports the operator also dumped the SAM registry hive and the LSASS process memory in an attempt to extract credentials—classic post-exploitation steps executed at speed to support subsequent lateral movement.

Lateral movement, redundant channels, and execution as SYSTEM

Symantec investigators observed the threat actor use Windows Management Instrumentation (WMI) to move laterally to more than a dozen systems and attempt to remove security software on compromised hosts. The operator established multiple, redundant remote access channels, including revsocks, Chisel, and Cloudflare tunnels, and then deployed the ransomware payload across the network using PsExec running as SYSTEM. “The operator began deploying the ransomware payload across the victim’s network using PsExec running as SYSTEM,” the researchers explain.

Payload tactics: disabling defenses, stopping backup and database services, and fast encryption

Symantec reports a PowerShell payload that disabled Microsoft Defender, removed its threat definitions, and stopped services associated with 23 backup, database, and virtualization products—including Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL—in advance of encryption. The Spirals payload was named bitsadmin.exe, “likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service,” and was deployed less than 24 hours after the initial compromise.

Technically, Spirals is a Rust-based ransomware family that uses AES-128 keys protected by an attacker-controlled ECDH P-256 public key. To accelerate throughput the malware uses intermittent encryption for files larger than 5 MB. A ransom note named RECOVERY_SECTION.log is dropped on the C:\ drive with instructions to negotiate payment and a threat to publicly expose stolen data within six days unless paid.

Scope of observed activity and defensive indicators

Symantec observed Spirals in a single documented case involving an IT services firm in South Asia. The researchers caution that, because they have seen the family only once so far, it is unclear whether Spirals represents a new tool intended for broad cybercrime deployment or a bespoke payload written for this specific attack. To assist defenders, Symantec published network indicators and file hashes associated with the incident.

What this means for technologists, affected enterprises, and incident responders

  • Technologists and security teams: Expect attempts to disable endpoint protection and remove definitions, and look for rapid privilege escalation artifacts such as UAC bypasses, SAM and LSASS dumps, and use of PsExec and WMI for lateral movement.
  • Affected enterprises and procurement leaders: Services tied to backups, databases, and virtualization—Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL—were explicitly targeted; maintaining isolated backups and validated recovery procedures is essential given the attacker’s effort to stop those services.
  • Incident responders: Multiple redundant access channels (revsocks, Chisel, Cloudflare tunnels) and the use of a benign-seeming binary name (bitsadmin.exe) suggest both network telemetry and endpoint forensics are needed to detect artifacts that precede encryption within a compressed timeframe.

The speed and construction of this case leave a pointed question: can organizations detect and interdict an intrusion that progresses from web shell to system-wide encryption in under a day? Symantec’s publication of indicators and hashes gives defenders tangible artifacts to hunt for—yet the single observed case also leaves open whether Spirals will reappear as a widely distributed ransomware family or remain a one-off custom tool.

Original reporting: https://www.bleepingcomputer.com/news/security/new-spirals-ransomware-encrypts-victim-network-in-under-24-hours/