New 'Spirals' Ransomware Strikes with Lightning Speed, Encrypting Networks in Under 24 Hours
A new and highly aggressive ransomware variant, dubbed **Spirals**, has emerged, demonstrating the ability to compromise corporate networks, exfiltrate data, and encrypt systems in less than 24 hours. This rapid execution highlights a significant threat, particularly for IT services firms and organizations with publicly exposed Internet Information Services (IIS) servers.
# New 'Spirals' Ransomware Strikes with Lightning Speed, Encrypting Networks in Under 24 Hours

A new ransomware actor, identified as **Spirals**, has executed a full corporate intrusion β from initial access to data theft and encryption β in a remarkably short timeframe, under 24 hours.
## The Rapid Attack Vector
The incident, which occurred in June, targeted an IT services firm in South Asia. The initial compromise stemmed from a publicly exposed **Internet Information Services (IIS)** server. Researchers at **Symantec**'s Threat Hunter Team detailed the swift progression of the attack.
Upon gaining initial access, the **Spirals** operator uploaded an **ASP.NET** web shell, quickly establishing a foothold within the target network.
## Bypassing Defenses and Establishing Persistence
The attacker moved with precision, bypassing **User Account Control (UAC)**, enabling **Remote Desktop**, and creating a local account to ensure persistent access. Credential harvesting attempts were also made, with the attacker dumping the **SAM** registry hive and **LSASS** process memory.
**Symantec** investigators further noted attempts to disable security software on the hosts. Lateral movement was facilitated using **WMI** (Windows Management Instrumentation) across more than a dozen systems. Redundant remote access channels were established utilizing tools like **revsocks**, **Chisel**, and **Cloudflare** tunnels.
## Pre-Encryption Preparations
A malicious **PowerShell** payload was deployed to disable **Microsoft Defender**, remove its threat definitions, and halt services associated with 23 different backup, database, and virtualization products. This included critical systems such as **Veeam**, **VMware**, **Hyper-V**, **SQL Server**, **Oracle**, and **PostgreSQL**, all in preparation for the final encryption stage.
## The Encryption Phase
The **Spirals** ransomware payload, masquerading as `bitsadmin.exe` (likely to mimic the legitimate Windows Background Intelligent Transfer Service utility), was deployed less than 24 hours after the initial compromise. The operator used **PsExec** running as `SYSTEM` to spread the payload across the victimβs network, encrypting files on affected machines.
## Technical Deep Dive into Spirals Ransomware
**Spirals** is a **Rust-based** ransomware family. It employs **AES-128** keys, which are protected by an attacker-controlled **ECDH P-256** public key. To accelerate the encryption process, **Spirals** utilizes intermittent encryption for files larger than 5MB.
A ransom note, named `RECOVERY_SECTION.log`, is dropped on the `C:\` drive, providing instructions for victims to initiate negotiations. The attackers enforce a strict six-day deadline, threatening public exposure of stolen data if the ransom is not paid.
## Outlook and Mitigation
Despite the clear extortion portal, **Symantec** has observed **Spirals** in only a single case so far. This leaves open the question of whether this new family is intended for broader cybercrime deployment or if it was a custom payload developed specifically for the attack on the IT services firm.
**Symantec**'s report includes network indicators and file hashes associated with the documented **Spirals** attack. Organizations are urged to review these indicators and bolster their defenses against this rapidly evolving threat group.