New Spirals ransomware encrypts networks in under 24 hours

▼ Summary
– The Spirals ransomware actor completed a corporate intrusion, from initial access to data theft and encryption, in less than 24 hours, targeting an IT services firm in South Asia in June.
– The attacker gained initial access by compromising an exposed IIS server, then uploaded an ASP.NET web shell and bypassed User Account Control (UAC) to enable Remote Desktop and create a persistent local account.
– The threat actor used WMI to move laterally to over a dozen systems, established redundant remote access via revsocks, Chisel, and Cloudflare tunnels, and attempted to extract credentials by dumping the SAM registry hive and LSASS process memory.
– A PowerShell payload disabled Microsoft Defender and stopped services for 23 backup, database, and virtualization products like Veeam, VMware, and SQL Server, preparing for encryption.
– Spirals is a Rust-based ransomware that uses AES-128 keys protected by an ECDH P-256 public key, employs intermittent encryption for files over 5MB, and threatens to expose stolen data within six days if a ransom is not paid.
A newly identified ransomware strain, Spirals, has demonstrated alarming speed by completing a full corporate intrusion cycle in under 24 hours. The operation spanned from initial access to data theft and final file encryption.
The breach took place in June, targeting an IT services company based in South Asia. According to researchers from Symantec’s Threat Hunter Team, the attacker gained entry by compromising a publicly exposed Internet Information Services (IIS) server. Once inside, the operator uploaded an ASP. NET web shell and began moving with remarkable efficiency.
After securing initial access, the threat actor bypassed User Account Control (UAC), enabled Remote Desktop, and created a local account to ensure persistent access. The attacker also attempted to extract credentials by dumping the SAM registry hive and LSASS process memory. Symantec investigators note that the operator tried to remove security software from compromised hosts, used WMI to move laterally across more than a dozen systems, and established redundant remote access channels using tools like revsocks, Chisel, and Cloudflare tunnels.
In a critical step before encryption, a PowerShell payload disabled Microsoft Defender, erased its threat definitions, and halted services linked to 23 backup, database, and virtualization products. This included major platforms such as Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL.
The actual deployment of the Spirals payload, disguised as `bitsadmin.exe`, occurred less than 24 hours after the initial compromise. Symantec explains that the operator used PsExec running as SYSTEM to push the ransomware across the victim’s network. The filename was chosen to mimic the legitimate Windows utility for the Background Intelligent Transfer Service.
Spirals is built on Rust and encrypts files using AES-128 keys protected by an attacker-controlled ECDH P-256 public key. To speed up the process, the ransomware employs intermittent encryption for files larger than 5MB. A ransom note named `RECOVERY_SECTION.log` is placed on the C:\ drive, containing payment instructions. Victims are threatened with public exposure of stolen data within six days unless the ransom is paid.
Despite the presence of an extortion portal, Symantec has only observed Spirals in this single incident so far. It remains unclear whether this new family is designed for broad cybercrime use or if it was a custom payload tailored specifically for the attack on the South Asian IT services firm. To help organizations defend against this threat, Symantec’s report includes network indicators and file hashes associated with the documented Spirals attack.
(Source: BleepingComputer)