Researchers have identified a previously unseen ransomware family called Spirals, which was used in a targeted attack against an IT services company in South Asia during June 2026.
According to Symantec's Threat Hunter Team, the attackers moved from initial access to full-scale network encryption in less than 24 hours, demonstrating a highly coordinated and disciplined intrusion.
The ransomware is written in Rust and appears to be either a completely new malware family or a custom-built encryptor developed specifically for this operation.
Attack Timeline
The intrusion began on June 16, 2026, when attackers compromised an internet-facing Microsoft IIS server and deployed an ASP.NET web shell.
Initial Access
June 16, 22:21
Attackers:
- Compromised IIS web server
- Uploaded ASP.NET web shell
- Established persistence
- Created covert communication channels
Within minutes, multiple tunneling tools were deployed.
Tunneling Infrastructure
- Chisel (disguised as
chrome.exe) - Cloudflare Tunnel client
- Additional tunneling utility
This provided redundant command-and-control pathways while helping evade detection.
Privilege Escalation and Persistence
During a three-hour hands-on-keyboard session, attackers executed:
cmd.exepowershell.exe
via the IIS worker process.
Additional activity included:
- UAC bypass
- Remote Desktop Protocol (RDP) activation
- Local administrator account creation
- SAM database extraction
- Security tool tampering
By 23:07, attackers had already begun disabling security controls.
Rapid Lateral Movement
At approximately:
23:33
the operators began moving laterally through the environment.
Techniques Used
- WMI execution
- Domain administrator credentials
- Automated host targeting
Researchers observed more than a dozen systems compromised within minutes.
The speed and consistency of the activity suggest pre-planned automation rather than manual reconnaissance.
PsExec-Based Mass Deployment
On June 17, attackers transitioned to PsExec for enterprise-wide ransomware deployment.
Starting around:
14:12
a compromised host pushed an identical Base64-encoded PowerShell payload across the network every few seconds for roughly 30 minutes.
The deployment script immediately:
- Disabled Microsoft Defender
- Disabled real-time protection
- Stopped backup services
- Stopped database services
- Stopped virtualization services
Services Targeted Before Encryption
The malware attempted to terminate services associated with:
- Veeam
- VMware
- Microsoft SQL Server
- Microsoft Exchange
- Backup applications
- Virtualization platforms
This ensured files were unlocked and available for encryption.
Disguised Malware Deployment
The ransomware payload was named:
bitsadmin.exe
to resemble a legitimate Windows utility.
Attackers staged the payload in multiple locations throughout the environment.
One notable location was:
SYSVOL
which allowed automatic distribution across domain-joined systems.
Spirals Ransomware Technical Details
Spirals is a fully featured ransomware platform incorporating:
- Privilege escalation
- Defense evasion
- Process termination
- Lateral movement
- Automated deployment
Encryption Architecture
| Component | Implementation |
|---|---|
| Symmetric Encryption | AES-128 per file |
| Key Protection | ECDH P-256 public key |
| Optimization | Intermittent chunk encryption |
The ransomware uses partial encryption for files larger than 5 MB to significantly increase encryption speed while maintaining impact.
Data Theft and Extortion
The operation follows a double-extortion model.
A ransom note is dropped as:
C:\RECOVERY_SECTION.log
Victims are threatened with public release of stolen corporate data if payment is not made.
Extortion Window
6 Days
The note directs victims to a Tor-based negotiation portal that explicitly identifies the threat group as:
Spirals
Credential Theft Activity
Researchers observed credential harvesting using:
rundll32.exe
comsvcs.dll
to dump LSASS memory.
This technique is commonly used to obtain:
- Domain credentials
- Administrative passwords
- Kerberos tickets
- Service account credentials
Infrastructure Identified
Symantec identified infrastructure associated with the operation.
Staging Server
185.141.216[.]194
Researchers also identified compromised domains used to host malicious payloads and facilitate deployment.
Indicators of Attack
Security teams should monitor for:
IIS Activity
- Unexpected ASP.NET files
- New web shells
- IIS spawning PowerShell
- IIS spawning cmd.exe
Lateral Movement
- WMI execution
- PsExec activity
- Rapid host-to-host connections
Credential Access
- LSASS memory access
- rundll32 + comsvcs.dll execution
- SAM hive access
Ransomware Staging
- Suspicious executables named
bitsadmin.exe - Files copied into SYSVOL
- Defender configuration changes
Recommended Defensive Actions
Web Server Monitoring
Monitor internet-facing IIS servers for:
- Unauthorized ASP.NET uploads
- New web shell deployments
- Abnormal worker process activity
Lateral Movement Detection
Generate alerts for:
- PsExec execution
- WMI execution
- Rapid internal host scanning
Credential Protection
- Restrict Domain Admin usage
- Enable Credential Guard
- Monitor LSASS access attempts
- Prevent credential dumping
Backup Protection
- Isolate backup infrastructure
- Protect backup credentials
- Monitor service termination attempts
Key Takeaway
Although Spirals ransomware has only been observed in a single attack so far, the operation demonstrates a mature and highly capable threat actor. By combining IIS web shells, Cloudflare tunnels, WMI, PsExec, credential dumping, and SYSVOL-based propagation, the attackers were able to compromise and encrypt an enterprise environment in under 24 hours.
Organizations operating internet-facing IIS infrastructure should immediately review monitoring controls for web shell activity, credential dumping attempts, and large-scale PsExec or WMI execution across internal networks.