Researchers have identified a previously unseen ransomware family called Spirals, which was used in a targeted attack against an IT services company in South Asia during June 2026.

According to Symantec's Threat Hunter Team, the attackers moved from initial access to full-scale network encryption in less than 24 hours, demonstrating a highly coordinated and disciplined intrusion.

The ransomware is written in Rust and appears to be either a completely new malware family or a custom-built encryptor developed specifically for this operation.

Attack Timeline

The intrusion began on June 16, 2026, when attackers compromised an internet-facing Microsoft IIS server and deployed an ASP.NET web shell.

Initial Access

June 16, 22:21

Attackers:

  • Compromised IIS web server
  • Uploaded ASP.NET web shell
  • Established persistence
  • Created covert communication channels

Within minutes, multiple tunneling tools were deployed.

Tunneling Infrastructure

  • Chisel (disguised as chrome.exe)
  • Cloudflare Tunnel client
  • Additional tunneling utility

This provided redundant command-and-control pathways while helping evade detection.

Privilege Escalation and Persistence

During a three-hour hands-on-keyboard session, attackers executed:

  • cmd.exe
  • powershell.exe

via the IIS worker process.

Additional activity included:

  • UAC bypass
  • Remote Desktop Protocol (RDP) activation
  • Local administrator account creation
  • SAM database extraction
  • Security tool tampering

By 23:07, attackers had already begun disabling security controls.

Rapid Lateral Movement

At approximately:

23:33

the operators began moving laterally through the environment.

Techniques Used

  • WMI execution
  • Domain administrator credentials
  • Automated host targeting

Researchers observed more than a dozen systems compromised within minutes.

The speed and consistency of the activity suggest pre-planned automation rather than manual reconnaissance.

PsExec-Based Mass Deployment

On June 17, attackers transitioned to PsExec for enterprise-wide ransomware deployment.

Starting around:

14:12

a compromised host pushed an identical Base64-encoded PowerShell payload across the network every few seconds for roughly 30 minutes.

The deployment script immediately:

  • Disabled Microsoft Defender
  • Disabled real-time protection
  • Stopped backup services
  • Stopped database services
  • Stopped virtualization services

Services Targeted Before Encryption

The malware attempted to terminate services associated with:

  • Veeam
  • VMware
  • Microsoft SQL Server
  • Microsoft Exchange
  • Backup applications
  • Virtualization platforms

This ensured files were unlocked and available for encryption.

Disguised Malware Deployment

The ransomware payload was named:

bitsadmin.exe

to resemble a legitimate Windows utility.

Attackers staged the payload in multiple locations throughout the environment.

One notable location was:

SYSVOL

which allowed automatic distribution across domain-joined systems.

Spirals Ransomware Technical Details

Spirals is a fully featured ransomware platform incorporating:

  • Privilege escalation
  • Defense evasion
  • Process termination
  • Lateral movement
  • Automated deployment

Encryption Architecture

Component Implementation
Symmetric Encryption AES-128 per file
Key Protection ECDH P-256 public key
Optimization Intermittent chunk encryption

The ransomware uses partial encryption for files larger than 5 MB to significantly increase encryption speed while maintaining impact.

Data Theft and Extortion

The operation follows a double-extortion model.

A ransom note is dropped as:

C:\RECOVERY_SECTION.log

Victims are threatened with public release of stolen corporate data if payment is not made.

Extortion Window

6 Days

The note directs victims to a Tor-based negotiation portal that explicitly identifies the threat group as:

Spirals

Credential Theft Activity

Researchers observed credential harvesting using:

rundll32.exe
comsvcs.dll

to dump LSASS memory.

This technique is commonly used to obtain:

  • Domain credentials
  • Administrative passwords
  • Kerberos tickets
  • Service account credentials

Infrastructure Identified

Symantec identified infrastructure associated with the operation.

Staging Server

185.141.216[.]194

Researchers also identified compromised domains used to host malicious payloads and facilitate deployment.

Indicators of Attack

Security teams should monitor for:

IIS Activity

  • Unexpected ASP.NET files
  • New web shells
  • IIS spawning PowerShell
  • IIS spawning cmd.exe

Lateral Movement

  • WMI execution
  • PsExec activity
  • Rapid host-to-host connections

Credential Access

  • LSASS memory access
  • rundll32 + comsvcs.dll execution
  • SAM hive access

Ransomware Staging

  • Suspicious executables named bitsadmin.exe
  • Files copied into SYSVOL
  • Defender configuration changes

Recommended Defensive Actions

Web Server Monitoring

Monitor internet-facing IIS servers for:

  • Unauthorized ASP.NET uploads
  • New web shell deployments
  • Abnormal worker process activity

Lateral Movement Detection

Generate alerts for:

  • PsExec execution
  • WMI execution
  • Rapid internal host scanning

Credential Protection

  • Restrict Domain Admin usage
  • Enable Credential Guard
  • Monitor LSASS access attempts
  • Prevent credential dumping

Backup Protection

  • Isolate backup infrastructure
  • Protect backup credentials
  • Monitor service termination attempts

Key Takeaway

Although Spirals ransomware has only been observed in a single attack so far, the operation demonstrates a mature and highly capable threat actor. By combining IIS web shells, Cloudflare tunnels, WMI, PsExec, credential dumping, and SYSVOL-based propagation, the attackers were able to compromise and encrypt an enterprise environment in under 24 hours.

Organizations operating internet-facing IIS infrastructure should immediately review monitoring controls for web shell activity, credential dumping attempts, and large-scale PsExec or WMI execution across internal networks.