Advertisement
Security

Spirals Ransomware Blasts Through Defenses

A new threat actor is compromising corporate networks and deploying encryption in under one day using advanced persistence tools.

··4 hours ago·2 min read
red padlock on black computer keyboard
Photo by FlyD on Unsplash
Advertisement

The speed at which modern cyber attackers can pivot from initial network entry to total infrastructure lockdown is shrinking, leaving security teams with a diminishing window for incident response. A new entity identified as Spirals has demonstrated this efficiency by completing an end-to-end compromise of a South Asian IT services provider within a 24-hour timeframe.

Tactical Speed and Persistence

The campaign, which took place in June, began with the exploitation of a public-facing Internet Information Services (IIS) server. Once inside, the operator displayed a high level of operational maturity, rapidly deploying an ASP.NET web shell to facilitate further movement. The attacker demonstrated a clear understanding of Windows internals, bypassing User Account Control (UAC) and enabling Remote Desktop to secure a permanent foothold.

To maintain access while pivoting across the environment, the actor utilized a combination of revsocks, Chisel, and Cloudflare tunnels. This redundant approach to remote connectivity highlights a sophisticated strategy designed to survive standard containment efforts. Lateral movement was executed via Windows Management Instrumentation (WMI), allowing the actor to impact more than a dozen distinct systems before triggering the final encryption routine.

Targeted Disablement of Infrastructure

Preparation for the final payload deployment involved a calculated effort to silence security alerts and administrative oversight. The operator utilized a PowerShell script to cripple Microsoft Defender and purge its threat definitions. Furthermore, the attacker explicitly targeted services critical to disaster recovery and data integrity, including those related to database and virtualization platforms.

  • The entire lifecycle from initial access to ransomware deployment occurred in less than 24 hours.
  • The attacker utilized WMI to move laterally across more than 12 systems.
  • Services associated with 23 distinct backup, database, and virtualization products were stopped prior to encryption.
  • The ransomware uses intermittent encryption for files exceeding 5MB to optimize speed.
  • Victims are threatened with the public leak of stolen data within 6 days of the initial incident.

The operator began deploying the ransomware payload across the victim’s network using PsExec running as SYSTEM. The payload was named bitsadmin.exe, likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service, encrypting files on impacted machines.

— Symantec's Threat Hunter Team

Encryption and Extortion Mechanics

The researchers explain that the Spirals payload is written in Rust and employs AES-128 keys, secured by an ECDH P-256 public key. By utilizing intermittent encryption, the group significantly reduces the time required to lock large files, maximizing the disruption caused before security teams can intervene. Victims discover the extortion attempt via a file labeled RECOVERY_SECTION.log dropped on the root C:\ drive.

Implications for Security Posture

The emergence of Spirals underscores a critical reality: visibility and Test every layer before attackers do to ensure that security configurations are actually functional against modern intrusion techniques. For IT and security departments, this incident serves as a reminder that perimeter defenses—such as patching public-facing IIS servers—are only the first line of defense. The ability to identify credential dumping, service manipulation, and the unauthorized use of tunnel providers is essential for stopping an actor before they can transition from a single server breach to a full-scale network encryption event.

#ransomware#cybersecurity#threat-intelligence#symantec

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement