[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpy_Iwr_njYZpcWurtkw_miC9R9okqfIcO-hMES-L5FQ":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"e130001d-513e-42b8-a118-d4302a4f5942","New Spirals ransomware encrypts victim network in under 24 hours","new-spirals-ransomware-encrypts-victim-network-in-under-24-hours-cd161f","A new ransomware actor called Spirals completed a corporate intrusion, from initial access to data theft and encryption, in less than 24 hours. [...]","A new ransomware actor called Spirals compromised an IT services firm in South Asia through an exposed IIS server and completed the entire attack chain—from initial access to encryption—in less than 24 hours. The operator rapidly escalated privileges, disabled security tools, moved laterally across a dozen systems, and deployed the Rust-based Spirals ransomware payload via PsExec. Symantec identified this as a single incident so far, leaving unclear whether Spirals is a broader cybercrime family or a custom operation.","Spirals ransomware gang breached IT services firm in under 24 hours via exposed IIS server.","New Spirals ransomware encrypts victim network in under 24 hours By Bill Toulas July 16, 2026 06:00 AM 0 A new ransomware actor called Spirals completed a corporate intrusion, from initial access to data theft and encryption, in less than 24 hours. The attack occurred in June and breached an IT services firm in South Asia after compromising an Internet Information Services (IIS) server exposed on the public web. Researchers at Symantec's Threat Hunter Team say that the attacker moved quickly after obtaining initial access and uploading an ASP.NET web shell. The Spirals operator then bypassed User Account Control (UAC), enabled Remote Desktop, and created a local account to maintain persistent access. The attacker also dumped the SAM registry hive and LSASS process memory in an attempt to extract credentials. Symantec investigators say that the threat actor tried to remove security software on the hosts, used WMI to move laterally to more than a dozen systems, and established redundant remote access channels using revsocks, Chisel, and Cloudflare tunnels. A PowerShell payload disabled Microsoft Defender, removed its threat definitions, and stopped services associated with 23 backup, database, and virtualization products, including Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL, in preparation for the encryption stage. The deployment of the Spirals payload (bitsadmin.exe) occurred less than 24 hours after the initial compromise, reports Symantec. “The operator began deploying the ransomware payload across the victim’s network using PsExec running as SYSTEM,” the researchers explain. “The payload was named bitsadmin.exe, likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service, encrypting files on impacted machines.” Spirals is a Rust-based ransomware family that uses AES-128 keys protected by an attacker-controlled ECDH P-256 public key. The ransomware uses intermittent encryption for files larger than 5MB to accelerate the process. A ransom note named RECOVERY_SECTION.log is dropped on the C:\\ drive, containing instructions to negotiate a ransom. Victims are threatened with public exposure of the stolen data within six days, unless the attacker is paid. Despite the presence of the extortion portal, Symantec observed Spirals in a single case so far, so it’s unclear whether the new family is intended for broader cybercrime deployment or if it was a custom payload created specifically for this attack at the IT services firm. Symantec's report provides network indicators and file hashes associated with the documented Spirals attack to help organizations worldwide set up defenses against this threat group. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: New Prinz Eugen ransomware prioritizes recent files for encryptionJadePuffer ransomware used AI agent to automate entire attackBlackfield ransomware asks Nidec Corporation for $2 million ransomUS charges alleged operators of Russian bulletproof hosting serviceUS sanctions VPN, malware providers for enabling ransomware attacks","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-spirals-ransomware-encrypts-victim-network-in-under-24-hours\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F04\u002F28\u002Fransomware.jpg","2026-07-16T10:00:00+00:00","2026-07-16T12:00:15.308767+00:00",9,[18,21,24,27,29,32],{"name":19,"type":20},"Spirals","threat_actor",{"name":22,"type":23},"Symantec","vendor",{"name":25,"type":26},"IIS (Internet Information Services)","product",{"name":28,"type":26},"ASP.NET web shell",{"name":30,"type":31},"PsExec","technology",{"name":33,"type":31},"WMI (Windows Management Instrumentation)","7d8b5ab8-ea0b-4ced-ae97-ec251b86993a",{"id":34,"icon":36,"name":37,"slug":38},null,"Ransomware","ransomware",[40,45,50],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,58,61],{"type":44,"value":19,"context":57},"Rust-based ransomware family using AES-128 encryption and ECDH P-256 keys; drops RECOVERY_SECTION.log ransom note",{"type":44,"value":59,"context":60},"revsocks","Remote access tool used for redundant command & control channels",{"type":44,"value":62,"context":63},"Chisel","Tunneling tool used for redundant remote access"]