Spirals Ransomware Encrypts IT Firm’s Network in Under 24 Hours

A previously unidentified ransomware strain, dubbed ‘Spirals,’ executed a rapid and sophisticated attack on an IT services company in South Asia in June 2026. The entire operation, from initial breach to full network encryption, was completed in less than 24 hours, showcasing a level of efficiency and coordination that is particularly alarming.

The attack commenced when the perpetrators exploited a publicly accessible Internet Information Services (IIS) web server, uploading an ASP.NET web shell to establish a foothold. Within minutes, they deployed multiple tunneling tools, including Chisel (disguised as ‘chrome.exe’) and a Cloudflare tunnel client, to create covert communication channels. A token impersonation tool was also utilized, likely facilitating privilege escalation.

During an intensive three-hour session, the attackers executed several actions to solidify their presence and prepare for the ransomware deployment. These actions included bypassing User Account Control (UAC), enabling Remote Desktop Protocol (RDP), creating a persistent local account, and dumping the Security Account Manager (SAM) hive. By 23:07, they had begun efforts to disable security tools, indicating a clear intent to neutralize defensive measures.

By 23:33, the attackers initiated lateral movement using Windows Management Instrumentation (WMI), rapidly compromising over a dozen machines. This swift propagation suggests the use of automated scripts and pre-planned targeting, rather than manual exploration.

The following day, at approximately 14:12, the attackers shifted to using PsExec for mass deployment. Over a 30-minute period, they pushed a base64-encoded PowerShell payload to numerous network targets. This payload disabled Windows Defender’s real-time monitoring and terminated over 20 critical services, including those related to backup, database, and virtualization systems such as Veeam, VMware, SQL Server, and Exchange. This preemptive action ensured that files were accessible for encryption without interference.

The ransomware executable, masquerading as ‘bitsadmin.exe,’ was strategically placed across multiple network locations, including the SYSVOL domain scripts directory. This placement facilitated automated propagation, even to machines not directly targeted by the initial PsExec deployment.

Spirals is a Rust-based ransomware with advanced capabilities, including defense evasion, automated lateral movement, process termination, and privilege escalation. It encrypts files using AES-128, with each file’s key wrapped using an attacker-controlled ECDH P-256 public key. For files larger than 5 MB, the encryption process is optimized by encrypting data in chunks, enhancing both speed and efficiency.

Victims are left with a ransom note titled ‘RECOVERY_SECTION.log,’ which directs them to a Tor-based negotiation site. The note threatens to leak stolen data within six days if the ransom is not paid, adding pressure to comply with the attackers’ demands.

This incident underscores the evolving tactics of ransomware operators, who are now capable of executing full-scale attacks with unprecedented speed. Organizations must prioritize the security of internet-facing systems, regularly audit for unauthorized files, and implement robust monitoring to detect anomalies promptly. The rapid progression from initial access to full encryption highlights the critical need for swift detection and response mechanisms to mitigate such threats effectively.