← All stories
● Covered by 1 source Β· 1 reportHigh impact

Spirals ransomware encrypts networks within 24 hours after initial compromise

Aggregated by BrevFeed security Β· updated 1h ago
πŸ”– Save

A new ransomware group, Spirals, compromised an IT services firm in South Asia and completed data theft and encryption in under 24 hours. The rapid expansion of ransomware capabilities poses significant threats to corporate network security.

Key points

Attack Overview

In June, a South Asian IT services firm was targeted by a new ransomware actor named Spirals. The attackers first gained access through an Internet Information Services (IIS) server that was left exposed on the public internet.

Rapid Intrusion Tactics

The Spirals operator took swift action after breaching the network, uploading an ASP.NET web shell to maintain their foothold. They bypassed User Account Control (UAC), enabled Remote Desktop access, and created a local account for persistence. Additionally, the attackers dumped the Security Accounts Manager (SAM) registry hive and LSASS memory to extract credentials.

Lateral Movement and Preparation for Encryption

The attacker employed techniques to remove security software from the compromised hosts and moved laterally to over a dozen systems using Windows Management Instrumentation (WMI). To prepare for encryption, a PowerShell payload was executed that disabled Microsoft Defender and stopped services linked to numerous backup and database products.

Encryption and Ransom Note

The ransomware payload, named bitsadmin.exe, was deployed less than 24 hours after initial access. It masquerades as a legitimate Windows utility to encrypt files on the network. A ransom note, RECOVERY_SECTION.log, was left on the C:\ drive, outlining demands and threats of public exposure of stolen data within six days if the ransom is not paid.

Current Status and Implications

Symantec has only observed the Spirals ransomware in a single incident thus far. It remains unclear if this is an isolated attack or if the malware will be disseminated more widely in future criminal activities. The emergence of such quick-acting ransomware poses significant risks to organizations, highlighting the ongoing challenge of cybersecurity in the corporate sphere.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Reporting from

A new ransomware group, Spirals, compromised an IT services firm in South Asia and completed data theft and encryption in under 24 hours. The rapid expansion of ransomware capabilities poses significant threats to corporate network security.