Press TechRound interviews Secure.com CEO on the future of AI security
Read

Spirals Ransomware Went From Break In to Blackout in Under 24 Hours

A new ransomware family called Spirals broke into an IT services firm, stole data, and locked the network in under a day.

Dateline: July 16, 2026 

Spirals Killed 23 Backup Services, Then Encrypted Everything

Most ransomware crews take their time. They sit inside a network for days, sometimes weeks, poking around before they pull the trigger. Spirals did not.

Symantec’s Threat Hunter Team published research on July 16 showing a brand new ransomware family that broke into an IT services company in South Asia, stole its data, and encrypted the network in less than a day. No zero day. No exotic malware. Just an exposed web server and an operator who knew exactly what to do next.

Symantec has only seen it hit one victim so far. The researchers are not comforted by that.

What Happened?

The clock started on June 16 at 22:21 local time. The attacker got in through an internet facing IIS web server and dropped an ASP.NET web shell on it. From there it turned into a hands on keyboard session.

Within the first ten minutes, three separate tunneling tools landed on the box.

  • One was called tunn.exe.
  • Another was revsocks, a reverse SOCKS proxy pointed at an external IP over port 443.
  • The third was Chisel, renamed chrome.exe so it would look like a browser sitting in the Windows Tasks folder.

A Cloudflare tunnel client went into a web production directory too. Four ways back in, in case somebody closed one door.

Then came the usual housekeeping. A UAC bypass for privilege escalation. RDP switched on. A fresh local account created for persistence. The SAM registry hive dumped into a password protected archive. Later, LSASS memory scraped off multiple machines using rundll32.exe and comsvcs.dll.

By 23:33 the attacker was using WMI to jump across the network. More than a dozen machines in the first few minutes, at a pace Symantec described as automated rather than manual.

The next afternoon, June 17, they switched to PsExec running as SYSTEM. Starting around 14:12, one host pushed the same base64 encoded PowerShell payload to a long list of targets, more than one every few seconds for roughly half an hour. Domain controllers. File servers. Virtual machines. Workstations.

That payload did two things. It killed Windows Defender’s real time monitoring and wiped its threat definitions. Then it hunted down and force stopped any running service matching a list of 23 backup, database, and virtualization products. Veeam, VMware, Hyper V, Acronis, Veritas, Commvault, SQL Server, Oracle, MySQL, PostgreSQL, SAP, Lotus Domino. Open file handles get in the way of encryption. So they removed them.

The encryptor itself was named bitsadmin.exe, borrowing the name of a real Windows utility. It was dropped into the Windows directory, a user desktop, a domain controller network share, and the SYSVOL domain scripts folder, which replicates across the whole domain and reaches machines PsExec never touched.

The Impact

Spirals is written in Rust. Each file gets its own AES-128 key, wrapped with an attacker controlled ECDH P-256 public key. Anything over 5 MB is encrypted intermittently across jittered chunks to speed things up. There is no decryptor.

The ransom note lands at C:\RECOVERY_SECTION.log and gives victims six days before the stolen data goes public. Negotiations happen on a Tor portal. Investigators found the crew’s onion site, which is where the name Spirals comes from.

Here is the part worth sitting with. Symantec says the breadth and pace of the PsExec push suggests the target list was already built, probably from Active Directory enumeration during the foothold phase, before the deployment even started. The reconnaissance and the attack were not separate stages. They overlapped.

And while researchers have seen Spirals on exactly one network, they flagged the operators as skilled enough to run much wider campaigns.

How to Avoid This

Start with the front door. This whole thing began with an IIS server facing the open internet. Audit what of yours is actually reachable from outside, and check web directories for files nobody remembers uploading.

  • Watch for the tools, not the malware. Chisel, revsocks, and cloudflared are legitimate software. When they appear on a web server at 10pm, that is the story.
  • Alarm on Defender changes. MpCmdRun.exe with a RemoveDefinitions flag has no business running on your network. Same for PsExec fanning out to fifty hosts in thirty minutes.
  • Keep backups off the domain. Spirals stopped 23 backup and database services before encrypting anything. If your backup lives inside the same Active Directory, it dies with everything else.
  • Lock down SYSVOL. Writing an executable to the domain scripts folder handed the attacker a distribution network your domain controller runs for free.

When Your Attacker Works Faster Than Your Ticket Queue

Spirals took under 24 hours. Most SOC teams take longer than that to triage a backlog. That gap is the whole problem. Secure.com’s Digital Security Teammates close it by working the way the attacker does, without stopping:

  • Continuous monitoring across SIEM, EDR, and firewall telemetry, normalized into one schema so an IIS anomaly and a credential dump read as one story instead of two unrelated alerts.
  • Automated containment that isolates the endpoint and disables the compromised account when credential dumping is detected, not after somebody reads the ticket.
  • Threat intel correlation that matches outbound traffic against live IOC feeds, so a connection to a staging IP gets flagged in seconds.
  • MITRE ATT&CK mapping that turns scattered signals like WMI lateral movement and service enumeration into a recognizable attack chain.
  • Autonomous investigation designed to complete in under two minutes, which is the only speed that matters when the encryptor lands the next afternoon.