Spirals ransomware crew locked down an IT firm's network in under a day

A new group broke in through an exposed web server, disabled defences and encrypted files inside 24 hours, Symantec says.

ThreatVectr Newsdesk· 4 min read
Photoreal news-editorial image, 16:9, full frame edge to edge
Share

Key points

  • A new ransomware group calling itself Spirals broke into a South Asian IT services firm in June 2025 and encrypted its files in under 24 hours.
  • The hackers got in through an Internet Information Services web server, meaning Microsoft's software for hosting websites, that was exposed to the public internet.
  • Spirals uses a Rust-based file locker with AES-128 encryption and threatens to publish stolen data within six days if the victim does not pay.
  • Symantec's Threat Hunter Team says it has seen only one Spirals attack so far, so it is unclear if the tool is for wider use or built for this one job.
  • The attackers disabled Microsoft Defender and stopped services tied to 23 backup and database products, including Veeam, VMware and SQL Server, before running the ransomware.

A new ransomware crew has shown just how fast a serious intrusion can move. Researchers at Symantec's Threat Hunter Team say a group calling itself Spirals broke into an IT services firm in South Asia in June, stole data, and encrypted files across the network in less than a day.

The first report of the attack came from BleepingComputer.

The way in was a familiar one. The company had left an Internet Information Services (IIS) server, which is Microsoft's software for hosting websites, exposed on the public internet. The attackers reached it, then uploaded an ASP.NET web shell, meaning a small script that gives an intruder a hidden back door into a web server.

From there, things moved quickly.

How did the hackers get so deep so fast?

They used well-known Windows tricks to widen their access. The Spirals operator bypassed User Account Control, the Windows prompt that asks permission before sensitive changes, and switched on Remote Desktop so they could log in visually. They created a fresh local account to keep a foothold if anyone locked them out.

They also went after passwords. The attackers copied the SAM registry hive and dumped the memory of a Windows process called LSASS, both common sources of stored login credentials.

Once inside, they spread. Symantec says the group used Windows Management Instrumentation, a built-in administration tool, to jump to more than a dozen other machines. They set up several remote access channels at once, using tools called revsocks and Chisel alongside Cloudflare tunnels, so losing one route would not lock them out.

Then came the preparation for the payload. A PowerShell script switched off Microsoft Defender, wiped its threat definitions, and stopped services tied to 23 backup, database and virtualisation products. Veeam, VMware, Hyper-V, SQL Server, Oracle and PostgreSQL were all on the list. The point was simple: kill anything that could either restore files or keep them locked open.

Less than 24 hours after the first break-in, the ransomware itself arrived. The attackers used PsExec, a legitimate Microsoft admin tool, to push the file across the network running as SYSTEM, the highest level of Windows account. The payload was named bitsadmin.exe, borrowing the name of a real Windows utility to blend in.

What does Spirals itself actually do?

It is a Rust-based ransomware family. It encrypts files with AES-128 keys, and those keys are then protected using an ECDH P-256 public key held by the attacker, meaning victims cannot recover files without the criminals' private key.

For files larger than 5MB it uses intermittent encryption, scrambling only parts of each file to speed the process up. A ransom note called RECOVERY_SECTION.log is dropped on the C: drive with instructions to negotiate. Victims are told stolen data will be published within six days if they do not pay.

Symantec has only seen Spirals used once so far. That leaves an open question: is this a new brand being tested before wider criminal use, or a one-off tool built for this single target? The researchers have published network indicators and file hashes so other defenders can watch for the same patterns.

For ordinary customers of the affected firm, the practical concern is data exposure. Anyone whose personal or business details may have been held there should watch for unusual emails, invoice changes, or login alerts in the coming weeks.

© 2026 Threat Vectr