Spirals ransomware: full network encrypted in under 24h
Symantec documents Spirals, a new ransomware family: IIS web-shell entry to a fully encrypted network in under 24 hours — one confirmed victim so far, an IT services firm in South Asia.
Confirmed: Symantec’s Threat Hunter Team documented today, July 16, 2026 a new ransomware family — Spirals — that encrypted an IT services firm in South Asia after less than 24 hours inside the network. One documented incident. Confidence on the disclosure, the timeline, and the tooling below: as-reported by Symantec.
Symantec has not tied Spirals to a known operator, RaaS affiliate, or leak brand, and it reports only a single engagement. Whether the group is running a broader campaign or this was an opportunistic hit: not stated — treat accordingly.
Initial access
Per Symantec, entry was through an internet-facing IIS server. The operator dropped an ASP.NET web shell, then executed a UAC bypass, enabled Remote Desktop, and created a local account for persistence. Symantec does not name a CVE or a specific misconfiguration on the IIS host, so whether the entry point was an unpatched flaw, a stolen credential, or an exposed management surface is not disclosed — unconfirmed.
The point that survives the missing detail: another ransomware disclosure that starts on a public web tier. It sits next to last week’s CISA emergency direction on three actively exploited SharePoint CVEs as one more argument that internet-exposed Microsoft web stacks are where operators keep finding their opening.
Credential theft and lateral movement
From that foothold the operator dumped the SAM registry hive and LSASS memory, then used WMI to move to more than a dozen additional systems on the network. Confidence: as-reported. Symantec’s summary does not say which credentials worked against which hosts, or whether Kerberoasting or AS-REP roasting were staged before the WMI hop.
Persistent remote access was staged on three independent channels before the encryption step:
- revsocks — reverse SOCKS tunnel.
- Chisel — HTTP/WebSocket tunneling.
- Cloudflare tunnels — outbound TLS to Cloudflare edge.
Three egress paths in one engagement is not paranoia by the operator, it is planning. It means severing one channel mid-response leaves the other two live. Same operating pattern the UAT-7810 crew ran through ORB infrastructure earlier this month — different tools, same “no single point of eviction” principle.
Defender kill and payload deploy
A PowerShell script disabled Microsoft Defender on the target hosts. PsExec then pushed the ransomware binary across the network as SYSTEM. Symantec’s own line, quoted in the BleepingComputer summary:
“The operator began deploying the ransomware payload across the victim’s network using PsExec running as SYSTEM.”
None of these individual steps is novel. The compression is the story — web shell to full-network encryption inside a day, with off-the-shelf tools every step of the way.
The binary
Rust. AES-128 file keys wrapped with an ECDH P-256 public key — the private half stays with the operator, which means recovery without paying is not a matter of clever crypto work.
Intermittent encryption for files larger than 5MB. The same trade-off other recent Rust-family lockers have made: encrypting chunks rather than whole files cuts time-to-completion, which is exactly what a sub-24-hour operator is optimizing for.
A ransom note — RECOVERY_SECTION.log — is dropped on C:\, threatening data exposure inside six days. Symantec does not identify a Tor mirror or a public leak site in the published summary. Confidence: as-reported.
What is not confirmed
- Affiliate structure or RaaS ties. Symantec does not attribute Spirals to any of the established crews recently indicted or sanctioned — this is not, on the current evidence, a rebrand of the LockBit / BlackSuit / Play cluster named in last week’s Media Land indictment or of the Ryuk operator who pled guilty in Portland earlier this month. But absence of attribution is not absence of a link. Unconfirmed.
- Number of additional victims. One engagement in the writeup; whether Spirals has hit anyone else is not stated.
- Whether the IIS entry point is a specific unpatched CVE or a configuration failure. Not disclosed.
- IoCs — hashes, C2 IPs, revsocks/Chisel endpoints. The Symantec Threat Hunter Team’s full technical writeup is the source to check for indicators; this piece does not reproduce them.
What this argues on the defensive side
Nothing structural. Spirals is a competent operator running a compressed timetable with off-the-shelf tools. What it argues, one more time:
- Internet-facing IIS with a writable path is a straight line to SYSTEM. If IIS lives on the perimeter, treat the ASP.NET runtime and its upload paths as adversary reach.
- PsExec service-installs and WMI process-create from non-admin workstations remain the deployment pattern. Living-off-the-land survives most EDR baselines once the operator has SYSTEM. Alerting on both event classes is not new advice; the Spirals timeline argues it is still not widely deployed.
- A PowerShell script that disables Microsoft Defender on multiple hosts inside minutes is the incident, not a symptom. If it fires, the encryption step is already in the queue.
Sources
- Symantec Threat Hunter Team, via BleepingComputer: New Spirals ransomware encrypts victim network in under 24 hours — July 16, 2026.
Confidence on the mechanics quoted above: as-reported. Attribution and second-victim status: unconfirmed — treat accordingly.
Found this useful? Share it.


