Published on July 17, 2026
Spirals Ransomware Conducts Rapid Double Extortion Attack Against South Asian IT Company
Severity
High
Detail
A newly identified ransomware family named Spirals was discovered after being deployed against an IT services company in South Asia in June 2026. The ransomware was identified by the Symantec Threat Hunter Team and is considered a previously unseen threat. The attack involved both data theft and network encryption, following a double extortion approach where attackers threatened to publish stolen information if the ransom demand was not fulfilled.
The Spirals ransomware payload was written in Rust and demonstrated advanced capabilities including file encryption, defense evasion, privilege escalation, process termination, obfuscation, and lateral movement. Investigators observed that the attackers progressed from initial compromise to ransomware deployment within less than 24 hours, showing a highly efficient attack operation.
How?
The attackers gained initial access by compromising an internet-facing IIS web server and uploading an ASP.NET web shell. Through the web shell, they executed commands using cmd.exe and PowerShell, allowing them to establish an interactive session within the victim environment.
The attackers then performed privilege escalation using a User Account Control (UAC) bypass, enabled Remote Desktop Protocol (RDP), and created a local account to maintain persistent access. They collected credential information by dumping the Security Account Manager (SAM) database and later extracted LSASS process memory during lateral movement activities.
To maintain covert access, the attackers deployed multiple tunneling and remote access tools, including reverse SOCKS proxy tools, Chisel, and Cloudflare Tunnel. They moved laterally through the environment using Windows Management Instrumentation (WMI) and PsExec before deploying the ransomware payload across multiple systems.
Before encryption, the attackers attempted to disable security controls, including Microsoft Defender, and stopped services related to backup, database, and virtualization products to maximize the impact of the attack. The ransomware payload was deployed using a file named bitsadmin.exe to disguise itself as a legitimate Windows utility.
Impact
The Spirals ransomware attack resulted in the encryption of files across the victim’s network and the theft of sensitive data. The attackers threatened to release stolen information after six days if the ransom demand was not paid.
The ransomware used a double extortion method by combining data encryption with the threat of public data exposure. Although only one victim has been identified, researchers stated that the capabilities and operational techniques demonstrated by the attackers indicate the possibility of future wider campaigns.
Conclusion
The Spirals ransomware incident highlights a fast-moving ransomware operation capable of compromising an environment, stealing data, and encrypting systems within a short timeframe. The attackers used multiple techniques, including web shell access, credential theft, defense evasion, remote access tools, and lateral movement to achieve their objectives. The discovery of Spirals indicates the continued evolution of ransomware threats and the ability of threat actors to conduct sophisticated attacks against organizations.
Source
https://www.security.com/threat-intelligence/ransomware-spirals-extortion
https://www.broadcom.com/support/security-center/protection-bulletin/spirals-new-stealthy-ransomware-deployed-against-asian-it-company
https://www.helpnetsecurity.com/2026/07/17/spirals-ransomware-south-asia/
