Spirals Ransomware Strikes Fast: A Three-Hour Cyberattack That Turned a Small Entry Point Into a Full Network Disaster + Video

Listen to this Post

Featured ImageIntroduction: The New Era of High-Speed Ransomware Operations

Ransomware attacks are no longer slow, noisy operations where criminals spend weeks moving through networks before encryption begins. Modern ransomware groups are becoming faster, more disciplined, and more technically advanced. The discovery of the Spirals ransomware family highlights a dangerous evolution in cybercrime: attackers can compromise an exposed server, establish control, steal credentials, disable defenses, and encrypt an entire enterprise environment within hours.

In June 2026, security researchers from Symantec’s Threat Hunter Team uncovered a sophisticated double-extortion campaign targeting an IT services company in South Asia. The attackers used a Rust-based ransomware strain called Spirals, combining web server exploitation, credential theft, stealth tunneling, security evasion, and automated deployment techniques.

The attack demonstrates how a single vulnerable internet-facing system can become the gateway to a complete organizational compromise. The attackers did not rely on one weakness. Instead, they chained multiple techniques together, creating a highly efficient attack process designed to maximize damage before defenders could react.

Spirals Ransomware Attack Summary: From Web Server Breach to Full Encryption

The Spirals ransomware incident began when threat actors compromised an exposed Microsoft IIS web server belonging to the targeted organization. IIS servers are commonly used for hosting enterprise applications, websites, and internal services, making them attractive targets when improperly secured or outdated.

After gaining access, attackers uploaded an ASP.NET web shell to the server. This provided remote command execution capabilities through the IIS worker process, allowing them to operate inside the environment without immediately deploying traditional malware.

The attackers moved with remarkable speed. According to researchers, the entire hands-on-keyboard phase lasted approximately three hours. During this short period, they performed reconnaissance, created persistence mechanisms, escalated privileges, harvested credentials, disabled security protections, and prepared the environment for ransomware deployment.

This rapid timeline demonstrates a major shift in ransomware operations. Attackers are increasingly using automation, pre-built tools, and detailed playbooks to reduce the time between initial compromise and final impact.

Initial Access: Exploiting Microsoft IIS Web Infrastructure

The first stage of the attack focused on compromising an internet-facing Microsoft IIS web server.

The attackers used a vulnerable or exposed web application as the entry point and deployed an ASP.NET web shell. Web shells are lightweight malicious scripts that provide attackers with remote access to execute commands on compromised servers.

Once installed, the web shell allowed attackers to:

Execute Windows commands remotely.

Download additional tools.

Create persistence.

Explore internal network resources.

Prepare future ransomware deployment.

The use of legitimate Windows processes also helped attackers blend into normal system activity. Instead of immediately launching suspicious executables, they used built-in tools such as:

cmd.exe

PowerShell.exe

rundll32.exe

PsExec

This living-off-the-land approach makes detection significantly harder because these tools are commonly used by administrators.

Rapid Internal Reconnaissance and Privilege Escalation

After establishing access, the attackers immediately began mapping the environment.

They searched for:

User accounts.

Network shares.

Installed software.

Available systems.

Critical infrastructure components.

This information allowed them to identify valuable targets before launching encryption.

The attackers also bypassed User Account Control (UAC), enabled Remote Desktop Protocol (RDP), and created additional local accounts for persistence.

By enabling RDP, they created another remote access pathway. If their initial web shell was removed, they could potentially return through another access method.

The creation of new accounts is a common ransomware technique because it provides long-term access even after defenders remove obvious malware artifacts.

Credential Theft: Extracting the Keys to the Kingdom

Credential harvesting was one of the most important stages of the Spirals operation.

The attackers dumped the Windows Security Account Manager (SAM) database and stored it inside a password-protected archive.

The SAM database contains local account password hashes. Although modern Windows systems protect these credentials, attackers with sufficient privileges can extract them for offline cracking or further exploitation.

The attackers also used:

rundll32.exe comsvcs.dll MiniDump

to dump LSASS memory.

The Local Security Authority Subsystem Service (LSASS) manages authentication information in Windows. Dumping LSASS memory can expose:

Domain credentials.

Cached passwords.

Authentication tokens.

Privileged account information.

If attackers obtain administrator or domain-level credentials, they can move laterally across the entire network much faster.

Covert Access: Reverse Proxies and Tunneling Tools

To maintain hidden access, Spirals operators deployed multiple tunneling technologies.

Researchers identified:

revsocks reverse SOCKS proxy.

Chisel tunneling tool disguised as chrome.exe.

Cloudflare Tunnel client.

Using multiple communication channels provided redundancy.

If one connection was blocked, attackers could continue operating through another.

The disguise of Chisel as chrome.exe is particularly notable because attackers frequently rename malicious tools to resemble legitimate applications.

This technique attempts to avoid detection from administrators reviewing running processes.

Deep Analysis: Spirals Ransomware Technical Breakdown and Defensive Commands

Attack Chain Overview

The Spirals ransomware operation followed a classic but highly optimized ransomware lifecycle:

Initial compromise through IIS.

Web shell deployment.

Remote command execution.

Privilege escalation.

Credential theft.

Security disabling.

Lateral movement.

Backup destruction.

Mass ransomware execution.

Defender Investigation Commands

Identify suspicious IIS processes:

Get-Process w3wp | Select-Object Id,Path

The IIS worker process should be monitored for unusual child processes.

Check suspicious PowerShell execution:

Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational

Security teams should investigate encoded commands and unusual execution patterns.

Search for suspicious user accounts:

net user

Look for recently created accounts that do not match administrative activity.

Review active network connections:

netstat -ano

Unexpected outbound connections may reveal tunneling tools.

Detect suspicious scheduled persistence:

schtasks /query /fo LIST

Attackers often create scheduled tasks for continued access.

Investigate LSASS dumping attempts:

Get-WinEvent -FilterHashtable @{LogName='Security';ID=4656}

Events involving LSASS access should receive priority investigation.

Ransomware Defense Recommendations

Organizations should:

Patch internet-facing servers immediately.

Restrict IIS exposure.

Deploy application-layer firewalls.

Enable multi-factor authentication.

Monitor PowerShell activity.

Segment critical systems.

Protect backups from administrative compromise.

Use endpoint detection and response solutions.

Spirals Ransomware Disables Security Before Encryption

On June 17, attackers launched the final phase of their operation.

Using PsExec, they remotely executed a Base64-encoded PowerShell payload with SYSTEM privileges.

The script disabled Microsoft Defender protections, including:

Real-time monitoring.

Threat definitions.

IOAV protection.

The attackers then targeted services related to:

Backup platforms.

Databases.

Virtualization systems.

Enterprise applications.

The targeted services included:

Microsoft Exchange.

Hyper-V.

VMware.

Veeam.

Acronis.

Veritas.

Commvault.

SQL Server.

Oracle.

MySQL.

PostgreSQL.

SAP.

Sage.

Intuit.

Lotus Domino.

This strategy is designed to maximize destruction. By stopping backup and database services before encryption, attackers increase the chances that victims will have no immediate recovery option.

Mass Deployment: How Spirals Spread Across the Network

The ransomware deployment phase was highly automated.

One compromised system reportedly used PsExec to distribute the PowerShell payload to multiple remote machines every few seconds for approximately 30 minutes.

Targets included:

Domain controllers.

File servers.

Application servers.

Virtual machines.

Employee workstations.

This indicates that attackers had already completed significant Active Directory reconnaissance.

The objective was clear: compromise as many systems as possible before security teams could intervene.

Indicators of Compromise (IoCs)

Spirals Ransomware Binary

SHA256:

0f9574dc38e5c34a31153f0bcc603c6ec29cb3bf65c3d25380dbe86d42573141

Observed names:

bitsadmin.exe

vbr2116.exe

Reverse SOCKS Proxy Tool

SHA256:

4cab935d0ec400059a3fcdc95b6623efdd51a61dff401fba8d5da244cc2de649

Tool:

revsocks.exe

Organizations should investigate these indicators through controlled threat intelligence platforms such as SIEM systems, MISP, or malware analysis environments.

What Undercode Say:

The Spirals ransomware incident represents a dangerous new standard in cyberattacks.

Attackers are no longer interested in quietly maintaining access for months.

They are optimizing for speed.

The three-hour compromise timeline shows how quickly an exposed service can become a business-ending event.

Internet-facing servers remain one of the biggest risks for organizations.

A single vulnerable IIS application can provide attackers with the first step into a corporate network.

The use of Rust-based ransomware is also significant.

Rust malware is becoming increasingly popular because it offers attackers performance, cross-platform capabilities, and more difficulty for traditional security tools to analyze.

Credential theft remains the foundation of modern ransomware.

Once attackers obtain administrator credentials, encryption becomes only the final stage of a much larger attack.

The use of legitimate Windows tools makes detection more challenging.

PowerShell, rundll32, cmd, and PsExec are not malicious by themselves.

The problem occurs when attackers abuse them.

Security teams must focus less on individual tools and more on behavioral patterns.

A PowerShell command disabling Defender followed by remote service execution should immediately raise alerts.

The attack also highlights why backup protection is critical.

Many organizations believe backups alone guarantee recovery.

However, attackers now specifically target backup infrastructure before encryption.

Immutable backups and offline recovery strategies are becoming essential.

Network segmentation could have reduced the damage.

If critical servers were isolated, attackers would have faced more difficulty spreading ransomware.

Identity security is another major lesson.

Organizations should assume passwords can eventually be stolen.

Multi-factor authentication, privileged access management, and credential monitoring are necessary defenses.

The Spirals attack shows that ransomware groups operate like professional businesses.

They research targets.

They prepare infrastructure.

They test deployment methods.

They execute quickly.

The future of ransomware defense will depend on early detection rather than late-stage cleanup.

Organizations must identify attackers during reconnaissance, not after encryption begins.

✅ Confirmed: Spirals ransomware was used in a June 2026 double-extortion attack.
Security researchers documented the Rust-based ransomware family and linked it to an IT services organization in South Asia.

✅ Confirmed: Attackers used IIS web shells and Windows administration tools.
The attack involved ASP.NET web shell access, PowerShell, PsExec, credential dumping, and security evasion techniques consistent with modern ransomware operations.

❌ Not publicly confirmed: The identity of the ransomware group behind Spirals.
Researchers identified the malware family and techniques but did not attribute the attack to a specific criminal organization.

Prediction

(-1) Ransomware attacks similar to Spirals will likely increase as attackers continue improving automation and deployment speed.

(-1) Internet-facing enterprise systems will remain a primary target because they provide direct access into organizations.

(+1) Companies that adopt stronger identity security, network segmentation, and continuous monitoring will significantly reduce ransomware impact.

(+1) AI-powered detection systems may help defenders identify abnormal PowerShell activity and lateral movement faster.

(-1) Smaller businesses using exposed Microsoft services without dedicated security teams may face higher risks from similar attacks.

(+1) Threat intelligence sharing and automated detection feeds will become increasingly important for preventing fast-moving ransomware campaigns.

▶️ Related Video (72% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.facebook.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube