CyberSecurityNews

New Spirals Ransomware Uses IIS Web Shell and PsExec to Encrypt IT Firm in Under 24 Hours


A previously unseen ransomware family dubbed “Spirals” struck an IT services company in South Asia in June 2026. Symantec’s Threat Hunter Team reports that the attackers moved from the initial breach to full network encryption in under 24 hours.

The Rust-based payload appears to be either entirely new or purpose-built for this single targeted attack, and the threat actor behind the operation remains unidentified.

Spirals Ransomware Uses IIS Web Shell and PsExec

The intrusion began on June 16 at 22:21 local time when the attackers compromised an internet-facing IIS web server and uploaded an ASP.NET web shell.

Within minutes, they deployed three separate tunneling tools, including Chisel (disguised as chrome.exe) and a Cloudflare tunnel client establishing redundant, covert communication channels. A token impersonation tool followed shortly after, which likely enabled privilege escalation.

During a concentrated three-hour hands-on-keyboard session, the operator spawned cmd.exe and powershell.exe through the IIS worker process, performed a User Account Control (UAC) bypass, enabled Remote Desktop Protocol (RDP), created a persistent local account, and dumped the SAM hive. By 23:07, initial precursor activity showed active attempts to disable security tools.

As detailed in the Spirals ransomware report, the attackers pivoted to WMI-based lateral movement at 23:33.

They successfully hit over a dozen machines within minutes using compromised domain administrator credentials a rapid cadence strongly suggesting automated, pre-planned targeting rather than manual exploration.

On June 17, the attackers shifted their tactics to using PsExec as their primary mass deployment vector. Starting around 14:12, a single compromised host pushed an identical base64-encoded PowerShell payload to network targets every few seconds for roughly 30 minutes.

Managing compromised administrative tools inside a network mirrors the persistent perimeter struggles defenders face when managing SharePoint flaws exploited by opportunistic actors.

This automated payload immediately disabled Windows Defender’s real-time monitoring and forcibly stopped over 20 critical backup, database, and virtualization services, including Veeam, VMware, SQL Server, and Exchange, effectively clearing open file handles ahead of encryption.

The ransomware executable itself was named bitsadmin.exe to masquerade as a legitimate Windows utility. It was staged across multiple network locations, including the SYSVOL domain scripts directory, ensuring automated propagation even to machines not directly targeted by the PsExec script.

This staging technique underscores why enterprise groups must audit internal script shares, much like they audit systems against archiving tool exploits that drop disguised binaries into legitimate directory trees.

Spirals functions as a full-featured, Rust-based encryptor built with defense evasion, automated lateral movement, process termination, and privilege escalation capabilities.

Cryptographic ComponentImplementation SpecificationTarget Objective
Symmetric KeyPer-file AES-128Secures the raw block data of targeted files
Asymmetric WrapperAttacker-controlled ECDH P-256 public keyProtects the local AES keys from decryption
Optimization TrickIntermittent encryption of jittered chunksSpeeds up the locking cycle for files over 5 MB

The ransomware leaves a local footprint to force negotiation:

The ransom note is dropped across the system as C:RECOVERY_SECTION.log. It threatens the public leak of stolen corporate data within six days if the target fails to pay. The note directs victims to a Tor negotiation portal, which Symantec confirmed explicitly names the threat family as “Spirals”.

While Spirals has only been observed against a single victim so far, its operational discipline signals a highly skilled actor capable of rapidly scaling attacks.

The combination of layered tunneling infrastructure, credential harvesting via LSASS dumps (using rundll32.exe and comsvcs.dll), and domain-wide propagation via SYSVOL requires an immediate defensive response.

Symantec’s indicator list includes dedicated staging infrastructure hosted at 185.141.216.194 alongside two compromised domains used for hosting malicious payloads.

Organizations running internet-facing IIS servers should enforce the following priorities:

  • Web Shell Detection: Actively monitor internet-facing web servers for unauthenticated ASP.NET file modifications or sudden process creations originating from IIS worker loops.
  • Behavioral Auditing: Set immediate alerts on anomalous WMI and PsExec activity executing rapid, sequential connection attempts across internal zones.
  • Credential Protection: Harden endpoints against LSASS memory dumping tools and tightly restrict domain administrator account usage on non-domain controllers.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.



Source link