2 min read

Spirals ransomware hit a network in under 24 hours

Symantec says the new Spirals ransomware went from initial access to encryption in less than 24 hours after breaching an IIS server.

Image: BleepingComputer

A newly identified ransomware actor called Spirals moved from initial access to data theft and full encryption of a corporate network in less than 24 hours, according to Symantec’s Threat Hunter Team.

The attack took place in June and hit an IT services firm in South Asia after the attackers compromised an Internet Information Services (IIS) server exposed to the public internet. Symantec says the intruder quickly uploaded an ASP.NET web shell, then bypassed User Account Control (UAC), enabled Remote Desktop, and created a local account to maintain access.

From there, the operator dumped the SAM registry hive and LSASS process memory to try to harvest credentials. Investigators also say the attacker attempted to remove security software, used WMI to move laterally across more than a dozen systems, and set up multiple backup access paths through revsocks, Chisel, and Cloudflare tunnels.

A PowerShell payload then disabled Microsoft Defender, removed its threat definitions, and stopped services tied to 23 backup, database, and virtualization products, including Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL. Symantec says the ransomware payload, named bitsadmin.exe, was deployed less than a day after the initial compromise.

“The operator began deploying the ransomware payload across the victim’s network using PsExec running as SYSTEM.” “The payload was named bitsadmin.exe, likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service, encrypting files on impacted machines.”

Symantec researchers

Spirals is a Rust-based ransomware family that uses AES-128 keys protected by an attacker-controlled ECDH P-256 public key. For files larger than 5MB, it uses intermittent encryption to speed up the process. It drops a ransom note named RECOVERY_SECTION.log on the C:\ drive and warns victims that stolen data will be exposed publicly within six days if payment is not made.

Recommended reading

CISA gives feds until Saturday to patch Oracle EBS flaw

Symantec says it has observed Spirals in only one case so far, leaving open whether this is the start of a broader operation or a custom-built payload for this specific intrusion. The company has published network indicators and file hashes tied to the attack to help defenders block the group.

Article image
Article image
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading