Researchers have uncovered a previously unseen ransomware family dubbed Spirals after it was used in a double extortion attack against an IT services company in South Asia, completing the intrusion from initial access to enterprise-wide encryption in less than 24 hours.
According to researchers with Broadcom’s Symantec Threat Hunter Team, the attack began after threat actors compromised an internet-facing Internet Information Services (IIS) web server and deployed an ASP.NET web shell. Over the following hours, the attackers established persistence, harvested credentials, moved laterally across the network, and ultimately deployed the ransomware payload.
Attack unfolded in less than a day
The first malicious activity was observed on June 16, 2026, when the attackers established multiple remote access channels and began an interactive intrusion lasting roughly three hours.
During that time, the operators bypassed User Account Control (UAC), enabled Remote Desktop Protocol (RDP), created a local account for persistence, enumerated users and network shares, and attempted to remove endpoint security software.
The attackers also dumped the Security Account Manager (SAM) registry hive and later extracted LSASS process memory from multiple systems in an effort to obtain additional credentials.
To maintain access, the operators deployed multiple tunneling tools, including revsocks, Chisel, and Cloudflare Tunnel, creating redundant communication channels throughout the compromised environment.
Lateral movement and encryption
Symantec observed the attackers using Windows Management Instrumentation (WMI) to move laterally to more than a dozen systems before switching to PsExec to deploy the ransomware across the network.
Before encryption began, a PowerShell payload disabled Microsoft Defender, removed Defender threat definitions, and terminated services associated with backup, virtualization, and database software. The targeted products included Veeam, VMware, Hyper-V, Microsoft SQL Server, Oracle, PostgreSQL, Exchange, Acronis, Commvault, and Veritas.
The ransomware payload was disguised as bitsadmin.exe, likely to resemble the legitimate Windows utility. Researchers also observed copies of the payload placed in multiple locations, including the Windows directory, domain scripts, network shares, and a user’s temporary folder to maximize deployment across the environment.
Rust-based ransomware
Spirals is written in Rust and uses per-file AES-128 encryption keys protected by an attacker-controlled ECDH P-256 public key. Files larger than 5 MB are encrypted intermittently to increase encryption speed while still rendering data inaccessible.
Once encryption completed, the ransomware created a ransom note named RECOVERY_SECTION.log on the C:\ drive. Victims are instructed to negotiate through a Tor-based portal and are warned that allegedly stolen data will be published within six days if a ransom is not paid.
Only one victim observed
At the time of publication, Symantec has only observed Spirals in a single incident, making it unclear whether the ransomware is intended for broader deployment or was developed specifically for the attack against the South Asian IT services provider.
Despite the limited number of observed victims, researchers say the operators demonstrated a high level of sophistication through their rapid execution, extensive use of redundant remote access tools, and coordinated efforts to disable security, backup, and database services before deploying the encryptor.
Broadcom’s Symantec Threat Hunter Team has published a detailed technical analysis of the intrusion, including indicators of compromise (IOCs), file hashes, and network indicators to help defenders detect Spirals activity. Read the full research: Spirals: New Stealthy Ransomware Deployed Against Asian IT Company.












