Virtual Round Table · Jul 22

View the event
Spirals Ransomware Went From an Exposed IIS Server to Full Encryption in Under a Day
Cybersecurity

Spirals Ransomware Went From an Exposed IIS Server to Full Encryption in Under a Day

Symantec documents a new Rust-based crew that breached a South Asian IT firm through a public web server and encrypted the network in less than 24 hours, with hands-on-keyboard activity starting within three.

PublishedJuly 16, 2026
Read time6 min read
Share

A day is now enough time to lose the network

Symantec's Threat Hunter Team, part of Broadcom, has documented a new ransomware operator it tracks as Spirals, and the headline detail is speed. In a June intrusion against an IT services firm in South Asia, the attacker went from initial compromise to encrypting the network in less than 24 hours. Hands-on-keyboard activity began within roughly three hours of the first foothold. That tempo dismantles a defensive assumption many organizations still quietly rely on, that dwell time gives responders days or weeks to notice an intrusion and intervene before the encryption event.

The compression matters because most detection and response programs are calibrated for a slower adversary. Alert triage queues, on-call escalation paths, and the human decision loops around containment were designed in an era when attackers lingered. A sub-24-hour attack leaves no room for a Monday-morning review of weekend alerts. Spirals is a concrete example of a broader shift we have tracked all year, where operators streamline the path from access to impact and treat time as their primary weapon. If your mean time to respond is measured in days, an attacker measuring their operation in hours has already won before the meeting starts.

Initial access through a public web server

The entry point was an Internet Information Services web server exposed on the public internet. The attacker uploaded an ASP.NET web shell, which handed them interactive command execution on the host, and from there established a hands-on session within about three hours. Nothing about this vector is exotic. Internet-facing web servers running IIS remain one of the most common initial-access footholds in ransomware casework, and web shells are a decades-old technique precisely because they keep working against under-monitored perimeter systems.

That ordinariness is the lesson. The organizations most exposed to fast-moving crews like Spirals are not the ones facing novel zero-days. They are the ones with an aging internet-facing application, a web server that nobody owns anymore, or a public endpoint outside the reach of endpoint detection tooling. We would treat every internet-reachable IIS instance as a priority hardening target, confirm that endpoint detection and response actually covers those hosts, and hunt specifically for unexpected files and processes spawned by web server accounts. The web shell is the moment where a quiet reconnaissance scan becomes a live intruder, and it is the last easy place to stop this chain.

Living off legitimate tooling

Once inside, the Spirals operator relied heavily on legitimate and widely available tooling rather than bespoke malware. They bypassed User Account Control, enabled Remote Desktop, and created a local account for persistent access. A PowerShell payload disabled Microsoft Defender, and the attacker used WMI to move laterally to more than a dozen systems. Symantec noted that "the operator began deploying the ransomware payload across the victim's network using PsExec running as SYSTEM," a description that captures how thoroughly this campaign leaned on native administration methods.

For remote access and tunneling the operator deployed revsocks, Chisel renamed as chrome.exe, and a Cloudflare Tunnel client, building redundant channels back out of the environment. This living-off-the-land approach is deliberate. Tools like PsExec, WMI, and bitsadmin are trusted binaries that blend into normal administrative traffic, and open-source tunnelers are cheap to swap when one gets blocked. The defensive implication is that signature-based detection alone will miss this. Catching it requires behavioral monitoring that flags the sequence of actions, a web server account spawning PowerShell, Defender being disabled, PsExec fanning out as SYSTEM, rather than any single malicious file.

A modern encryption engine built in Rust

The payload itself reflects current ransomware engineering. Spirals is written in Rust, the language a growing number of crews have adopted for its performance and cross-platform reach. It generates per-file AES-128 keys and protects them with an attacker-controlled ECDH P-256 public key, a hybrid scheme that makes recovery without the operator's private key mathematically infeasible. For files larger than 5MB it uses intermittent encryption across jittered chunks, scrambling enough of each file to render it unusable while skipping portions to finish faster.

Intermittent encryption is the detail worth dwelling on. By encrypting only slices of large files, the ransomware dramatically cuts the time and disk activity needed to lock a network, which shrinks the window in which behavioral tooling might catch a mass-encryption event in progress. It is a direct optimization for the speed that defines this whole operation. The ransom note, dropped as RECOVERY_SECTION.log, points victims to a Tor negotiation portal. Everything about the build, from the language choice to the partial-encryption strategy, is tuned to complete the impact phase before defenders can react, which is consistent with the sub-24-hour timeline Symantec observed.

Double extortion on a six-day clock

Spirals runs the double-extortion model that has become standard practice. Before encrypting, the operator stole data, and the ransom demand threatens to publish it within six days unless the victim pays, with negotiations routed through a Tor portal. The six-day exposure window is a pressure tactic, engineered to force a decision before the target has fully scoped the breach or restored operations from backup. Data theft also means that even a flawless backup-and-restore recovery does not resolve the incident, because the stolen files remain a live disclosure and regulatory risk.

For enterprise leaders, that changes the calculus of resilience. Backups defeat the encryption half of the attack and do nothing for the extortion half, so the plan has to account for both. We would pressure-test the assumption that a strong recovery capability alone is sufficient, and make sure legal, communications, and regulatory notification workflows are rehearsed rather than improvised under a six-day countdown. The organizations that fare best against crews like Spirals are the ones that have already decided how they will handle stolen-data extortion before it happens, because the timeline the attacker sets leaves no space to figure it out live.

What defenders should take from this

Spirals is a single documented intrusion, and its value is as a representative data point rather than a unique threat. It confirms that the fast, hands-on, living-off-the-land ransomware playbook has matured to the point where a competent operator can own a network in a day using an exposed web server and mostly legitimate tools. The individual techniques are all known. Their combination and the speed of execution are what defenders need to internalize, because each of these steps is stoppable if it is seen in time.

The practical priorities follow directly from the attack chain. Reduce the internet-facing attack surface, especially forgotten IIS and web application servers, and make sure they are covered by endpoint detection. Deploy behavioral monitoring that alerts on the tell-tale sequence of UAC bypass, Defender tampering, and PsExec running as SYSTEM. Tighten local-account creation and RDP enablement so those events generate alerts rather than silence. And rehearse an incident response plan that assumes hours of warning, not days. Against an adversary optimized for speed, the defenders who win are the ones who have already compressed their own reaction time to match.

Tagged#news#security#cybersecurity#breach#cisa#ransomware#zero-day#supply-chain#ai-security#spirals#symantec#rust-ransomware#iis#web-shell#living-off-the-land#double-extortion#intermittent-encryption