Spirals Ransomware Uses IIS Web Shell and PsExec for Rapid Encryption
Key Takeaways A new Rust-based ransomware, “Spirals,” rapidly encrypted an IT services company’s network in South Asia in June 2026. Attackers leveraged an IIS web shell for initial...
Key Takeaways
- A new Rust-based ransomware, “Spirals,” rapidly encrypted an IT services company’s network in South Asia in June 2026.
- Attackers leveraged an IIS web shell for initial access, then used tunneling tools, privilege escalation, and PsExec for widespread deployment.
- The ransomware, designed for speed and evasion, disables security software, terminates critical services, and encrypts files using AES-128 and ECDH P-256.
- The threat actor behind Spirals remains unknown, but their operational sophistication suggests a highly capable group.
Unseen Spirals Ransomware Unleashes Rapid Encryption Campaign
A previously undocumented ransomware strain, dubbed “Spirals,” executed a swift and devastating attack against an IT services firm in South Asia in June 2026. Security researchers at Symantec’s Threat Hunter Team reported that the threat actors progressed from initial network compromise to full system encryption in less than 24 hours.
Table Of Content
The ransomware payload, developed in Rust, appears to be either an entirely new creation or custom-built for this specific, targeted operation. The identity of the group behind the Spirals ransomware campaign has not yet been determined.
Spirals Leverages IIS Web Shell and PsExec for Mass Deployment
The intrusion commenced on June 16 at 22:21 local time, when the attackers breached an internet-exposed IIS web server. They swiftly uploaded an ASP.NET web shell, establishing their initial foothold.
Within minutes of gaining access, the attackers deployed three distinct tunneling tools, including Chisel (masquerading as chrome.exe) and a Cloudflare tunnel client. These tools created redundant, covert communication channels to maintain persistence. A token impersonation utility was then introduced, likely facilitating the escalation of privileges within the compromised network.
During an intense three-hour “hands-on-keyboard” session, the operator utilized the IIS worker process to spawn cmd.exe and powershell.exe. They performed a User Account Control (UAC) bypass, enabled Remote Desktop Protocol (RDP), established a persistent local account, and extracted the Security Account Manager (SAM) hive. By 23:07, initial activities indicated active efforts to disable security software.
As detailed in the Spirals ransomware report, the attackers shifted to WMI-based lateral movement at 23:33. They compromised over a dozen machines within minutes by leveraging stolen domain administrator credentials. This rapid pace strongly suggests an automated, pre-planned targeting strategy rather than manual exploration.
On June 17, the threat actors changed their primary method for mass deployment to PsExec. Beginning around 14:12, a single compromised host distributed an identical base64-encoded PowerShell payload to network targets every few seconds for approximately 30 minutes.
This automated payload immediately disabled Windows Defender’s real-time monitoring and forcefully terminated more than 20 critical backup, database, and virtualization services, including Veeam, VMware, SQL Server, and Exchange. This action effectively cleared open file handles, preparing the systems for encryption.
The ransomware executable itself was named bitsadmin.exe, a deliberate attempt to impersonate a legitimate Windows utility. It was strategically placed across multiple network locations, including the SYSVOL domain scripts directory, ensuring automated propagation even to machines not directly targeted by the PsExec script.
Spirals is a sophisticated, full-featured Rust-based encryptor. It incorporates capabilities for defense evasion, automated lateral movement, process termination, and privilege escalation.
| Cryptographic Component | Implementation Specification | Target Objective |
| Symmetric Key | Per-file AES-128 | Secures the raw block data of targeted files |
| Asymmetric Wrapper | Attacker-controlled ECDH P-256 public key | Protects the local AES keys from decryption |
| Optimization Trick | Intermittent encryption of jittered chunks | Speeds up the locking cycle for files over 5 MB |
The ransomware leaves a local footprint to initiate ransom negotiations:
A ransom note is dropped across the system as C:RECOVERY_SECTION.log. This note threatens the public exposure of stolen corporate data within six days if the victim fails to pay. The note directs victims to a Tor negotiation portal, which Symantec confirmed explicitly identifies the threat family as “Spirals.”
While Spirals has only been observed in a single incident to date, its operational precision indicates a highly skilled actor capable of rapidly scaling attacks. The combination of layered tunneling infrastructure, credential harvesting via LSASS dumps (using rundll32.exe and comsvcs.dll), and domain-wide propagation via SYSVOL necessitates an immediate and robust defensive response.
Symantec’s indicators of compromise include dedicated staging infrastructure hosted at 185.141.216.194, along with two compromised domains used for hosting malicious payloads.
What You Should Do
- Web Shell Detection: Implement active monitoring for internet-facing web servers to detect unauthorized ASP.NET file modifications or unusual process creations originating from IIS worker processes.
- Behavioral Auditing: Configure immediate alerts for anomalous WMI and PsExec activity, particularly rapid, sequential connection attempts across internal network segments.
- Credential Protection: Harden endpoints against LSASS memory dumping tools and strictly limit the use of domain administrator accounts on machines other than domain controllers.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.