New Spirals Ransomware Launches Rapid Encryption Attack on Company Networks in 24 Hours

www.news4hackers.com-new-spirals-ransomware-launches-rapid-encryption-attack-on-company-networks-in-24-hours-new-spirals-ransomware-launches-rapid-encryption-attack-on-company-networks-in-24-hours

New Spirals ransomware executes full-scale breach within 24-hour window

Attack Vector and Initial Compromise

A previously unidentified ransomware group designated as Spirals executed a comprehensive cyberattack, completing the entire lifecycle from initial access to data exfiltration and encryption within a single day. The incident occurred in June and targeted an IT services company in South Asia following the exploitation of an Internet Information Services (IIS) server exposed to the public internet.

Malware Deployment and Lateral Movement

Security researchers from Symantec’s Threat Hunter Team identified the attack vector as an ASP.NET web shell uploaded to the compromised server after the threat actor gained entry. The attacker then bypassed User Account Control (UAC) mechanisms, activated Remote Desktop Protocol, and established a local administrative account to ensure ongoing access.

Credential Extraction and Security Disabling

Additionally, the malicious actor extracted credentials by dumping the SAM registry hive and memory from the LSASS process. The intruder attempted to neutralize endpoint security measures by disabling Microsoft Defender, removing its threat databases, and terminating processes linked to 23 critical systems including Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL.

Ransomware Execution and Encryption

This preparatory phase enabled the deployment of the ransomware payload, which was executed less than 24 hours after the initial compromise. The Spirals malware, developed using the Rust programming language, employs AES-128 encryption augmented by an attacker-controlled ECDH P-256 public key. It utilizes intermittent encryption for files exceeding 5MB to optimize speed.

Ransom Note and Deadline

A ransom note titled RECOVERY_SECTION.log was placed on the C:\\ drive, directing victims to contact the attackers for decryption instructions. The threat included a 6-day deadline for payment, with a warning of data exposure if demands were unmet.

Analysis and Detection

Symantec’s analysis confirmed the presence of Spirals in a single confirmed incident, leaving uncertainty about whether this represents a new cybercrime operation or a tailored attack against the specific IT services firm. The report includes network indicators and file hashes to assist organizations in detecting and mitigating potential threats from this group.

Network and Technical Details

The attack involved lateral movement across multiple systems via Windows Management Instrumentation (WMI), with the establishment of redundant remote access channels using tools such as revsocks, Chisel, and Cloudflare tunnels. The ransomware deployment utilized a PowerShell script to disable security protections and initiate encryption.

Malware Propagation

The payload, disguised as a legitimate Windows utility (bitsadmin.exe), leveraged PsExec with SYSTEM-level privileges to propagate across the network. Technical details reveal the ransomware’s ability to bypass standard security controls and its focus on critical infrastructure.

Recommendations for Enterprises

The incident underscores the urgency for enterprises to implement robust endpoint protection and proactive threat detection strategies. Organizations are advised to review network configurations, monitor for suspicious activity related to IIS servers, and ensure comprehensive backup solutions are in place to mitigate risks associated with ransomware attacks.

According to Symantec’s Threat Hunter Team, the Spirals ransomware represents a sophisticated threat requiring immediate attention from cybersecurity professionals.


Blog Image

About Author

en_USEnglish