Spirals ransomware: from access to encryption in under 24 hours

AI Overview

Symantec’s Threat Hunter Team documented a new ransomware family called Spirals that went from initial access to data theft and encryption in under 24 hours. Before encrypting, the operator stopped services belonging to 23 backup, database and virtualization products. Symantec has seen one case so far and says it is unclear whether Spirals is built for wider use.

Juan Ricardo Palacio, Co-Founder of HelpRansomware

Juan Ricardo Palacio

Co-Founder and CEO for the Americas, HelpRansomware

Electronic engineer and Co-Founder of HelpRansomware, with 25+ years in cybersecurity, digital forensics and ransomware incident response.

A ransomware operator does not need weeks inside a network. In a case documented by Symantec, one needed less than a day.

Researchers at Symantec’s Threat Hunter Team report that a new actor called Spirals breached an IT services firm in South Asia in June 2026, stole data and encrypted the network in under 24 hours. Entry was an Internet Information Services server exposed on the public web. Before the encryption stage, a PowerShell payload disabled Microsoft Defender and stopped services tied to 23 backup, database and virtualization products, including Veeam, VMware, Hyper-V, SQL Server, Oracle and PostgreSQL. Symantec has observed Spirals in a single case so far.

Your backup service is part of the attack surface

Spirals did not fail to beat the backups: it switched them off. A PowerShell payload stopped services for 23 backup, database and virtualization products before any file was encrypted. A backup that can be stopped with domain credentials is not a recovery guarantee.

What Symantec documented

The reported intrusión chain, according to the Threat Hunter Team research:

  • Initial access through an Internet Information Services server published to the internet, followed by an ASP.NET web shell.
  • User Account Control bypass, Remote Desktop enabled and a local account created for persistence.
  • SAM registry hive and LSASS process memory dumped in an attempt to extract credentials.
  • WMI used to move laterally to more than a dozen systems, with revsocks, Chisel and Cloudflare tunnels as redundant remote access.

The numbers of the Spirals case

24
hours from initial access to encryption
23
backup, database and virtualization products stopped
12+
systems reached through WMI lateral movement
6
days before threatened data exposure

All figures come from the Symantec Threat Hunter Team analysis of a single intrusión at an IT services firm in South Asia in June 2026. Symantec notes it has seen Spirals in one case only, so it is not yet clear whether the family is intended for broader cybercrime deployment or was a custom payload built for this specific attack.

How the payload hid in plain sight

The operator began deploying the ransomware payload across the victim’s network using PsExec running as SYSTEM. The payload was named bitsadmin.exe, likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service.

Symantec Threat Hunter Team

A 24 hour intrusión, step by step

Speed is the defining feature of this case. The compression of the whole chain into a single day removes the response window that many playbooks assume. For the wider pattern, see how a ransomware attack usually unfolds. What follows is the sequence as described by Symantec. For the wider pattern, see how a ransomware attack usually unfolds.

Hour 0
An Internet Information Services server exposed on the public web is compromised and an ASP.NET web shell is uploaded.
Early hours
The operator bypasses User Account Control, enables Remote Desktop and creates a local account, then dumps the SAM hive and LSASS memory for credentials.
Mid intrusión
WMI is used to move laterally to more than a dozen systems, while revsocks, Chisel and Cloudflare tunnels provide redundant remote access.
Before encryption
A PowerShell payload disables Microsoft Defender, removes its threat definitions and stops services for 23 backup, database and virtualization products.
Under 24 hours
PsExec deploys the payload as SYSTEM under the name bitsadmin.exe, files are encrypted and a six day exposure deadline is set.

Where the time went

The Spirals case in four numbers

Symantec Threat Hunter Team, June 2026 intrusión

Bar chart showing 24 hours to encryption, 23 services stopped, 12 systems reached via WMI and a 6 day exposure deadline in the Spirals case.

📊 Read it this way: every figure comes from one intrusion documented by Symantec, not from a campaign. The speed, not the volume, is the finding.

What defends against this pattern

The countermeasures below map to the specific steps Symantec observed, rather than to ransomware in general. Each one closes a gap this operator actually used.

Control Why it matters against Spirals Gap it closes
Immutable or offline backup The operator stopped services for 23 backup and database products Backups reachable with domain credentials
Internet facing asset inventory Entry was an IIS server published to the web Exposed services nobody is tracking
EDR tamper protection A PowerShell payload disabled Defender and removed its definitions Security tooling that can be switched off
Egress and tunnel monitoring revsocks, Chisel and Cloudflare tunnels gave redundant access Outbound channels that look legitimate

What goes wrong when the chain is this fast

Most recovery plans assume time to notice, escalate and contain. A sub 24 hour chain removes that assumption. These are the failure modes the Spirals case exposes.

  • ⛔ Treating backup as a recovery guarantee when the backup service can be stopped from the same network.
  • ⛔ Relying on endpoint detection alone, when the operator disables Defender and removes its definitions before encrypting.
  • ⛔ Planning for a response window of days, when the whole intrusión closed in under 24 hours.
  • ⛔ Leaving an internet facing server published without knowing it is there.
  • ⛔ Focusing on restoring files and forgetting the data theft stage, which still triggers notification duties.

Restoring files does not undo the data theft

Spirals exfiltrated data before encrypting and set a six day deadline for public exposure. Even a clean restore from backup leaves the stolen copy in the operator’s hands, with the legal and reputational duties that follow. Treat the theft as certain and plan the notification path alongside the technical one.

What to do this week

None of the following requires a new budget line. They are the specific gaps this intrusión used, in the order that reduces exposure fastest. For the full checklist, see our guide on preventing a ransomware attack.

  • ✅ Keep at least one backup copy immutable or offline, outside the reach of domain credentials.
  • ✅ Inventory every internet facing service and remove or patch what does not need to be published.
  • ✅ Enable tamper protection so endpoint security cannot be disabled from a compromised host.
  • ✅ Alert on PsExec, bitsadmin and WMI process creation seen across multiple hosts in a short window.
  • ✅ Watch for tunnelling utilities such as revsocks and Chisel, and for unexpected Cloudflare tunnels.
  • ✅ Rehearse a restore against the assumption that the backup server is already compromised.

Symantec published the indicators

The Symantec report includes network indicators and file hashes from the documented Spirals attack, so defenders can hunt for the pattern before it reaches the encryption stage. If you are responding to an active incident, preserve the ransom note and one encrypted sample before reimaging anything: it is the starting point for recovering encrypted files. It is also the starting point for recovering encrypted files.


Sources

Juan Ricardo Palacio, Co-Founder of HelpRansomware

Juan Ricardo Palacio

Co-Founder and CEO for the Americas, HelpRansomware

Juan Ricardo Palacio is an electronic engineer, entrepreneur, and specialist in telecommunications, cybersecurity, and digital forensics, with more than 25 years of professional experience. As Co-Founder of HelpRansomware, he works across cyber resilience, ransomware incident response, data recovery, cryptography, and reverse engineering, supporting companies and organizations through high-impact cyber incidents.

📰 Featured and quoted in Forbes Georgia, Business Insider Africa, LA Weekly, and Il Sole 24 Ore.

📅 Last updated: 16 July 2026

Leave a Comment

Your email address will not be published. Required fields are marked *