Symantec’s Threat Hunter Team documented a new ransomware family called Spirals that went from initial access to data theft and encryption in under 24 hours. Before encrypting, the operator stopped services belonging to 23 backup, database and virtualization products. Symantec has seen one case so far and says it is unclear whether Spirals is built for wider use.
Juan Ricardo Palacio
Co-Founder and CEO for the Americas, HelpRansomware
Electronic engineer and Co-Founder of HelpRansomware, with 25+ years in cybersecurity, digital forensics and ransomware incident response.
A ransomware operator does not need weeks inside a network. In a case documented by Symantec, one needed less than a day.
Researchers at Symantec’s Threat Hunter Team report that a new actor called Spirals breached an IT services firm in South Asia in June 2026, stole data and encrypted the network in under 24 hours. Entry was an Internet Information Services server exposed on the public web. Before the encryption stage, a PowerShell payload disabled Microsoft Defender and stopped services tied to 23 backup, database and virtualization products, including Veeam, VMware, Hyper-V, SQL Server, Oracle and PostgreSQL. Symantec has observed Spirals in a single case so far.
Your backup service is part of the attack surface
Spirals did not fail to beat the backups: it switched them off. A PowerShell payload stopped services for 23 backup, database and virtualization products before any file was encrypted. A backup that can be stopped with domain credentials is not a recovery guarantee.
What Symantec documented
The reported intrusión chain, according to the Threat Hunter Team research:
- Initial access through an Internet Information Services server published to the internet, followed by an ASP.NET web shell.
- User Account Control bypass, Remote Desktop enabled and a local account created for persistence.
- SAM registry hive and LSASS process memory dumped in an attempt to extract credentials.
- WMI used to move laterally to more than a dozen systems, with revsocks, Chisel and Cloudflare tunnels as redundant remote access.
The numbers of the Spirals case
All figures come from the Symantec Threat Hunter Team analysis of a single intrusión at an IT services firm in South Asia in June 2026. Symantec notes it has seen Spirals in one case only, so it is not yet clear whether the family is intended for broader cybercrime deployment or was a custom payload built for this specific attack.
How the payload hid in plain sight
The operator began deploying the ransomware payload across the victim’s network using PsExec running as SYSTEM. The payload was named bitsadmin.exe, likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service.
A 24 hour intrusión, step by step
Speed is the defining feature of this case. The compression of the whole chain into a single day removes the response window that many playbooks assume. For the wider pattern, see how a ransomware attack usually unfolds. What follows is the sequence as described by Symantec. For the wider pattern, see how a ransomware attack usually unfolds.
Where the time went
The Spirals case in four numbers
Symantec Threat Hunter Team, June 2026 intrusión
What defends against this pattern
The countermeasures below map to the specific steps Symantec observed, rather than to ransomware in general. Each one closes a gap this operator actually used.
| Control | Why it matters against Spirals | Gap it closes |
|---|---|---|
| Immutable or offline backup | The operator stopped services for 23 backup and database products | Backups reachable with domain credentials |
| Internet facing asset inventory | Entry was an IIS server published to the web | Exposed services nobody is tracking |
| EDR tamper protection | A PowerShell payload disabled Defender and removed its definitions | Security tooling that can be switched off |
| Egress and tunnel monitoring | revsocks, Chisel and Cloudflare tunnels gave redundant access | Outbound channels that look legitimate |
What goes wrong when the chain is this fast
Most recovery plans assume time to notice, escalate and contain. A sub 24 hour chain removes that assumption. These are the failure modes the Spirals case exposes.
- ⛔ Treating backup as a recovery guarantee when the backup service can be stopped from the same network.
- ⛔ Relying on endpoint detection alone, when the operator disables Defender and removes its definitions before encrypting.
- ⛔ Planning for a response window of days, when the whole intrusión closed in under 24 hours.
- ⛔ Leaving an internet facing server published without knowing it is there.
- ⛔ Focusing on restoring files and forgetting the data theft stage, which still triggers notification duties.
Restoring files does not undo the data theft
Spirals exfiltrated data before encrypting and set a six day deadline for public exposure. Even a clean restore from backup leaves the stolen copy in the operator’s hands, with the legal and reputational duties that follow. Treat the theft as certain and plan the notification path alongside the technical one.
What to do this week
None of the following requires a new budget line. They are the specific gaps this intrusión used, in the order that reduces exposure fastest. For the full checklist, see our guide on preventing a ransomware attack.
- ✅ Keep at least one backup copy immutable or offline, outside the reach of domain credentials.
- ✅ Inventory every internet facing service and remove or patch what does not need to be published.
- ✅ Enable tamper protection so endpoint security cannot be disabled from a compromised host.
- ✅ Alert on PsExec, bitsadmin and WMI process creation seen across multiple hosts in a short window.
- ✅ Watch for tunnelling utilities such as revsocks and Chisel, and for unexpected Cloudflare tunnels.
- ✅ Rehearse a restore against the assumption that the backup server is already compromised.
Symantec published the indicators
The Symantec report includes network indicators and file hashes from the documented Spirals attack, so defenders can hunt for the pattern before it reaches the encryption stage. If you are responding to an active incident, preserve the ransom note and one encrypted sample before reimaging anything: it is the starting point for recovering encrypted files. It is also the starting point for recovering encrypted files.
Sources
Juan Ricardo Palacio
Co-Founder and CEO for the Americas, HelpRansomware
Juan Ricardo Palacio is an electronic engineer, entrepreneur, and specialist in telecommunications, cybersecurity, and digital forensics, with more than 25 years of professional experience. As Co-Founder of HelpRansomware, he works across cyber resilience, ransomware incident response, data recovery, cryptography, and reverse engineering, supporting companies and organizations through high-impact cyber incidents.
📰 Featured and quoted in Forbes Georgia, Business Insider Africa, LA Weekly, and Il Sole 24 Ore.
📅 Last updated: 16 July 2026


