A previously unknown ransomware strain called Spirals was used in an attack against an IT services company in South Asia, where attackers went from initial access to data theft and network-wide encryption in less than 24 hours, according to Symantec’s Threat Hunter Team.
Written in Rust, Spirals encrypts files using a separate AES-128 key per file, each wrapped with an attacker-controlled ECDH P-256 public key. Files larger than 5 MB are encrypted in chunks for speed. Victims receive a ransom note directing them to a Tor negotiation site with a threat to leak stolen data within six days if no payment is made.
The attackers gained initial access by compromising an internet-facing IIS web server and uploading an ASP.NET web shell. They escalated privileges using a User Account Control bypass, enabled Remote Desktop Protocol, and created a local account for persistent access. Credential harvesting included dumping the Security Account Manager hive and LSASS process memory across multiple machines.
“While we have so far only seen this ransomware on one victim network, its capabilities and stealth point to the actors behind it being skilled operators who could easily launch more wide-ranging campaigns,” Symantec warned. The company has shared indicators of compromise for organizations to check their environments.

