Symantec has documented a Spirals ransomware intrusion that moved from an internet-facing IIS server to network-wide encryption in less than 24 hours. The June 2026 attack affected one IT services company in South Asia, and there is no evidence yet of a mass campaign. The speed still matters: defenders who expose Windows web servers should look for the published payload hash, unexpected tunnel tools, credential dumping, and PsExec activity before encryption begins.
How the Spirals attack unfolded
The attackers first compromised a public IIS server and uploaded an ASP.NET web shell. The primary report does not identify the initial vulnerability, so teams should not assume that one specific IIS patch explains the intrusion. After entry, the operator created several access paths and moved across more than a dozen systems before deploying the encryptor.
| Stage | Confirmed activity |
|---|---|
| Initial access | An internet-facing IIS server ran an ASP.NET web shell. No specific CVE was named. |
| Persistence and remote access | The operator enabled RDP, created a local account, and deployed revsocks, Chisel, and a renamed Cloudflare Tunnel client. |
| Credential theft | The attack dumped the SAM registry hive and later used rundll32.exe with comsvcs.dll to obtain LSASS memory on multiple hosts. |
| Defense and recovery disruption | A PowerShell payload disabled Defender protections and stopped services associated with backup, database, mail, and virtualization products. |
| Network encryption | PsExec running as SYSTEM pushed the Rust-based encryptor, disguised as bitsadmin.exe, across the domain. |
The operator placed the payload in Windows, Desktop, SYSVOL, network-share, and Temp locations. Files over 5 MB were encrypted in intermittent chunks to increase speed. A note named C:\RECOVERY_SECTION.log threatened to publish stolen data after six days, making this a double-extortion incident rather than encryption alone.
Spirals ransomware indicators to verify
A familiar filename is not proof of infection. Windows includes a legitimate Microsoft-signed bitsadmin.exe; verify its signature, hash, parent process, creation time, and surrounding activity. The exact ransomware hash and the combination of tunneling, credential access, and rapid lateral movement are stronger evidence.
| Indicator | What it means |
|---|---|
0f9574dc38e5c34a31153f0bcc603c6ec29cb3bf65c3d25380dbe86d42573141 |
SHA-256 of the observed Spirals payload, seen as bitsadmin.exe and vbr2116.exe. |
C:\RECOVERY_SECTION.log |
Ransom note written to the system drive after encryption. |
4cab935d0ec400059a3fcdc95b6623efdd51a61dff401fba8d5da244cc2de649 |
SHA-256 of the observed revsocks.exe reverse proxy. |
7f0d49b11d0a3697685622ce510c570199bf2dc76515b3f9a6b6735de8c9134b |
SHA-256 of the observed tunn.exe tool. |
185.141.216[.]194 |
External address used to stage tools and maintain attacker access. |
computer.kplus[.]com and beta.padmin[.]com |
Defanged staging domains reported in the incident. |
Who needs to act
The confirmed victim was an organization with a public IIS server and a Windows domain. Home users are not known to be targeted by a broad Spirals campaign. Organizations should prioritize a hunt when IIS spawns unexpected cmd.exe or powershell.exe, new accounts or RDP access appear, tunnel binaries run from web or Tasks folders, or WMI and PsExec suddenly fan out across many systems.
Do not wait for the ransom note if precursor evidence appears. The observed operator had already stolen credential material and established redundant remote-access channels before encryption, so deleting only the final payload would not restore trust.
What to do now
- Isolate affected servers and segments. Remove them from production, VPN, shared storage, and management networks. If encryption is active, contain the spread first.
- Preserve evidence. Collect IIS, Windows Security, PowerShell, Defender, RDP, WMI, PsExec, firewall, proxy, and EDR records. Image critical hosts before deleting tools when incident-response staff can do so safely.
- Rotate exposed credentials from a clean system. Reset domain-admin, service, backup, and other accounts used on compromised hosts; invalidate active sessions and review newly created local accounts.
- Hunt laterally. Search for the published hashes, the defanged infrastructure,
RECOVERY_SECTION.log, unexpected tunnel clients,rundll32.exe comsvcs.dllcredential dumping, and PsExec deployment from a single host. - Protect recovery systems. Disconnect backup repositories from compromised credentials, verify immutable or offline copies, and restore only into a clean, segmented environment.
- Treat data theft separately. File decryption or endpoint cleanup cannot undo stolen credentials or files. Involve the incident-response owner, legal counsel, insurer, and relevant authorities as required.
For an isolated unmanaged Windows workstation where a suspicious executable ran, a structured post-malware Windows audit can help map persistence and account risk. A full Gridinsoft Anti-Malware scan can identify related endpoint artifacts, but it cannot decrypt Spirals files or prove that the wider network is clean.
What the report does not prove
- Only one victim network is confirmed; a large Spirals campaign has not been established.
- The report does not name the IIS weakness used for initial access.
- The filename
bitsadmin.exealone is not malicious evidence. - No public decryptor or guaranteed recovery method is documented.
The case is closer to a fast hands-on-keyboard network intrusion than a consumer ransomware download. For comparison, GigaWiper can shift from surveillance to wiping or fake ransomware, while Spirals used credential theft, lateral movement, and service disruption to prepare a coordinated encryption event.
References
- Bill Toulas. “New Spirals ransomware encrypts victim network in under 24 hours.” BleepingComputer, July 16, 2026; reporting on the Symantec Threat Hunter Team analysis. incident report summary.
- Cybersecurity and Infrastructure Security Agency. “#StopRansomware Guide.” CISA, accessed July 16, 2026. ransomware response guidance.

