Under 24 Hours: What the Spirals Ransomware Case Teaches Us About Speed
At 22:21 on 16 June 2026, an internet-facing IIS server accepted a single web shell. Less than 24 hours later, the entire network was encrypted, the backups were dead, and a six-day countdown to a data leak had already started.
No zero-day. No novel malware breakthrough. Just a fast, disciplined operator walking through doors that were already open.
Symantec’s threat intelligence team identified the group as Spirals. Although only one confirmed case has been documented, the techniques used should concern anyone who still measures ransomware dwell time in weeks. In this instance, the attack progressed within hours.
What happened
The victim was an IT services firm in South Asia. The attacker gained access through an internet-exposed IIS web server by uploading an ASP.NET web shell. They then operated directly through the IIS worker process, without relying on phishing, malware attachments, or user interaction.
The interactive session that followed lasted roughly three hours. In that window, the operator established persistence, harvested credentials, disabled defences and moved laterally across the estate. Encryption followed within the same 24-hour period, closing with a double-extortion demand: pay, or the stolen data will be published in six days.
The whole intrusion is a masterclass in economy. Every action served the two goals that matter to a ransomware operator — get domain-wide reach and make recovery impossible.
The kill chain, mapped to Microsoft controls
The reason this case is worth your time is not that the tooling was exotic — it wasn’t. It’s that almost every step maps cleanly to a Microsoft control most organisations already license but haven’t switched on.
| Attacker move | What they did | Where you catch or stop it |
|---|---|---|
| Initial access | Exposed IIS + ASP.NET web shell | Defender for Endpoint web shell detection; Attack Surface Reduction |
| Privilege escalation | UAC bypass, enabled RDP, created a local account | ASR rules; MDE alerts on RDP enablement and local admin creation |
| Credential theft | SAM hive dump; LSASS via rundll32.exe + comsvcs.dll |
Credential Guard; ASR rule “Block credential stealing from lsass.exe” |
| C2 / tunnelling | revsocks on port 443, renamed Cloudflare tunnel binary, Chisel | Egress filtering; Defender for Cloud Apps; anomalous outbound on 443 |
| Lateral movement | WMI to 12+ hosts using an abused domain admin account | Tiered admin model; WMI activity hunting; Entra ID Protection |
| Defence evasion | PowerShell disabled Defender and wiped its definitions | Tamper Protection |
| Backup destruction | Killed 23 backup and database services (Veeam, VMware, Hyper-V, SQL Server, Oracle, PostgreSQL) | Immutable / offline backups; service-stop alerting |
| Encryption | Rust payload, per-file AES-128 wrapped with ECDH P-256, intermittent encryption above 5 MB, deployed via PsExec as SYSTEM masquerading as bitsadmin.exe |
Masquerading detection; PsExec-as-SYSTEM hunting |
Review the table and note that few elements are new. The AES-128 / ECDH P-256 encryption scheme is standard. Intermittent encryption above 5 MB is a speed optimization rather than a cryptographic innovation. The operator’s discipline, rather than their toolkit, was the distinguishing factor.
The three things that actually mattered
Strip away the detail and three failures made this attack possible. Fix these three and Spirals stalls.
-
The front door was open. An exposed IIS server is the entire premise of the intrusion. There is no attack without it. Attack surface reduction beats detection every time, you cannot be popped through a service that isn’t reachable. Enumerate what you have facing the internet and ask, for each one, whether it truly needs to be there.
-
Tamper Protection wasn’t enforced. A single PowerShell payload switched Defender off and removed its threat definitions. Tamper Protection exists precisely to stop a compromised account from doing that, and enforcing it centrally should be the goal. If it isnt set locally thats a risk, assume it can be undone.
-
The backups were online and reachable. Twenty-three backup, database and virtualisation vendors were searched and were terminated in minutes, by the same privileged account the attacker had already stolen. If your backups can be stopped by a compromised admin, you do not have backups, you have a copy that dies with everything else. Immutable and offline recovery points are the difference between a bad week and an existential one.
Your 30-minute checklist
You do not need a dedicated project to address these issues. Set aside thirty minutes this week to review and complete the checklist.
- Enumerate every internet-facing IIS and web server. For each, confirm it genuinely needs to be exposed.
- Confirm Defender Tamper Protection is enforced centrally, not set locally.
- Enable the key ASR rules: block credential theft from LSASS, block web shell creation, and audit/block PsExec and WMI process creation.
- Verify backups are immutable or offline, and that a compromised domain admin account cannot stop or delete them.
- Hunt for the tell-tale steps: RDP enablement, new local accounts, and LSASS dumps via
comsvcs.dll.
The takeaway
Dwell time isn’t measured in weeks any more; it’s measured in hours, and nobody sent a memo. Your detection budget shrank while your surface area stayed the same.
The good news is that the posture that currently stops Spirals is the posture that stops everything fast-moving: reduce your attack surface, harden identity, and protect your backups so they survive if an account gets compromised. None of it is exotic. Most of it, you already own.
A note on the indicators: Symantec has confirmed only a single Spirals case to date, so treat this as a warning shot case study rather than evidence of a widespread campaign. The behavioural weaknesses it exposes are what matter, the next fast operator will arrive under a different name.
Next: turn this into detections.
Knowing the kill chain is half the job. The other half is having the tripwires in place before the next operator shows up.
Sources: Symantec Threat Intelligence — Spirals ransomware · BleepingComputer.