Full Report
Attack using previously unseen ransomware payload occurred in June 2026. The skill of its operators suggests wider campaigns may follow.
Analysis Summary
# Incident Report: Spirals Ransomware Attack on South Asian IT Services Firm
## Executive Summary
In June 2026, a South Asian IT services company was targeted by a sophisticated double-extortion attack using a previously unseen Rust-based ransomware named "Spirals." The attackers gained access via a web shell and moved with extreme speed, deploying the ransomware across the network in less than 24 hours. The operation was characterized by advanced stealth techniques, including the use of multiple redundant network tunnels and the masquerading of malicious binaries as legitimate Windows utilities.
## Incident Details
- **Discovery Date:** June 16, 2026
- **Incident Date:** June 16–17, 2026
- **Affected Organization:** Not disclosed
- **Sector:** IT Services
- **Geography:** South Asia
## Timeline of Events
### Initial Access
- **Date/Time:** June 16, 2026, 22:21 local time
- **Vector:** Exploitation of an internet-facing IIS web server.
- **Details:** Attackers uploaded an ASP.NET web shell to establish a foothold and immediately began an interactive session.
### Lateral Movement
- **Progression:** Within three hours of access, the attackers performed internal reconnaissance and moved laterally using WMI (Windows Management Instrumentation) and PsExec.
- **Persistence:** Created a local account, enabled RDP, and deployed multiple tunneling tools (Revsocks, Chisel, and Cloudflare Tunnel) to ensure redundant external access.
### Data Exfiltration/Impact
- **Impact:** Files across the network were encrypted using a Rust-based payload named `bitsadmin.exe`.
- **Double Extortion:** Attackers threatened to leak stolen data via a dedicated Tor onion site if the ransom was not paid within six days.
### Detection & Response
- **Discovery:** Presence of unauthorized tunneling tools and sudden deployment of ransomware via PsExec.
- **Response Actions:** Investigators identified the use of a token impersonation tool and the dumping of SAM hives and LSASS memory.
## Attack Methodology
- **Initial Access:** ASP.NET web shell on IIS server.
- **Persistence:** Local account creation, RDP enablement, and renamed Cloudflare Tunnel binary.
- **Privilege Escalation:** UAC bypass and token impersonation (`tokens.exe`).
- **Defense Evasion:** Uninstallation of security software (via `wmic` and `mpcmdrun.exe`), masquerading payloads as legitimate files (e.g., `bitsadmin.exe`, `chrome.exe`), and disguising tool downloads as `.jpg` files.
- **Credential Access:** Dumping SAM hives and LSASS process memory.
- **Discovery:** User and network share enumeration; listing program directories.
- **Lateral Movement:** WMI-based movement and execution via PsExec.
- **Collection:** Creation of password-protected archives of sensitive system hives.
- **Exfiltration:** Use of reverse-SOCKS proxies and encrypted tunnels.
- **Impact:** File encryption using AES-128 (with ECDH P-256) and data leak threats.
## Impact Assessment
- **Financial:** Unknown; potential ransom demand.
- **Data Breach:** Compromise of internal credentials and threat of public data release.
- **Operational:** Significant disruption due to network-wide encryption.
- **Reputational:** High risk due to the victim being an IT services provider.
## Indicators of Compromise
### Network Indicators (Defanged)
- 185.141.216[.]194
- hxxp://185.141.216[.]194/cd.jpg
- hxxps://computer.kplus[.]com/cd.zip
- hxxps://beta.padmin[.]com/mybenefits/Templates/cd.zip
### File Indicators (SHA256)
- `0f9574dc38e5c34a31153f0bcc603c6ec29cb3bf65c3d25380dbe86d42573141` (Spirals Ransomware)
- `4cab935d0ec400059a3fcdc95b6623efdd51a61dff401fba8d5da244cc2de649` (Revsocks)
- `7f0d49b11d0a3697685622ce510c570199bf2dc76515b3f9a6b6735de8c9134b` (Tunnel utility)
## Response Actions
- **Containment:** Identification and neutralization of the web shell and tunneling tools located in `\tasks\` and web production directories.
- **Eradication:** Removal of the unauthorized local account and decryption of the hijacked Cloudflare tunnel.
- **Recovery:** Restoration of encrypted systems from backups (if available).
## Lessons Learned
- **Speed is Critical:** Threat actors moved from initial access to full-scale encryption in under 24 hours.
- **Redundancy:** Attackers successfully used multiple distinct tunneling methods to bypass network controls.
- **Evasion Efficacy:** Simple renaming of files (e.g., `bitsadmin.exe`) still proves effective in bypassing basic behavioral alerting.
## Recommendations
- **Harden Web Servers:** Implement strict file integrity monitoring (FIM) on IIS directories to detect web shells.
- **Limit Administrative Tools:** Restrict the use of `PsExec`, `WMI`, and `wmic` to authorized administrative accounts only.
- **Endpoint Protection:** Enable tamper protection on security software to prevent unauthorized uninstallation.
- **Network Segmentation:** Inspect and restrict outbound traffic on port 443 to known-good endpoints to disrupt reverse proxies and tunnels.