www.security.com
New Spirals Ransomware Executes Rapid Double Extortion Attack in South Asia
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
In June 2026, a new ransomware family named Spirals executed a double extortion attack against an IT services company in South Asia, completing the operation in under 24 hours. The attackers gained initial access by compromising an exposed IIS web server and uploaded an ASP.NET web shell. They established persistent access, disabled security software, and dumped credential information from the Security Account Manager (SAM) and LSASS processes. The ransomware, written in Rust, was deployed using PsExec with a disguised executable named bitsadmin.exe. It encrypted files and threatened to publish stolen data if the ransom was not paid within six days. The attack highlights a shift in ransomware tactics, emphasizing the need for rapid response measures. Only one confirmed incident of Spirals has been reported so far.
Key Points: • Spirals ransomware can encrypt a network in under 24 hours. • Attackers used a compromised IIS server and ASP.NET web shell for initial access. • The ransomware employs double extortion tactics, threatening data publication.