New Spirals Ransomware Executes Rapid Double Extortion Attack in South Asia

New Spirals Ransomware Executes Rapid Double Extortion Attack in South Asia

First seen 16 Jul 2026, 11:22 UTC BleepingcomputerPcquestScworldwww.security.com 89% similarity 71.0

Article Content

Browse articles
ThreatCluster

In June 2026, a new ransomware family named Spirals executed a double extortion attack against an IT services company in South Asia, completing the operation in under 24 hours. The attackers gained initial access by compromising an exposed IIS web server and uploaded an ASP.NET web shell. They established persistent access, disabled security software, and dumped credential information from the Security Account Manager (SAM) and LSASS processes. The ransomware, written in Rust, was deployed using PsExec with a disguised executable named bitsadmin.exe. It encrypted files and threatened to publish stolen data if the ransom was not paid within six days. The attack highlights a shift in ransomware tactics, emphasizing the need for rapid response measures. Only one confirmed incident of Spirals has been reported so far.

Key Points: • Spirals ransomware can encrypt a network in under 24 hours. • Attackers used a compromised IIS server and ASP.NET web shell for initial access. • The ransomware employs double extortion tactics, threatening data publication.

ThreatCluster AI

Timeline

2026-06-01
Initial access gained via IIS server compromise
Attackers exploited an exposed IIS server, uploading an ASP.NET web shell to gain access.
Bleepingcomputer
2026-06-01
Persistent access established
The attackers escalated privileges, enabled Remote Desktop, and dumped credential data from SAM and LSASS.
Pcquest
2026-06-01
Ransomware deployed across the network
Using PsExec, the Spirals ransomware payload was deployed, encrypting files on impacted machines.
Scworld
2026-06-01
Ransom note left for victims
A ransom note named RECOVERY_SECTION.log was dropped, threatening data publication within six days if not paid.
Security.com

Community

Browse all →