New Spirals Ransomware Targets IT Services Firm in South Asia

New Spirals Ransomware Targets IT Services Firm in South Asia

First seen 16 Jul 2026, 11:22 UTC Bleepingcomputerwww.security.com 87% similarity 69.5

Article Content

Browse articles
ThreatCluster

In June 2026, a new ransomware family named Spirals executed a double extortion attack on an IT services company in South Asia. The attackers gained initial access by compromising an exposed IIS web server and uploaded an ASP.NET web shell. Within 24 hours, they deployed the ransomware payload, which masqueraded as bitsadmin.exe, encrypting files across the network. The attackers also harvested credentials by dumping the Security Account Manager (SAM) hive and LSASS memory. They established persistent access through various methods, including a reverse SOCKS proxy and a Cloudflare tunnel. The ransom note, dropped as RECOVERY_SECTION.log, threatened to publish stolen data if the ransom was not paid within six days. The ransomware is noted for its Rust-based architecture and advanced evasion techniques. As of now, only one confirmed attack has been observed, leaving its broader deployment unclear.

Key Points: • Spirals ransomware completed a corporate intrusion in under 24 hours. • Attackers exploited an IIS server and used an ASP.NET web shell for initial access. • The ransom note threatens data exposure within six days if payment is not made.

ThreatCluster AI

Timeline

2026-06-01
Initial access gained
Attackers compromised an exposed IIS web server and uploaded an ASP.NET web shell.
Bleepingcomputer
2026-06-01
Ransomware deployed
The Spirals ransomware payload was deployed using PsExec, encrypting files on impacted machines.
Bleepingcomputer
2026-06-01
Credential harvesting
Attackers dumped the SAM hive and LSASS memory to extract credentials for lateral movement.
Bleepingcomputer
2026-06-01
Ransom note issued
A ransom note named RECOVERY_SECTION.log was dropped, threatening data exposure within six days.
www.security.com

Community

Browse all →