Spirals ransomware locks down victim systems in under 24 hours

A previously unknown ransomware strain called Spirals was used last month in an attack against an IT services company in South Asia, where attackers went from initial access to data theft and encrypting the network in less than 24 hours, according to Symantec’s Threat Hunter Team.

Spirals ransomware

Spirals encrypts files quickly after gaining a foothold

Spirals is written in Rust and encrypts files using a separate AES-128 key per file, each wrapped with an attacker-controlled ECDH P-256 public key. To speed up encryption, files larger than 5 MB are encrypted in chunks.

Victims were left with a ransom note, RECOVERY_SECTION.log, directing them to a Tor negotiation site and threatening to leak stolen data within six days if no payment was made.

The attackers gained initial access by compromising an internet-facing IIS web server and uploading an ASP.NET web shell. From there, they ran commands through the IIS worker process to open an interactive session, escalating privileges with a User Account Control (UAC) bypass, turning on Remote Desktop Protocol (RDP), and creating a local account to maintain persistent access.

Credential dumping and tunneling expanded the intrusion

“Credential material was harvested by dumping the Security Account Manager (SAM) hive to a password-protected archive. Later, during WMI-based lateral movement activities, the attackers also dumped LSASS process memory on multiple machines using rundll32.exe and comsvcs.dll,” researchers explained.

To keep multiple lines of communication open with the compromised network, they set up a reverse SOCKS proxy, a renamed copy of the Chisel tunneling tool disguised as chrome.exe, and a Cloudflare Tunnel client. Some of the tools used in the attack were hosted externally with .jpg file extensions, apparently to dodge basic file-type filtering.

The operators then used PsExec, running as SYSTEM, to push the same PowerShell payload to a long list of hosts, hitting new targets every few seconds for about half an hour.

“The payload was named bitsadmin.exe, likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service,” they noted.

That payload disabled Windows Defender and stopped services tied to 23 backup, database, and virtualization products, including Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL, clearing the way for the ransomware to encrypt files.

“While we have so far only seen this ransomware on one victim network, its capabilities and stealth point to the actors behind it being skilled operators who could easily launch more wide-ranging campaigns,” Symantec added.

The company has shared indicators of compromise tied to the attack for organizations wanting to check their own environments for related activity.

Don't miss