Spirals: New Stealthy Ransomware Deployed Against Asian IT Company
Spirals is a newly identified ransomware family deployed in a double extortion attack against an IT services company in South Asia in June 2026. The Rust-based ransomware exhibits advanced capabilities such as defense evasion, lateral movement, privilege escalation, and network-wide file encryption using AES-128. Initial access was gained through a compromised internet-facing IIS web server via an ASP.NET web shell. The attackers rapidly deployed the ransomware within 24 hours, established persistence with tunneling tools, disabled endpoint security, harvested credentials from SAM and LSASS, and used reverse-SOCKS proxies for covert command-and-control. The ransomware was distributed using PsExec and threatened data publication within six days. The threat actor remains unidentified, but the sophistication suggests potential for broader campaigns.
AI Analysis
Technical Summary
The Spirals ransomware is a sophisticated Rust-based malware family observed in a targeted double extortion attack against a South Asian IT services company. Attackers gained initial access through a compromised IIS web server using an ASP.NET web shell, enabling rapid deployment of ransomware within 24 hours. The malware employs multiple advanced techniques including defense evasion, lateral movement across the network, privilege escalation, credential dumping from SAM hive and LSASS processes, and persistence via multiple tunneling tools. Command-and-control communications are maintained covertly using reverse-SOCKS proxies. Network-wide ransomware distribution leveraged PsExec to encrypt files with AES-128 encryption keys. The attackers also threatened to publish stolen data within six days, indicating a double extortion strategy. No known threat actor attribution or public exploits are currently identified.
Potential Impact
The Spirals ransomware can cause significant operational disruption by encrypting files across a network and threatening data publication, which can lead to data loss, reputational damage, and financial impact. The use of advanced techniques such as privilege escalation, credential dumping, and disabling endpoint security increases the difficulty of detection and mitigation. The rapid deployment within 24 hours and use of lateral movement tools facilitate widespread infection. The double extortion tactic adds pressure on victims to pay ransom to prevent data leakage.
Mitigation Recommendations
No official patch or fix is available for this ransomware as it is malware rather than a software vulnerability. Organizations should focus on preventing initial access by securing internet-facing IIS web servers and detecting ASP.NET web shells. Monitoring for unusual use of tunneling tools, PsExec, and credential dumping activities can aid in early detection. Endpoint security solutions should be kept updated and configured to detect and block ransomware behaviors. Incident response plans should include procedures for containment and recovery from ransomware attacks. Given the threat actor is unidentified and no known exploits are public, vigilance and layered defense are critical.
Indicators of Compromise
- ip: 185.141.216.194
- hash: 26a15a6a9bea58e9ad2ada9a6c8606b5
- hash: e25c56bd13eff7280e493bf58501c47891fe63bf
- hash: 0f9574dc38e5c34a31153f0bcc603c6ec29cb3bf65c3d25380dbe86d42573141
- hash: 4cab935d0ec400059a3fcdc95b6623efdd51a61dff401fba8d5da244cc2de649
- hash: 7f0d49b11d0a3697685622ce510c570199bf2dc76515b3f9a6b6735de8c9134b
- hash: 83a7e51f3787ac5a8a9884edd0a58ddbef380969aa6529d282a461a1a614a892
- hash: 84b9a9a1668145df04faa3d0e118e2f0acbebd3d9d260baf3a355b44c815c22d
- hash: 862a3ca7e944ccf0ff3a6d556b34faade4b68343015c35a014a43725ac14a2a1
- hash: b5d598b00cc3a28cabc5812d9f762819334614bae452db4e7f23eefe7b081556
- url: https://beta.padmin.com/mybenefits/Templates/cd.zip
- url: https://computer.kplus.com/cd.zip
- domain: beta.padmin.com
- domain: computer.kplus.com
Spirals: New Stealthy Ransomware Deployed Against Asian IT Company
Description
Spirals is a newly identified ransomware family deployed in a double extortion attack against an IT services company in South Asia in June 2026. The Rust-based ransomware exhibits advanced capabilities such as defense evasion, lateral movement, privilege escalation, and network-wide file encryption using AES-128. Initial access was gained through a compromised internet-facing IIS web server via an ASP.NET web shell. The attackers rapidly deployed the ransomware within 24 hours, established persistence with tunneling tools, disabled endpoint security, harvested credentials from SAM and LSASS, and used reverse-SOCKS proxies for covert command-and-control. The ransomware was distributed using PsExec and threatened data publication within six days. The threat actor remains unidentified, but the sophistication suggests potential for broader campaigns.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Spirals ransomware is a sophisticated Rust-based malware family observed in a targeted double extortion attack against a South Asian IT services company. Attackers gained initial access through a compromised IIS web server using an ASP.NET web shell, enabling rapid deployment of ransomware within 24 hours. The malware employs multiple advanced techniques including defense evasion, lateral movement across the network, privilege escalation, credential dumping from SAM hive and LSASS processes, and persistence via multiple tunneling tools. Command-and-control communications are maintained covertly using reverse-SOCKS proxies. Network-wide ransomware distribution leveraged PsExec to encrypt files with AES-128 encryption keys. The attackers also threatened to publish stolen data within six days, indicating a double extortion strategy. No known threat actor attribution or public exploits are currently identified.
Potential Impact
The Spirals ransomware can cause significant operational disruption by encrypting files across a network and threatening data publication, which can lead to data loss, reputational damage, and financial impact. The use of advanced techniques such as privilege escalation, credential dumping, and disabling endpoint security increases the difficulty of detection and mitigation. The rapid deployment within 24 hours and use of lateral movement tools facilitate widespread infection. The double extortion tactic adds pressure on victims to pay ransom to prevent data leakage.
Mitigation Recommendations
No official patch or fix is available for this ransomware as it is malware rather than a software vulnerability. Organizations should focus on preventing initial access by securing internet-facing IIS web servers and detecting ASP.NET web shells. Monitoring for unusual use of tunneling tools, PsExec, and credential dumping activities can aid in early detection. Endpoint security solutions should be kept updated and configured to detect and block ransomware behaviors. Incident response plans should include procedures for containment and recovery from ransomware attacks. Given the threat actor is unidentified and no known exploits are public, vigilance and layered defense are critical.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.security.com/threat-intelligence/ransomware-spirals-extortion"]
- Adversary
- null
- Pulse Id
- 6a58c2ecd43c8e98d4bdd2e0
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip185.141.216.194 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash26a15a6a9bea58e9ad2ada9a6c8606b5 | — | |
hashe25c56bd13eff7280e493bf58501c47891fe63bf | — | |
hash0f9574dc38e5c34a31153f0bcc603c6ec29cb3bf65c3d25380dbe86d42573141 | — | |
hash4cab935d0ec400059a3fcdc95b6623efdd51a61dff401fba8d5da244cc2de649 | — | |
hash7f0d49b11d0a3697685622ce510c570199bf2dc76515b3f9a6b6735de8c9134b | — | |
hash83a7e51f3787ac5a8a9884edd0a58ddbef380969aa6529d282a461a1a614a892 | — | |
hash84b9a9a1668145df04faa3d0e118e2f0acbebd3d9d260baf3a355b44c815c22d | — | |
hash862a3ca7e944ccf0ff3a6d556b34faade4b68343015c35a014a43725ac14a2a1 | — | |
hashb5d598b00cc3a28cabc5812d9f762819334614bae452db4e7f23eefe7b081556 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://beta.padmin.com/mybenefits/Templates/cd.zip | — | |
urlhttps://computer.kplus.com/cd.zip | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainbeta.padmin.com | — | |
domaincomputer.kplus.com | — |
Threat ID: 6a59782068715ace4305c1a8
Added to database: 07/17/2026, 00:32:32 UTC
Last enriched: 07/17/2026, 00:49:04 UTC
Last updated: 07/17/2026, 03:34:26 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.