Spirals, a new ransomware actor, completed a full intrusion against an IT services firm in South Asia in less than 24 hours, stealing data and encrypting systems after compromising an exposed IIS server. Symantec says the attacker used web shells, credential dumping, lateral movement tools, and destructive defense evasion tactics before deploying the payload and threatening to leak stolen data. #Spirals #Symantec #IIS #PsExec #Cloudflare
Keypoints
- Spirals breached an IT services firm through a public-facing IIS server.
- The attacker uploaded an ASP.NET web shell and quickly established persistence.
- UAC bypass, RDP enablement, and local account creation helped maintain access.
- WMI, revsocks, Chisel, and Cloudflare tunnels were used for lateral movement and remote access.
- The ransomware disabled Microsoft Defender and targeted backup, database, and virtualization services before encryption.