Symantec Threat Hunter Team uncovered a previously unseen Rust-based ransomware family called Spirals, used in a double extortion attack against an IT services company in South Asia in June 2026. The attackers moved quickly through IIS web shell access, credential dumping, lateral movement, and multi-stage deployment tools before encrypting files and threatening to leak stolen data. #Spirals #SymantecThreatHunterTeam #IIS #PsExec #CloudflareTunnel
Keypoints
- Spirals is a new Rust-based ransomware family observed in a June 2026 attack.
- The attackers gained access through an internet-facing IIS server and an ASP.NET web shell.
- They used tools such as revsocks, Chisel, and Cloudflare Tunnel for covert access.
- Credential theft and lateral movement included SAM and LSASS dumping, plus WMI and PsExec abuse.
- The ransomware was deployed as bitsadmin.exe and used double extortion threats against the victim.
Read More: https://www.security.com/threat-intelligence/ransomware-spirals-extortion