New Spirals ransomware encrypts victim network in under 24 hours

New Spirals ransomware encrypts victim network in under 24 hours

A new ransomware actor called Spirals completed a corporate intrusion, from initial access to data theft and encryption, in less than 24 hours.

The attack occurred in June and breached an IT services firm in South Asia after compromising an Internet Information Services (IIS) server exposed on the public web.

Researchers at Symantec's Threat Hunter Team say that the attacker moved quickly after obtaining initial access and uploading an ASP.NET web shell.

image

The Spirals operator then bypassed User Account Control (UAC), enabled Remote Desktop, and created a local account to maintain persistent access. The attacker also dumped the SAM registry hive and LSASS process memory in an attempt to extract credentials.

Symantec investigators say that the threat actor tried to remove security software on the hosts, used WMI to move laterally to more than a dozen systems, and established redundant remote access channels using revsocks, Chisel, and Cloudflare tunnels.

A PowerShell payload disabled Microsoft Defender, removed its threat definitions, and stopped services associated with 23 backup, database, and virtualization products, including Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL, in preparation for the encryption stage.

The deployment of the Spirals payload (bitsadmin.exe) occurred less than 24 hours after the initial compromise, reports Symantec.

“The operator began deploying the ransomware payload across the victim’s network using PsExec running as SYSTEM,” the researchers explain.

“The payload was named bitsadmin.exe, likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service, encrypting files on impacted machines.”

Spirals is a Rust-based ransomware family that uses AES-128 keys protected by an attacker-controlled ECDH P-256 public key.

The ransomware uses intermittent encryption for files larger than 5MB to accelerate the process.

A ransom note named RECOVERY_SECTION.log is dropped on the C:\ drive, containing instructions to negotiate a ransom.

Victims are threatened with public exposure of the stolen data within six days, unless the attacker is paid.

Despite the presence of the extortion portal, Symantec observed Spirals in a single case so far, so it’s unclear whether the new family is intended for broader cybercrime deployment or if it was a custom payload created specifically for this attack at the IT services firm.

Symantec's report provides network indicators and file hashes associated with the documented Spirals attack to help organizations worldwide set up defenses against this threat group.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper
source: BleepingComputer