A new ransomware actor called Spirals completed a corporate intrusion, from initial access to data theft and encryption, in less than 24 hours.
The attack occurred in June and breached an IT services firm in South Asia after compromising an Internet Information Services (IIS) server exposed on the public web.
Researchers at Symantec's Threat Hunter Team say that the attacker moved quickly after obtaining initial access and uploading an ASP.NET web shell.
The Spirals operator then bypassed User Account Control (UAC), enabled Remote Desktop, and created a local account to maintain persistent access. The attacker also dumped the SAM registry hive and LSASS process memory in an attempt to extract credentials.
Symantec investigators say that the threat actor tried to remove security software on the hosts, used WMI to move laterally to more than a dozen systems, and established redundant remote access channels using revsocks, Chisel, and Cloudflare tunnels.
A PowerShell payload disabled Microsoft Defender, removed its threat definitions, and stopped services associated with 23 backup, database, and virtualization products, including Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL, in preparation for the encryption stage.
The deployment of the Spirals payload (bitsadmin.exe) occurred less than 24 hours after the initial compromise, reports Symantec.
“The operator began deploying the ransomware payload across the victim’s network using PsExec running as SYSTEM,” the researchers explain.
“The payload was named bitsadmin.exe, likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service, encrypting files on impacted machines.”
Spirals is a Rust-based ransomware family that uses AES-128 keys protected by an attacker-controlled ECDH P-256 public key.
... continue reading