The Symantec Threat Hunter Team reported July 16 that Spirals — a previously unseen ransomware family — deployed a double extortion attack in under 24 hours against an unknown South Asia IT services company in June.According to Symantec, the full ransomware attack — from initial access to data theft and on to encryption — took place less than 24 hours after the initial breach. Once the attackers accessed an IIS server, they uploaded an ASP.NET web shell and then over a three-hour session, established persistent access, uninstalled endpoint security software, and dumped the Security Account Manager (SAM) hive, and cleaned out the Local Security Authority Subsystem Service (LSASS).This let them set up covert remote access before later deploying the ransomware payload across the network, said the researchers, who added that the skill of the attackers indicated that other such attacks will follow.Kevin Surace, chief executive officer at TokenCore, explained that once the attackers gained administrative control, they used PowerShell to disable Microsoft Defender, remove its threat definitions, and stop services associated with 23 backup, database, and virtualization products. They then used PsExec running as SYSTEM to distribute the ransomware across the network, turning what might once have been a manual intrusion into a rapid automated deployment.Surace was adamant that organizations can no longer wait for analysts to investigate every alert manually before containing a suspected attack: response playbooks must authorize immediate isolation of affected machines, suspension of compromised accounts, blocking of remote management tools, and interruption of lateral movement when high confidence ransomware indicators appear.“The objective must shift from confirming the entire attack to stopping its momentum,” said Surace. “When encryption may begin within the same workday as the initial compromise, containment decisions must happen in minutes, not after hours of meetings and escalation.”Sam Decker, threat intelligence engineer at Blackpoint Cyber, said teams can defend against such rapid-fire attacks by shrinking their own response time to match the attackers.Decker said prevention still matters: close exposed services like the hacked (in this case) IIS server, enforce MFA, and turn on tamper protection so Defender cannot be silently disabled.“But prevention alone is no longer a plan,” said Decker. "What actually changes the outcome is real-time detection paired with the people and authority to isolate the host and cut the session in minutes, because the attacker is betting on the gap between ‘something is happening’ and ‘someone stopped it.’"Decker confirmed that teams have to adjust to new rules: there’s no longer a 2- to 4-week period to respond to a security issue.“When a group goes from an exposed web server to a fully encrypted network in under a day, any strategy built around the next scheduled scan or the morning queue review has already lost,” said Decker. “The old rules assumed you had time to react, and that time is gone.”Decker underscored that in Spirals, the actor killed the backup and database services and dumped LSASS before a single file was locked — and that pattern barely changes between variants.“Teams keep up by defending that repeatable middle rather than chasing each new ransomware brand,” said Decker. “Because if you catch the defense evasion and credential theft, you catch the operation no matter what it calls itself.”
Ransomware
Attackers execute a complete ransomware operation in under 24 hours

(Adobe Stock)
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



