Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1917+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. New Spirals Ransomware Encrypts Victim Network in Under 24 Hours
New Spirals Ransomware Encrypts Victim Network in Under 24 Hours
NEWS

New Spirals Ransomware Encrypts Victim Network in Under 24 Hours

A newly identified ransomware group called Spirals has demonstrated alarming operational speed, completing the full attack lifecycle — initial access, lateral movement, data theft, and network-wide encryption — in less than 24 hours.

Dylan H.

News Desk

July 16, 2026
4 min read

Overview

Security researchers have identified a new ransomware actor dubbed Spirals that has distinguished itself from other threat groups through its exceptional operational tempo. In observed intrusions, Spirals completed the full attack chain — from initial access to data exfiltration and full network encryption — in under 24 hours. This rapid dwell time dramatically compresses the detection and response window available to defenders.

Attack Timeline

Based on incident response telemetry and threat intelligence reporting, Spirals intrusions follow a consistent, accelerated pattern:

PhaseEstimated Timeframe
Initial accessT+0
Credential harvestingT+1–2 hours
Lateral movement / privilege escalationT+2–6 hours
Data exfiltration (double extortion)T+6–16 hours
Ransomware deployment and encryptionT+16–24 hours

This timeline stands in contrast to many established ransomware groups, which historically maintained dwell times of days to weeks — time that allowed detection tools and security teams to identify and contain intrusions before encryption commenced.

Initial Access Vectors

Spirals has been observed using several entry points:

  • VPN and RDP exploitation — targeting unpatched remote access services exposed to the internet
  • Phishing with malicious attachments — credential-harvesting lures delivered via email
  • Compromised third-party credentials — leveraging previously breached credentials purchased on underground markets

Once inside, the group moves immediately to internal reconnaissance rather than establishing prolonged persistence.

Lateral Movement and Privilege Escalation

Spirals demonstrates fluency with common Active Directory abuse techniques:

  • Kerberoasting and Pass-the-Hash for credential escalation
  • LSASS memory dumping via tools like Mimikatz derivatives
  • Living-off-the-land (LOTL) techniques using PowerShell, WMI, and PsExec to avoid triggering signature-based detections
  • RDP pivoting across the internal network after acquiring domain credentials

The speed with which Spirals reaches Domain Admin or equivalent privileges suggests either strong prior reconnaissance (acquired through initial access broker networks) or significant automation of post-exploitation workflows.

Double Extortion Model

Like most modern ransomware operations, Spirals operates a double extortion model:

  1. Data theft first: Sensitive files — financial records, customer data, IP, and credentials — are exfiltrated to attacker-controlled infrastructure before encryption begins
  2. Encryption second: Network-wide ransomware is deployed simultaneously across as many endpoints as possible in a single push

Victims who restore from backups still face the threat of public data release via a dedicated Spirals leak site on the dark web. The group uses this leverage to pressure payment.

Ransomware Payload

Details of the encryption payload are still under analysis, but early samples indicate:

  • AES-256 symmetric encryption for file content
  • RSA-4096 asymmetric encryption for key exchange
  • Targeting of VMware ESXi hosts and NAS devices in addition to Windows endpoints
  • Deliberate exclusion of system files to maintain OS bootability (maximizing victim ability to see and pay the ransom note)

Encrypted files receive a .spirals extension, and a ransom note (READ_ME_SPIRALS.txt) is dropped in each directory.

Defensive Recommendations

The sub-24-hour window demands a shift toward pre-breach hardening rather than relying on detection and response:

Immediate Actions

  1. Patch internet-facing systems — VPN appliances, RDP gateways, and firewall management interfaces are the highest priority; check vendor advisories weekly
  2. Enforce MFA on all remote access — no exceptions for VPN, RDP, or management consoles
  3. Disable RDP on endpoints that do not require it; restrict to jump hosts only
  4. Monitor for abnormal authentication patterns — LSASS access, Kerberoasting queries, and mass SMB connections are early indicators

Detection

Spirals' rapid timeline means indicators appear in bursts. Prioritize alerting on:

  • Multiple failed auth attempts followed immediately by success (credential stuffing / spray)
  • sekurlsa::logonpasswords or LSASS memory read events
  • Large volume outbound transfers, especially to cloud storage or unknown IPs
  • PsExec or WMI remote execution across many hosts in a short window
  • Mass file rename events (.spirals extension)

Recovery Preparation

  • Maintain offline, immutable backups tested for restore completeness — Spirals targets backup solutions connected to the domain
  • Document a network segmentation plan that can be enacted in minutes to isolate critical systems
  • Pre-engage an incident response retainer so IR firms are authorized to mobilize immediately, not days after an incident begins

Threat Actor Context

Spirals appears to be a financially motivated group without confirmed nation-state ties. The level of automation and tooling sophistication suggests either an experienced team or one leveraging access broker networks and ready-made post-exploitation frameworks. Researchers continue to monitor for overlaps with known ransomware-as-a-service (RaaS) ecosystems.

Organizations in manufacturing, healthcare, professional services, and critical infrastructure should treat Spirals as an active threat and validate their detection coverage for the TTPs described above.

References

  • BleepingComputer: New Spirals ransomware encrypts victim network in under 24 hours
  • CISA Ransomware Guide
  • MITRE ATT&CK: Ransomware Techniques
#Ransomware#Spirals#Cybercrime#Threat Intelligence#Incident Response

Related Articles

Feuding Ransomware Groups Leak Each Other's Data

When rival ransomware groups 0APT and KryBit turned on each other, they exposed infrastructure details, operational data, victim lists, and internal...

6 min read

Identity Attacks Overtake Exploits as Top Ransomware Cause

Sophos 2026: 79% of ransomware attacks start with stolen identities. MFA was present in 97% of credential-based cases yet failed to stop every one of them.

4 min read

Agentic AI Used to Conduct Ransomware Attack via Langflow Vulnerability

Threat group JadePuffer leveraged an LLM agent to autonomously execute a multi-stage ransomware-style attack through a critical Langflow vulnerability,...

4 min read
Back to all News