A newly identified ransomware operation known as Spirals is raising concern because of how quickly it can move through a corporate network. Instead of remaining hidden for days or weeks, the attackers reportedly automate much of their campaign and can progress from initial access to data theft and widespread encryption in under 24 hours.
That speed creates a serious challenge for security teams. Traditional ransomware response often assumes there will be enough time to investigate suspicious activity, isolate affected systems and stop the attack before encryption begins. Spirals appears designed to shrink that window as much as possible.
A Fast-Moving Attack With Little Time to React
Once the attackers gain access, they rapidly establish persistence, study the environment and identify systems that contain valuable information. Credentials are then collected and used to move deeper into the network before sensitive data is copied out.
Only after this reconnaissance and data theft phase does the ransomware payload appear to be deployed across the environment. By that point, the attackers may already have access to multiple servers, administrator accounts and critical business systems.
The worrying part is not that these techniques are new. Credential theft, lateral movement and ransomware deployment have all been seen before. What makes Spirals particularly dangerous is how quickly these stages are completed.
Internet-Facing Servers May Provide the Initial Entry Point
The observed attack chain begins with the compromise of an internet-facing Microsoft IIS server. Publicly accessible servers are attractive targets because attackers can probe them remotely for unpatched vulnerabilities, weak configurations or exposed administrative functions.
After compromising the server, the attackers establish a foothold, collect credentials and perform network reconnaissance. They then move laterally to other systems, steal corporate information and finally deploy ransomware throughout the network. AKATI Sekurity Advisory - High - Spirals Ransomware Encrypts Enterprise Networks.pdfPDF AKATI Sekurity Advisory - High - Spirals Ransomware Encrypts Enterprise Networks.pdfPDF
Although IIS servers were observed in this campaign, the broader risk applies to any organisation operating exposed infrastructure without strong patching, access control and network segmentation.
Double Extortion Makes Backups Only Part of the Defence
Spirals follows the increasingly common double-extortion model.
Before encrypting systems, the attackers steal sensitive information. They can then pressure the victim in two ways: by locking critical systems and by threatening to publish the stolen data if payment is refused.
This means that even an organisation with reliable backups may still face significant operational, legal and reputational consequences. Restoring files may solve the encryption problem, but it does not undo the theft of confidential data.
Depending on what was taken, the organisation may also need to investigate possible exposure of customer information, employee records, commercial documents or regulated data.
Why the Campaign Is Especially Dangerous
Several characteristics make this ransomware activity particularly difficult to contain.
The full attack lifecycle can be completed within one day, leaving defenders with very little time to investigate suspicious behaviour. The attackers also appear focused on enterprise environments and potentially critical infrastructure, where downtime can have a much wider impact.
The campaign combines rapid execution, data theft, lateral movement and widespread encryption. Publicly exposed services provide the initial opportunity, while weak internal segmentation may allow the attackers to reach systems that should never have been directly accessible from the compromised server. AKATI Sekurity Advisory - High - Spirals Ransomware Encrypts Enterprise Networks.pdfPDF
In a flat network, one compromised account or server can become the doorway to file servers, databases, backup systems and administrative tools.
Windows Enterprise Environments Face the Greatest Exposure
The reported activity primarily targets Windows-based corporate environments, particularly organisations running Microsoft IIS or other externally reachable services.
However, the real issue is not limited to a particular Microsoft product. Any company with public-facing infrastructure, weak access controls or insufficient separation between systems could face a similar attack path. AKATI Sekurity Advisory - High - Spirals Ransomware Encrypts Enterprise Networks.pdfPDF
Organisations should therefore treat internet-facing systems as high-risk assets. These servers require stronger monitoring, faster patching and tighter restrictions than ordinary internal devices.
Patching Must Be Treated as an Operational Priority
All externally accessible servers should be fully patched and regularly assessed for vulnerabilities.
This includes operating systems, web servers, applications, plugins, management interfaces and any third-party software installed on the system. A server may be technically updated at the operating-system level while still remaining vulnerable through an outdated application component.
Regular vulnerability scanning is also important because it helps organisations identify forgotten systems, exposed ports and outdated services before attackers discover them. AKATI Sekurity Advisory - High - Spirals Ransomware Encrypts Enterprise Networks.pdfPDF
For critical vulnerabilities affecting an internet-facing server, waiting for the next routine maintenance cycle may be too slow.
Network Segmentation Can Limit the Damage
Network segmentation is one of the most effective ways to reduce the impact of ransomware.
A public web server should not have unrestricted access to internal systems. Access should be limited only to the specific services and destinations required for the application to function.
The same principle applies to user accounts and service accounts. Each identity should receive only the permissions it genuinely needs.
When least privilege and segmentation are properly enforced, attackers may still compromise one server, but they will have a much harder time reaching domain controllers, databases, backup platforms and other critical systems.
EDR Must Detect the Behaviour Before Encryption Begins
Endpoint Detection and Response tools should be configured to identify the earlier stages of the attack, not merely the final ransomware executable.
Security teams should look for behaviours associated with credential theft, privilege escalation, lateral movement, tunnelling tools and unusual administrative activity. The advisory also recommends monitoring for abnormal authentication events, rapid permission changes, mass access to files and unexpected outbound data transfers. AKATI Sekurity Advisory - High - Spirals Ransomware Encrypts Enterprise Networks.pdfPDF
These warning signs may provide the only realistic opportunity to contain the intrusion before the encryption phase begins.
Alerts also need to be actionable. A security platform that generates thousands of low-priority notifications without clear escalation can still allow a fast-moving attack to succeed.
Backups Must Be Offline, Immutable and Tested
Backups remain essential, but they need to be protected from the production environment.
Attackers increasingly search for backup servers and administrative consoles before deploying ransomware. If backup systems use the same credentials or remain continuously connected to the compromised network, they may be encrypted or deleted alongside the original data.
Organisations should maintain offline or immutable backup copies that cannot be altered by ordinary administrator accounts. Those backups should also be tested through regular restoration exercises.
A backup that has never been restored is only an assumption, not a proven recovery capability.
Incident Response Needs to Move at Machine Speed
An attack that completes in less than 24 hours cannot be handled through a slow approval chain.
Security teams should already know who has authority to isolate systems, disable accounts, block network traffic and activate incident-response procedures. Waiting for several layers of approval while ransomware continues spreading may result in preventable damage.
Automated containment can also help. Depending on the organisation's risk tolerance, EDR and network-security tools may be configured to quarantine endpoints, disable suspicious sessions or block known malicious infrastructure when high-confidence detections occur.
The goal is not to automate every decision, but to ensure that critical actions can happen quickly enough to matter.
What Organisations Should Do Now
Organisations should immediately review all internet-facing servers and confirm that they are fully patched, correctly configured and protected by appropriate monitoring.
They should also verify that:
Known malicious indicators associated with the campaign should also be added to firewalls, DNS security tools, web proxies, SIEM platforms and endpoint-security systems where appropriate. The advisory includes file hashes, malicious infrastructure and payload-delivery locations for defensive monitoring. AKATI Sekurity Advisory - High - Spirals Ransomware Encrypts Enterprise Networks.pdfPDF
Final Thoughts
Spirals ransomware demonstrates how quickly a modern cyberattack can move from one exposed server to a full enterprise-wide crisis.
The greatest danger is not only the encryption itself, but the combination of credential theft, data exfiltration, lateral movement and a highly compressed attack timeline. Organisations that depend entirely on manual investigation may find themselves reacting after the attackers have already reached critical systems.
Strong patch management, network segmentation, behavioural detection, immutable backups and rapid containment are therefore no longer optional layers of security. They are essential controls for surviving ransomware campaigns that can complete their entire operation in less than a single working day.


Comments