← Home

Spirals Ransomware Encrypts Entire Corporate Networks in Under 24 Hours

The fact A new ransomware variant called Spirals has been detected in the wild with an alarming capability: encrypting entire corporate networks in under 24 hours from initial access. Unlike traditional ransomware variants that take days or weeks between initial compromise and detonation — LockBit averages 7 days, BlackCat takes 5 to 10 — Spirals compresses this cycle to less than one business day, catching security teams off guard who still operate on slow-detection models. Early incident reports indicate the ransomware spreads with machine-gun speed across Windows domains once it gains a foothold.

Context Traditional high-impact ransomware follows a well-known pattern: initial access via phishing or exposed RDP, careful slow lateral movement, data exfiltration, and finally encryption. This cycle could take 3 to 14 days, giving EDR solutions and SOC teams time to spot anomalies. Spirals represents a radical acceleration of this model, likely using aggressive automated network discovery and lateral propagation via legitimate admin tools (LOLBins) such as PsExec, WMIC, and WinRM, combined with fast Active Directory scanning. The emergence of ultra-fast ransomware has been theorized for years, but Spirals is the first to demonstrate it at scale in real-world attacks.

Analysis The shortened encryption timeline has profound implications for corporate defense architecture. Traditional ransomware detection models rely on a 24-to-72-hour window for SOC teams to spot suspicious lateral movement, gather evidence, and trigger containment playbooks. With Spirals, that window shrinks drastically — if encryption begins in hours, detection must be near real-time and response must be automated. The speed suggests heavy automation of internal reconnaissance steps, likely via scripts that map Active Directory domains, identify domain controllers, and distribute the payload simultaneously across multiple hosts. This also reduces the exfiltration window, suggesting attackers may be prioritizing operational disruption over double extortion — a worrying shift in the ransomware business model. If this approach becomes standard, the entire economics of ransomware defense changes: prevention and early detection become exponentially more important than reactive containment.

What to watch for The evolution of Spirals over the coming weeks: if affiliate groups adopt the platform as a ransomware-as-a-service offering, attack frequency could surge dramatically. Organizations should review detection rules for mass remote execution alerts and disable remote administration protocols (WinRM, PSRemoting) where not strictly required. Offline backups remain the last line of defense, but with a variant this fast, pre-encryption detection — and indicators of automated reconnaissance — becomes the number one priority for CISOs. The security industry will need to accelerate its own detection arms race, investing in behavioral analytics that can spot network reconnaissance happening at machine speed rather than human speed.

Source: BleepingComputer