Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors
Summary:
Dire Wolf is a newly emerged ransomware group first observed in May 2025 and has since carried out a wave of targeted attacks, particularly against organizations in the manufacturing and technology sectors. Trustwave SpiderLabs recently analyzed a Dire Wolf ransomware sample, uncovering technical details on how the malware functions. The group employs double extortion tactics, encrypting victims’ files and threatening to leak exfiltrated data unless a ransom is paid. As of now, 16 victims across 11 countries have been publicly listed on Dire Wolf’s leak site, with the United States and Thailand being the most affected.
The ransomware sample, initially packed with UPX to evade analysis, was found to be written in Golang, a language favored by cybercriminals for its cross-platform capabilities and reduced antivirus detection rates. Upon execution, the malware checks for the presence of a mutex and a specific file to avoid redundant encryption. If either is found, it deletes itself. If not, it proceeds to disable Windows event logging and terminates a range of processes and services, including those related to antivirus programs, backup software, and Microsoft Exchange.
The ransomware disables Windows logs using WMI and taskkill commands and attempts to stop and permanently disable 75 hardcoded services and 59 processes using commands like sc stop, sc config, and taskkill. These include major antivirus services like Sophos, Symantec, and Qihoo 360, and applications such as Microsoft Office, SQL Server, VMware services, and various backup utilities.
Security Officer Comments:
After disrupting defenses, the malware deletes shadow copies and disables backup recovery mechanisms using a combination of commands to prevent system recovery and forensic investigation. It also clears event logs with wevtutil to hide traces of its activity. For encryption, Dire Wolf uses the Curve25519 and ChaCha20 cryptographic algorithms, appending the extension “.direwolf” to encrypted files. The malware avoids encrypting critical system files. A customized ransom note is then dropped, tailored to each victim with unique login credentials for a chat room where ransom negotiations take place. The note includes a link to a sample file on gofile[.]io as proof of exfiltration, indicating a high degree of targeting and personalization. The group’s leak site currently lists 15 victims, with some having their stolen data partially published and facing full exposure if no ransom is paid. Ransom demands have reportedly reached up to $500,000. Although Dire Wolf claims to be apolitical and based in New York, these assertions remain unverified. No specific details about their initial access or lateral movement techniques have been observed, but organizations are urged to adopt preventive measures and monitor for known indicators.
Suggested Corrections:
- Monitor and block the deletion of shadow copies and backups
- Implement endpoint protection capable of detecting Golang-based binaries and obfuscated payloads
- Restrict PowerShell and WMI execution where not required, especially on high-value systems
- Continuously log and monitor service disruptions and unexpected process terminations
- Maintain offline backups and test recovery procedures regularly
- Apply the detection rules released by Trustwave for behavior patterns related to Dire Wolf
- Implement application allow-listing and deny execution from user directories
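As an added defender-side example (not code from the report or from Trustwave), the following Python scans constructed process-creation log lines for the chain of defence-disruption commands the report names (wevtutil log clearing, sc stop, sc config, taskkill) together with shadow-copy deletion, and flags any parent process that shows several of these behaviours at once. The one-line log format, host and process names are constructed for the example, and the vssadmin/wmic patterns for shadow-copy deletion are an assumption about common command forms, not something the report states.

```python
"""Heuristic detector for the defence-disruption chain described in the report:
event-log clearing (wevtutil cl), service stop/disable (sc stop, sc config),
process termination (taskkill) and shadow-copy deletion, all from one parent."""
import re
from collections import defaultdict

# Each rule maps one behaviour to a case-insensitive command-line pattern.
# Only wevtutil, sc and taskkill are named in the report; the vssadmin/wmic
# forms of shadow-copy deletion are an assumption about the usual command forms.
RULES = {
    "log_clear": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "service_stop": re.compile(r"\bsc(\.exe)?\s+stop\b", re.I),
    "service_disable": re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled\b", re.I),
    "process_kill": re.compile(r"\btaskkill(\.exe)?\b.*\s/(f|im)\b", re.I),
    "shadow_delete": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
}

# Constructed one-line summaries of process-creation events (e.g. Sysmon ID 1 or
# Security 4688 reduced to host/parent/command line). Names are made up.
SAMPLE_EVENTS = [
    "2025-05-20T10:01:02 host=WS01 parent=explorer.exe cmd=notepad.exe notes.txt",
    "2025-05-20T10:02:10 host=WS01 parent=ransom.exe cmd=wevtutil.exe cl Security",
    "2025-05-20T10:02:11 host=WS01 parent=ransom.exe cmd=wevtutil.exe cl System",
    "2025-05-20T10:02:15 host=WS01 parent=ransom.exe cmd=sc stop ExampleAV",
    "2025-05-20T10:02:16 host=WS01 parent=ransom.exe cmd=sc config ExampleAV start= disabled",
    "2025-05-20T10:02:20 host=WS01 parent=ransom.exe cmd=taskkill /f /im sqlservr.exe",
    "2025-05-20T10:02:30 host=WS01 parent=ransom.exe cmd=vssadmin delete shadows /all /quiet",
    "2025-05-20T11:00:00 host=WS02 parent=services.exe cmd=sc stop ExampleSvc",
]

EVENT_RE = re.compile(r"host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")


def classify(cmd):
    """Return the set of behaviour names whose pattern matches this command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def detect(lines, min_behaviours=3):
    """Group events by (host, parent) and flag parents showing at least
    min_behaviours distinct behaviours. Returns {(host, parent): sorted names}.
    A single administrative 'sc stop' therefore does not trip the detector."""
    seen = defaultdict(set)
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            seen[(m["host"], m["parent"])] |= classify(m["cmd"])
    return {key: sorted(names) for key, names in seen.items() if len(names) >= min_behaviours}


if __name__ == "__main__":
    for (host, parent), names in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {parent}: {', '.join(names)}")
```

Feeding real Sysmon or 4688 data only requires replacing EVENT_RE with a parser for the export format; the grouping and scoring stay the same.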
Link(s):
https://www.trustwave.com/en-us/res...ew-ransomware-group-targeting-global-sectors/