Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors
Dire Wolf is a newly emerged ransomware group, first observed in May 2025. Trustwave SpiderLabs recently uncovered a Dire Wolf ransomware sample that, for the first time, reveals key details about how the ransomware operates.
Since its discovery, the Dire Wolf ransomware group has launched a series of targeted attacks across multiple sectors and regions, with an emphasis on the manufacturing and technology sectors.
Using a double extortion tactic, Dire Wolf not only encrypts the victim’s files but also threatens to publish stolen sensitive files unless a ransom is paid, escalating the threat beyond data loss to reputational damage. In this blog we delve into the group’s target preferences and present the very first analysis of the ransomware binary used to encrypt victim computers.
As of this writing, 16 victims have been publicly listed on the group’s leak site, spread across 11 nations. The US and Thailand have reported the highest number of attacks, followed by Taiwan.
Figure 1. Top Countries targeted by Dire Wolf
Among the published victims, the top targeted sectors are manufacturing and technology.
Figure 2. Top Sectors targeted by Dire Wolf
As Dire Wolf’s victim count continues to rise, understanding the tools and techniques behind its attacks becomes increasingly important. The sample recently uncovered by Trustwave SpiderLabs reveals key details about how the ransomware operates.
Analysis
The Dire Wolf ransomware sample was acquired through Trustwave’s VirusTotal hunting and was found to be packed with UPX, a common method threat actors use to obfuscate malware and hinder basic static analysis.
Figure 3. File details shown in Detect It Easy
Once unpacked, analysis of the binary showed that it was written in Golang. Golang is a cross-platform programming language that has become increasingly popular among cybercriminals because of its portability and ability to run across various operating systems with minimal modification. Some antivirus vendors still struggle to detect malware written in Golang, which is another reason for its growing popularity amongst threat actors.
Figure 4. Unpacked Code shown in HIEW
Upon inspection, the Dire Wolf cryptor supports the following command line arguments:
Parameter | Description
-h, -help | Display usage
-d <path> | Encrypts a specific path
When executed, the ransomware first checks whether the system has already been encrypted. It does this by looking for a file named “runfinish.exe” on the C drive, an empty marker file dropped after encryption. It also checks for the presence of the mutex “Global\direwolfAppMutex” to ensure only a single instance runs at a time.
Figure 5. Checking for runfinish.exe and Mutex
If either condition is met, the ransomware deletes itself and terminates execution using the following command:
cmd /C timeout /T 3 & del /f /q <path_to_self> & exit
Figure 6. Function containing the initial checks and self-deletion
After passing the initial checks, which ensure that the machine hasn’t already been encrypted and that no other Dire Wolf instance is running, the ransomware proceeds to disable event logging and terminate specific processes and services that may hinder its execution.
Figure 7. Series of functions executed to disable event logs and terminate processes and services
Below is a breakdown of each function involved in this stage of the attack:
Disable Windows Event Logs Function
This function is designed to continuously disable Windows system logging by terminating the “eventlog” process. It does this by executing a PowerShell command to retrieve the process ID of the “eventlog” service:
Get-WmiObject -Class win32_service -Filter "name = 'eventlog'" | select -exp ProcessId
Figure 8. Function to disable Windows eventlog
This command queries Windows Management Instrumentation (WMI) for the “eventlog” service and extracts its PID. With the PID in hand, it runs the following command to terminate the process:
cmd /c start taskkill /f /pid <PID>
Figure 9. Process termination via taskkill
Terminating Services Function
This function attempts to stop and disable a hardcoded list of 75 services. It first tries to stop each service using ControlService with control code 1 (SERVICE_CONTROL_STOP). If that fails, it executes the “sc stop <service name>” command to forcibly terminate the service.
Figure 10. Function to stop service via ControlService
Once it confirms the service is stopped, it disables the service using the following command:
sc config <service-name> start= disabled
Below is the list of hardcoded services the ransomware attempts to terminate, including those used by antivirus solutions such as Sophos, Symantec, and Qihoo 360.
AcrSch2Svc, BackExecRPCService, backup, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService,
BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, BackupExecVSSProvider, bedbg, CAARCUpdateSvc,
CASAD2DWebSvc, ccEvtMgr, ccSetMgr, Culserver, dbeng8, DefWatch,
GxBlr, GxCIMgr, GxCVD, GxFWD, GxVss, Intuit.QuickBooks.FCS,
memtas, mepocs, MsDtsServer150, MSExchange, msftesql-Exchange, msmdsrv,
MSSQL, MSSQLFDLauncher, MSSQLLaunchpad, MSSQLSERVER, MSSQLServerOLAPService, PDVFSService,
QBCFMonitorService, QBFCService, QBIDPService, RTVscan, SavRoam, sophos,
sql, sqladhlp, SQLADHLP, sqlagent, SQLAgent, SQLAgent$SHAREPOINT,
SQLBrowser, SQLPBDMS, SQLPBENGINE, SQLSERVERAGENT, SQLServerDistributedReplayClient, SQLServerDistributedReplayController,
SQLTELEMETRY, SQLWriter, SSASTELEMETRY, SSISScaleOutMaster150, SSISScaleOutWorker150, SSISTELEMETRY150,
stc_raw_agent, tomcat6, veeam, VeeamDeploymentService, VeeamNFSSvc, VeeamTransportSvc,
vmware-converter, vmware-usbarbitator64, VSNAPVSS, vss, WSBExchange, wuauserv,
YooBackup, YooIT, zhudongfangyu
Terminate Process Function
This function attempts to terminate a hardcoded list of 59 applications using the following command:
taskkill /F /IM <process_name>
The loop runs continuously to ensure these processes remain terminated.
Figure 11. Process Termination via taskkill
Below is the list of applications the ransomware attempts to terminate, including processes related to database software, office tools and anti-virus software.
agntsvc.exe, Culture.exe, dbeng50.exe, dbsnmp.exe, dbsrv12.exe, Defwatch.exe,
encsvc.exe, excel.exe, firefox.exe, httpd.exe, infopath.exe, isqlplussvc.exe,
memtas.exe, msaccess.exe, MSExchangeIS.exe, MSExchangeMailboxAssistants.exe, MSExchangeRepl.exe, MSExchangeRPC.exe,
MSExchangeServiceHost.exe, MSExchangeTransport.exe, mspub.exe, mydesktopqos.exe, mydesktopservice.exe, notepad++.exe,
notepad.exe, ocautoupds.exe, ocomm.exe, ocssd.exe, onedrive.exe, onenote.exe,
oracle.exe, outlook.exe, powerpnt.exe, RAgui.exe, sqbcoreservice.exe, sql.exe,
sqlagent.exe, sqlbrowser.exe, sqlmangr.exe, Sqlservr.exe, sqlservr.exe, sqlwriter.exe,
steam.exe, supervise.exe, synctime.exe, tbirdconfig.exe, thebat.exe, thunderbird.exe,
tomcat6.exe, visio.exe, vss.exe, vxmon.exe, WinSAT.exe, winword.exe,
wordpad.exe, wrapper.exe, wsa_service.exe, wxServerView.exe, xfssvccon.exe
Delete Backups, Recovery and Logs Function
This function is responsible for removing system recovery options by executing a series of Windows commands, as shown below:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete /nointeractive
wbadmin stop job -quiet
wbadmin disable backup -quiet
wbadmin delete backup -keepVersions:0 -quiet
wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 -quiet
wbadmin delete catalog -quiet
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
wevtutil cl Application
wevtutil cl system
wevtutil cl security
wevtutil cl setup
These commands are used to:
- Delete shadow copies via vssadmin and wmic
- Disable and delete Windows backups via wbadmin
- Disable recovery and boot error prompts via bcdedit
- Clear Windows event logs via wevtutil
Encryption
The ransomware uses a combination of the Curve25519 and ChaCha20 algorithms for its encryption and appends the “.direwolf” extension to encrypted files. It encrypts all files found on the machine except those with the following extensions: .exe, .dll, .sys, .drv, .bin, .tmp, .iso, .img and .direwolf.
It then drops the ransom note shown in Figure 12. Based on its contents, the encryptor appears to be tailored to a specific victim, as it contains a hardcoded room ID and login credentials unique to the targeted organization. The note provides login details for the group’s live chat room, including a room ID, username and password, allowing the victim to contact the threat actors directly for ransom negotiations. It also contains a link to a sample document uploaded to gofile.io as proof of data exfiltration. This strongly suggests that Dire Wolf conducts targeted attacks, using tailored encryptors and personalized negotiation channels specific to each victim.
Figure 12. Dire Wolf ransom note
After encryption, it will then delete itself and reboot the machine.
Dire Wolf Data Leak site
As of this writing, 15 victims are listed on their data leak site, including five whose exfiltrated files are set to be uploaded by the end of June. During investigation, we observed that the threat actors initially publish sample data and a list of exfiltrated files, then give the victims around one month to pay before releasing all the stolen data. The ransom demand from one of the victims was approximately $500,000.
Figure 13. Victims published on Dire Wolf Data Leak Site
On their “About” page, the Dire Wolf group claims to be financially motivated and not to hold any political stance.
Figure 14. About Us Note on Dire Wolf Data Leak Site
They also provide a qTox ID “B344BECDC01A1282F69CB82979F40439E15E1FD1EF1FE9748EE467F5869E2148E6F1E55959E2” for communication and claim to be based in New York, although the claimed location is not credible.
Figure 15. qTox ID and Alleged Location Visible on Dire Wolf Data Leak Site
Although no initial access, reconnaissance or lateral movement techniques used by Dire Wolf are known at this point, organizations should follow good security practices and enable monitoring for the techniques revealed in this analysis.
Trustwave ISA and Trustwave SpiderLabs provide a set of detection rules capturing the impact and defense evasion techniques listed in this blog as well as other common methods used by ransomware operators. The following procedures are among those detected by these use cases:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete /nointeractive
wbadmin disable backup -quiet
wbadmin delete backup -keepVersions:0 -quiet
wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 -quiet
wbadmin delete catalog -quiet
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
wevtutil cl Application
wevtutil cl system
wevtutil cl security
wevtutil cl setup
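As an added worked example (not code from the original analysis or from Trustwave), the following Python classifier runs the impact and defense-evasion command lines described in this post, the backup, recovery and log-clearing commands above together with the eventlog PID lookup, taskkill, sc config and timed self-deletion patterns described earlier, against a constructed set of process-creation command lines. The rule labels, regexes and sample lines are my own assumptions; in practice the input would be the CommandLine field of Sysmon Event ID 1 or Windows Event 4688.

```python
import re

# Constructed sample of process-creation command lines; not real telemetry. They
# mirror the commands described in the analysis plus two benign lines that must not fire.
SAMPLE_COMMAND_LINES = [
    "vssadmin delete shadows /all /quiet",
    "wmic shadowcopy delete /nointeractive",
    "wbadmin delete backup -keepVersions:0 -quiet",
    "bcdedit /set {default} recoveryenabled No",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "wevtutil cl security",
    "powershell Get-WmiObject -Class win32_service -Filter \"name = 'eventlog'\" | select -exp ProcessId",
    "cmd /c start taskkill /f /pid 1234",
    "sc config vss start= disabled",
    r"cmd /C timeout /T 3 & del /f /q C:\Users\Public\data345.exe & exit",
    "wevtutil qe Application /c:5",   # benign: queries a log instead of clearing it
    "sc config Spooler start= auto",  # benign: enables a service rather than disabling it
]

# Detection rules: (technique label, pattern). Case-insensitive and tolerant of spacing
# because every command is launched through cmd.exe or powershell.exe.
RULES = [
    ("shadow copy deletion (vssadmin)", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow copy deletion (wmic)", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup tampering (wbadmin)", re.compile(r"\bwbadmin(\.exe)?\s+(delete|disable|stop)\b", re.I)),
    ("recovery disabled (bcdedit)", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("event log cleared (wevtutil)", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    ("eventlog service PID lookup (WMI)", re.compile(r"win32_service.*name\s*=\s*'eventlog'", re.I)),
    ("forced kill by PID (taskkill)", re.compile(r"\btaskkill(\.exe)?\s+/f\s+/pid\s+\d+", re.I)),
    ("service disabled (sc config)", re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled\b", re.I)),
    ("timed self-deletion (timeout & del)", re.compile(r"\btimeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\b", re.I)),
]

def classify(command_line):
    """Return the technique labels that match one command line ([] when nothing fires)."""
    return [label for label, pattern in RULES if pattern.search(command_line)]

def scan(command_lines):
    """Return {command line: [labels]} for every line that matched at least one rule."""
    hits = {}
    for line in command_lines:
        labels = classify(line)
        if labels:
            hits[line] = labels
    return hits

if __name__ == "__main__":
    for line, labels in scan(SAMPLE_COMMAND_LINES).items():
        print(f"{'; '.join(labels):40} <- {line}")
```

Several of these hits in one short window on a single host (shadow copy deletion followed by wbadmin, bcdedit and wevtutil cl) is the sequence this sample executes, so correlating them is more useful than alerting on any single line.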
Additionally, Trustwave's Advanced Continual Threat Hunt (ACTH) with a new patent-pending methodology enables Trustwave to conduct threat hunts for potential malware and malicious activities.
IOCs:
Filename | Type | File Hash
data345.exe | Win64 EXE | MD5: A71dbf2e20c04da134f8be86ca93a619 SHA-1: Ed7c9fbd42605c790660df86b7ec325490f6d827 SHA-256: 8fdee53152ec985ffeeeda3d7a85852eb5c9902d2d480449421b4939b1904aad
data345.exe (unpacked) | Win64 EXE | MD5: aa62b3905be9b49551a07bc16eaad2ff SHA-1: 4a5852e9f9e20b243d8430b229e41b92949e4d69 SHA-256: 27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3
qTox ID
B344BECDC01A1282F69CB82979F40439E15E1FD1EF1FE9748EE467F5869E2148E6F1E55959E2
Data Leak Site
hxxp://direwolfcdkv5whaz2spehizdg22jsuf5aeje4asmetpbt6ri4jnd4qd[.]onion
About the Author
Nathaniel Morales is part of the Managed Threat Research team at SpiderLabs, Trustwave, where he specializes in threat hunting and malware analysis. He focuses on identifying emerging threats and developing detection use cases to stay ahead of evolving cyber adversaries. Follow Nathaniel on LinkedIn.