Zettawise Cyber Range focuses on assessing vulnerabilities in the process safety, system reliability and physical reliability of the operational technology (OT) that runs critical infrastructure.


The newly emerged ‘Dire Wolf’ ransomware gang has already hit 16 global firms—mainly in tech and manufacturing—within just a month, researchers report. 

Trustwave reports that the group uses double extortion, gives victims a month to pay, and deploys custom-built encryptors tailored to each target. 

The group’s reach spans 11 countries, with the most attacks in the US and Thailand, followed by Taiwan. Five victims are facing imminent data leaks, likely for non-payment, according to the post.

 "During investigation, we observed that the threat actors initially publish sample data and a list of exfiltrated files, then give the victims around one month to pay before releasing all the stolen data," Trustwave SpiderLabs' Nathaniel Morales explained in the post. "The ransom demand from one of the victims was approximately $500,000." 

Trustwave analyzed a Dire Wolf ransomware sample that was packed with UPX to hinder static analysis. Once unpacked, the binary turned out to be written in Go, a language threat actors favor because it cross-compiles easily for multiple platforms and because its large, statically linked binaries are handled poorly by many antivirus and static-analysis tools. 

Upon execution, Dire Wolf checks if the system is already encrypted or if the mutex "Global\direwolfAppMutex" exists to prevent multiple instances. If either is true, it self-deletes and stops running. 
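The mutex check above is the usual CreateMutexW-then-ERROR_ALREADY_EXISTS pattern, and it cuts both ways: a defender who creates and holds the same named mutex first makes this sample believe another instance is already running, so it self-deletes. The following Python is an added example (not Trustwave's or the malware's code) showing both the decision the encryptor makes and a "vaccine" that pre-creates the name the article reports; the function names and the ctypes call layout are this example's own choices.

```python
import ctypes
import sys

MUTEX_NAME = r"Global\direwolfAppMutex"   # name the article reports the sample checks
ERROR_ALREADY_EXISTS = 183                # winerror.h: CreateMutexW sets this when the name is taken


def classify_create_mutex(handle: int, last_error: int) -> str:
    """The decision the encryptor makes after CreateMutexW: a valid handle plus
    ERROR_ALREADY_EXISTS means another process owns the name (this sample then
    self-deletes); a valid handle without that error means it is the first
    instance and carries on; no handle at all means the call failed."""
    if not handle:
        return "failed"
    return "already_exists" if last_error == ERROR_ALREADY_EXISTS else "created"


def hold_vaccine_mutex(name: str = MUTEX_NAME):
    """Defender side: create the mutex first so a later instance of this sample
    sees it and exits. Returns the handle, which must stay open for the life of
    the process (the kernel object vanishes when its last handle closes), or
    None when not running on Windows."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p]
    k32.CreateMutexW.restype = ctypes.c_void_p
    handle = k32.CreateMutexW(None, 0, name)
    state = classify_create_mutex(handle, ctypes.get_last_error())
    if state == "failed":
        raise OSError(ctypes.get_last_error(), "CreateMutexW failed")
    print(f"{name}: {state}")
    return handle


if __name__ == "__main__":
    h = hold_vaccine_mutex()
    if h is not None:
        input("Vaccine mutex held; press Enter to release it.")
```

Two caveats a practitioner would want: the name is specific to the analyzed build and costs the operators nothing to change, and the mutex only exists while some process holds the handle, so a vaccine has to run as a persistent process or service rather than as a one-off script.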

In the absence of both conditions, Dire Wolf disables event logging and shuts down certain processes. As Morales explained, one function "is designed to continuously disable Windows system logging by terminating the 'eventlog' process … by executing a PowerShell command." It also kills services and applications and removes recovery options via Windows commands. 
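The behaviours described above leave footprints that are easy to hunt for: a PowerShell process whose command line tries to stop "eventlog", the Security event 1100 that the event logging service writes as it shuts down, and (from the encryption section of the article) files appearing with the .direwolf extension. The Python below is an added example, not Trustwave's detection content, that runs three such rules over a constructed batch of Sysmon-style events. Because the article does not quote the exact PowerShell command the sample uses, the stop-verb pattern is deliberately broad; the event shape, field names and sample log lines are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon/Windows event shape used by the rules (constructed for this example)."""
    event_id: int
    image: str = ""
    command_line: str = ""
    target_filename: str = ""
    message: str = ""


POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# The usual ways to stop a service or process from a PowerShell command line.
# The article does not give the exact command, so this list is intentionally broad.
STOP_VERB = re.compile(
    r"\b(stop-service|stop-process|taskkill|sc(?:\.exe)?\s+stop|net(?:\.exe)?\s+stop)\b", re.I)
EVENTLOG_REF = re.compile(r"\beventlog\b", re.I)


def rule_eventlog_tamper(ev: Event) -> Optional[str]:
    """Sysmon event 1 (process create): PowerShell trying to stop 'eventlog'."""
    if ev.event_id == 1 and ev.image.lower().endswith(POWERSHELL_IMAGES):
        if STOP_VERB.search(ev.command_line) and EVENTLOG_REF.search(ev.command_line):
            return "PowerShell stopping the eventlog service/process"
    return None


def rule_logging_stopped(ev: Event) -> Optional[str]:
    """Security event 1100 is written as the event logging service shuts down;
    it is typically the last entry before a gap in the log."""
    if ev.event_id == 1100:
        return "event logging service shut down"
    return None


def rule_direwolf_extension(ev: Event) -> Optional[str]:
    """Sysmon event 11 (file create) carrying the .direwolf extension the article reports."""
    if ev.event_id == 11 and ev.target_filename.lower().endswith(".direwolf"):
        return "file written with .direwolf extension"
    return None


RULES = (rule_eventlog_tamper, rule_logging_stopped, rule_direwolf_extension)


def scan(events):
    """Return (index, event_id, reason) for every event that some rule matches."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((idx, ev.event_id, reason))
    return hits


# Constructed sample telemetry: benign admin activity mixed with the behaviours
# the article describes. These are not real Dire Wolf logs.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -NoProfile Get-Service -Name eventlog"),  # read-only, benign
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line='powershell.exe -w hidden -c "Stop-Service -Name eventlog -Force"'),
    Event(1100, message="The event logging service has shut down."),
    Event(11, image=r"C:\Users\finance\direwolf.exe",
          target_filename=r"C:\Users\finance\Documents\q2-forecast.xlsx.direwolf"),
    Event(11, image=r"C:\Program Files\Backup\agent.exe",
          target_filename=r"C:\Backups\daily.bak"),
]

if __name__ == "__main__":
    for idx, event_id, reason in scan(SAMPLE_EVENTS):
        print(f"event #{idx} (id {event_id}): {reason}")
```

Running it flags events 1, 2 and 3 and leaves the read-only Get-Service call and the backup agent's file write alone. The eventlog rule is the one to alert on first: by the time .direwolf files appear, encryption is already under way, and once event 1100 has fired the host's own log is no longer a witness.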

Inside Dire Wolf: How It Encrypts and Demands Ransom  

Dire Wolf ransomware uses Curve25519 (key exchange) together with ChaCha20 (stream cipher) for encryption, tagging encrypted files with a .direwolf extension. It avoids encrypting certain file types, including .exe, .dll, .sys, .drv, .bin, .tmp, .iso, .img, and its own .direwolf. 
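The pairing named above is the standard hybrid envelope used by most modern ransomware: a Curve25519 (X25519) key agreement per file yields a fresh ChaCha20 key, the ephemeral public half is stored with the ciphertext, and the ephemeral private half is discarded, so nothing on the victim's disk or in memory after the fact can recover the file key without the operators' private key. The Python below is an added example (it is not the Dire Wolf encryptor and says nothing about its real file format) that demonstrates that scheme together with the extension skip list the article reports, over an in-memory "file tree". It assumes the `cryptography` package; the header layout, the HKDF step, the use of the Poly1305-authenticated ChaCha20 variant and the function names are this example's own choices.

```python
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

# Extensions the article reports the encryptor leaves alone (system/binary files stay
# bootable; already-encrypted files are not touched twice).
SKIP_EXTENSIONS = {".exe", ".dll", ".sys", ".drv", ".bin", ".tmp", ".iso", ".img", ".direwolf"}
MARKER = ".direwolf"
EPH_PUB_LEN, NONCE_LEN = 32, 12   # header layout assumed for this example


def should_skip(path: str) -> bool:
    return os.path.splitext(path)[1].lower() in SKIP_EXTENSIONS


def file_key_from(shared_secret: bytes) -> bytes:
    # Raw X25519 output is never used as a cipher key directly; run it through a KDF.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"example-file-key").derive(shared_secret)


def encrypt_blob(plaintext: bytes, operator_pub: X25519PublicKey) -> bytes:
    """Per-file ephemeral X25519 + ChaCha20-Poly1305. The ephemeral private key is
    dropped, so only the holder of the operator private key can rebuild the file key."""
    eph = X25519PrivateKey.generate()
    key = file_key_from(eph.exchange(operator_pub))
    nonce = os.urandom(NONCE_LEN)
    ct = ChaCha20Poly1305(key).encrypt(nonce, plaintext, None)
    eph_pub = eph.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    return eph_pub + nonce + ct          # 44-byte header, then ciphertext || 16-byte tag


def decrypt_blob(blob: bytes, operator_priv: X25519PrivateKey) -> bytes:
    """What the operators' decryptor does once the ransom is paid."""
    eph_pub = X25519PublicKey.from_public_bytes(blob[:EPH_PUB_LEN])
    nonce = blob[EPH_PUB_LEN:EPH_PUB_LEN + NONCE_LEN]
    key = file_key_from(operator_priv.exchange(eph_pub))
    return ChaCha20Poly1305(key).decrypt(nonce, blob[EPH_PUB_LEN + NONCE_LEN:], None)


def encrypt_tree(files: dict, operator_pub: X25519PublicKey) -> dict:
    """Apply the skip list and the cipher to an in-memory {path: bytes} tree; encrypted
    entries are renamed with the marker extension, skipped ones pass through unchanged."""
    out = {}
    for path, data in files.items():
        if should_skip(path):
            out[path] = data
        else:
            out[path + MARKER] = encrypt_blob(data, operator_pub)
    return out


def operator_keypair():
    """The key pair the operators hold; only the public half ships inside the encryptor."""
    priv = X25519PrivateKey.generate()
    return priv, priv.public_key()


# Constructed sample "filesystem" for a stand-alone run.
SAMPLE_TREE = {
    "C:/Users/finance/Documents/q2-forecast.xlsx": b"PK\x03\x04 spreadsheet bytes",
    "C:/Windows/System32/ntdll.dll": b"MZ dll bytes",
    "C:/Users/finance/Documents/memo.txt": b"quarterly memo",
}

if __name__ == "__main__":
    priv, pub = operator_keypair()
    result = encrypt_tree(SAMPLE_TREE, pub)
    for path, data in result.items():
        print(f"{path}: {len(data)} bytes")
    print(decrypt_blob(result["C:/Users/finance/Documents/memo.txt.direwolf"], priv))
```

The design point for responders: a file-encryption key exists only transiently inside the encryptor process, and the only durable material on the host is the ephemeral public key in each file header, which is useless without the operators' private key. Recovery therefore comes from backups and snapshots, which is exactly why the sample removes recovery options before it starts encrypting.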

Dire Wolf drops a ransom note suggesting its encryptor is victim-specific, as it includes a hardcoded room ID and login credentials unique to the targeted organization, Morales noted. The note also shares access to a live chat room for direct ransom negotiations. 

According to the post, Dire Wolf includes a gofile[.]io link to a sample document as proof of data exfiltration from the victim’s system. "This strongly suggests that Dire Wolf conducts targeted attacks, utilizing tailored encryptors and personalized negotiation channels specific to their victims," Morales wrote. 

27 Jun 2025
New Ransomware ‘Dire Wolf’ Ravages Tech and Manufacturing Firms