WereWolves Ransomware is a Russian-speaking group that emerged in 2023 and has built a notable online presence while expanding its victim list to at least 23. They deploy a LockBit3 variant with double extortion, encrypting data and threatening to leak it publicly unless a ransom is paid.
Keypoints
- WereWolves is a Russian-speaking ransomware group that appeared in May 2023 and has since gained notoriety.
- They employ double extortion: encryption plus a threat to publicly release stolen data.
- The group appears to use a variant of LockBit3 and may be affiliated with LockBit in some capacity.
- The reported number of victims was 23 as of January 9, 2024; the group targets easy-to-attack mid-to-small enterprises across diverse sectors.
- Recruitment and online presence are unusually open and humorous, including a “Work in our team” section on their site.
- The group’s leak-site activity and its victim overlap with LockBit raise questions about connections between the two groups, including names like the Agency for Electronic Communications and La Poste Mobile.
MITRE Techniques
- [T1486] Data Encrypted for Impact – They encrypt victim data as part of double extortion; “double extortion tactics, where they not only encrypt the victim’s data but also threaten to release it publicly unless a ransom is paid.”
- [T1041] Exfiltration – They exfiltrate data and threaten to release it publicly unless ransom is paid; “double extortion tactics, where they not only encrypt the victim’s data but also threaten to release it publicly unless a ransom is paid.”
Indicators of Compromise
- [Domain] – The 4th of the 5 victims has a .ru domain
- [Organization] – Victims named include Agency for Electronic Communications and La Poste Mobile
Read more: https://socradar.io/dark-web-profile-werewolves-ransomware/