DireWolf is a ransomware group first observed in May 2025. It practices double extortion and communicates with victims over the Tox messenger, and has listed at least 16 victims across multiple countries and industries. Its ransomware encrypts files with ChaCha20 under per-file keys established by a Curve25519 key exchange, takes extensive anti-recovery and anti-analysis actions before encrypting, and appends the .direwolf extension to encrypted files. #DireWolf #Curve25519
Keypoints
- DireWolf first appeared in May 2025 and listed its initial victims on a darknet leak site on May 26; victims are directed to contact the group through the Tox messenger.
- The group practices double extortion: it encrypts files and threatens to publish stolen data, and has uploaded some of the stolen files to a free file-sharing site as proof of theft.
- Execution is controlled by command-line arguments (e.g., -d to restrict encryption to a specific directory). A mutex named Global\direwolfAppMutex prevents concurrent instances, and an empty completion marker at C:\runfinish.exe prevents re-infection of a host that has already been encrypted.
- Pre-encryption routines aggressively disable recovery and logging: shadow copies are deleted, backups are removed, WinRE is disabled, event logs are cleared, and the Event Log service is repeatedly located and terminated.
- Processes and services tied to databases, mail, virtualization, backup, and security products (e.g., sqlservr.exe, MSExchangeIS, VeeamTransportSvc) are terminated to hinder recovery and monitoring.
- Each file is encrypted with a fresh random Curve25519 private key; the shared secret computed against a public key hard-coded in the binary is hashed with SHA-256 to derive the ChaCha20 key. Files smaller than 1 MB are encrypted in full; for larger files only the first 1 MB is encrypted, which speeds up impact and leaves the remainder of large files in plaintext.
- After encryption the malware creates the empty marker C:\runfinish.exe, schedules a forced reboot (shutdown -r -f -t 10), and runs a self-deletion routine that removes its own binary, complicating forensic collection.
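The encryption scheme in the keypoint above, as an added example that is not DireWolf's code and not taken from the ASEC report. It implements X25519 and ChaCha20 by hand from RFC 7748 and RFC 8439 so that it runs on the standard library alone, and wires them together the way the summary describes: a fresh Curve25519 key per file, a shared secret against the public key hard-coded in the binary, SHA-256 of that secret as the ChaCha20 key, and only the first 1 MB of a large file encrypted. The header layout (ephemeral public key followed by a 12-byte nonce), the nonce handling, and the use of the raw SHA-256 digest with no further context are assumptions of this example; the `limit` parameter exists only so the partial-encryption path can be exercised on small inputs.

```python
import hashlib
import os
import struct

# --- X25519 (RFC 7748) ---------------------------------------------------------
P = 2**255 - 19
_A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication; both inputs 32-byte little-endian."""
    k = _clamp(scalar)
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + _A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# --- ChaCha20 (RFC 8439) --------------------------------------------------------
_M = 0xFFFFFFFF

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _M; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _M; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _M; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _M; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """XOR data with the ChaCha20 keystream (32-byte key, 12-byte nonce)."""
    head = list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
    tail = list(struct.unpack("<3I", nonce))
    out = bytearray()
    for off in range(0, len(data), 64):
        state = head + [(counter + off // 64) & _M] + tail
        w = state[:]
        for _ in range(10):
            _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
            _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
        ks = struct.pack("<16I", *[(x + y) & _M for x, y in zip(w, state)])
        out += bytes(p ^ q for p, q in zip(data[off:off + 64], ks))
    return bytes(out)

# --- DireWolf-style hybrid file encryption --------------------------------------
FULL_ENCRYPT_MAX = 1 << 20   # files below 1 MB are encrypted in full; larger ones
                             # only in their first 1 MB (from the summary above)

def encrypt_file(plaintext: bytes, attacker_pub: bytes, limit: int = FULL_ENCRYPT_MAX) -> bytes:
    """Per-file random X25519 key -> ECDH with the hard-coded attacker key ->
    SHA-256 -> ChaCha20. The header layout (ephemeral pub || 12-byte nonce) is an
    assumption of this example, not a documented DireWolf file format."""
    eph_priv = os.urandom(32)                 # never written to disk
    eph_pub = x25519(eph_priv, BASEPOINT)
    key = hashlib.sha256(x25519(eph_priv, attacker_pub)).digest()
    nonce = os.urandom(12)
    n = len(plaintext) if len(plaintext) < limit else limit
    return eph_pub + nonce + chacha20_xor(key, nonce, plaintext[:n]) + plaintext[n:]

def decrypt_file(blob: bytes, attacker_priv: bytes, limit: int = FULL_ENCRYPT_MAX) -> bytes:
    """Only the holder of the attacker's private key can rebuild the shared secret."""
    eph_pub, nonce, body = blob[:32], blob[32:44], blob[44:]
    key = hashlib.sha256(x25519(attacker_priv, eph_pub)).digest()
    n = len(body) if len(body) < limit else limit
    return chacha20_xor(key, nonce, body[:n]) + body[n:]

if __name__ == "__main__":
    attacker_priv = os.urandom(32)                    # stays with the attacker
    attacker_pub = x25519(attacker_priv, BASEPOINT)   # what the binary hard-codes
    doc = b"Q2 payroll " * 20000                      # ~220 KB, so encrypted in full
    blob = encrypt_file(doc, attacker_pub)
    print("ciphertext differs from plaintext:", blob[44:] != doc)
    print("round trip with attacker key:", decrypt_file(blob, attacker_priv) == doc)
```

Two things the scheme makes concrete for responders. Because the per-file private key is discarded after use, the shared secret (and so the ChaCha20 key) cannot be reconstructed from anything left on the host, which is why only the attacker's private key decrypts. And for files over 1 MB everything after the first megabyte is still plaintext, so string searches, carving and partial recovery of large databases, VM disks and archives remain possible.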
MITRE Techniques
- [T1486] Data Encrypted for Impact – Files are encrypted and renamed with the .direwolf extension: "…giving the affected file the .direwolf extension."
- [T1489] Service Stop – Services such as BackupExecJobEngine, SQLSERVERAGENT, VeeamTransportSvc, and MSExchangeIS are forcibly terminated to block recovery and monitoring: "…termination of these services…renders monitoring and security features powerless."
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Stolen files were uploaded to a free file-sharing site as proof of theft: "…uploaded some of the leaked files to a free file-sharing site…as a means of proving that the data had actually been stolen."
- [T1490] Inhibit System Recovery – vssadmin, wbadmin, and bcdedit are used to delete shadow copies, delete backups, and disable WinRE: "…vssadmin delete shadows /all /quiet", "wbadmin delete backup -keepVersions:0 -quiet", "bcdedit /set {default} recoveryenabled No".
- [T1070.001] Indicator Removal: Clear Windows Event Logs – The eventlog service is repeatedly located and terminated, and wevtutil cl deletes the major logs: "…wevtutil cl command to delete the major event logs, including the Application, System, Security, and Setup logs."
- [T1036.005] Masquerading: Match Legitimate Name or Location – The completion marker is an empty file with an executable name at C:\runfinish.exe, and the ransom note is dropped as HowToRecoveryFiles.txt: "…creates an empty marker file in the C:\runfinish.exe path…"
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Disruptive and cleanup operations are run through cmd.exe and built-in Windows utilities (taskkill, wbadmin, vssadmin, bcdedit, wevtutil, shutdown, timeout): "…forcibly terminates it with the taskkill command…"
- [T1499] Endpoint Denial of Service – The encryption worker pool (8 goroutines per logical CPU) drives CPU usage and the disk queue up for as long as it runs: "…can significantly increase CPU usage and the disk queue, leading to performance degradation and service delays."
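The recovery-inhibition and anti-forensics chain mapped above, expressed as detection logic over constructed Sysmon-style process-creation records. This is an added example, not code from the ASEC report or from DireWolf. The sample records, the regular expressions, the 30-minute correlation window, and the T1529 (System Shutdown/Reboot) tag for the forced reboot are choices of this example; the other technique IDs follow the mapping above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records (EventID 1: host, UTC time,
# command line); not real telemetry. WS01 is a benign admin session, FS02 replays
# the DireWolf command chain summarised above.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2025-05-26T09:00:01", "cmdline": "vssadmin list shadows"},
    {"host": "WS01", "ts": "2025-05-26T09:05:40", "cmdline": "wevtutil qe Application /c:5"},
    {"host": "FS02", "ts": "2025-05-26T02:14:03", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS02", "ts": "2025-05-26T02:14:04", "cmdline": "wbadmin delete backup -keepVersions:0 -quiet"},
    {"host": "FS02", "ts": "2025-05-26T02:14:05", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS02", "ts": "2025-05-26T02:14:06", "cmdline": "wevtutil cl Security"},
    {"host": "FS02", "ts": "2025-05-26T02:14:07", "cmdline": 'taskkill /F /FI "SERVICES eq eventlog"'},
    {"host": "FS02", "ts": "2025-05-26T02:14:08", "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"host": "FS02", "ts": "2025-05-26T02:31:10", "cmdline": "shutdown -r -f -t 10"},
]

# Atomic indicators: (technique ID, label, pattern over the command line). Each one
# is noisy on its own (admins run vssadmin and wevtutil too); the per-host
# correlation in detect() is what makes the alert worth paging on.
RULES = [
    ("T1490", "shadow copies deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "backup catalog deleted", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+backup", re.I)),
    ("T1490", "WinRE disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1070.001", "event log cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1489", "Event Log service killed", re.compile(r"\btaskkill(\.exe)?\b.*\beventlog\b", re.I)),
    ("T1489", "backup/DB/mail service killed", re.compile(
        r"\btaskkill(\.exe)?\b.*\b(sqlservr|MSExchangeIS|VeeamTransportSvc|BackupExecJobEngine|SQLSERVERAGENT)\b",
        re.I)),
    # T1529 is a real ATT&CK ID but is not part of the page's own mapping.
    ("T1529", "forced reboot scheduled", re.compile(r"\bshutdown(\.exe)?\s.*-r\b.*-f\b", re.I)),
]

def match_event(cmdline: str) -> list:
    """Return the (technique, label) pairs whose pattern matches one command line."""
    return [(tech, label) for tech, label, rx in RULES if rx.search(cmdline)]

def detect(events, window=timedelta(minutes=30), min_distinct=2) -> list:
    """Per host, raise one alert when at least `min_distinct` different techniques
    fire inside any `window`-long span of matching commands (sliding window over
    the time-sorted hits). Returns one alert dict per offending host."""
    hits = defaultdict(list)
    for ev in events:
        for tech, label in match_event(ev["cmdline"]):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tech, label, ev["cmdline"]))
    alerts = []
    for host, host_hits in hits.items():
        host_hits.sort()
        for i, (start, _, _, _) in enumerate(host_hits):
            span = [h for h in host_hits[i:] if h[0] - start <= window]
            techs = sorted({h[1] for h in span})
            if len(techs) >= min_distinct:
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "techniques": techs, "commands": [h[3] for h in span]})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["first_seen"], alert["techniques"])
        for cmd in alert["commands"]:
            print("   ", cmd)
```

The benign WS01 session produces no hits because the rules key on the destructive verbs (delete shadows, delete backup, cl, recoveryenabled No) rather than on the utility names; FS02 trips four distinct techniques within seconds and is reported once. In production the same logic would read Sysmon EventID 1 or Security 4688 with command-line auditing enabled, and the reboot rule is only useful as a late-stage corroborator, since by then encryption has finished.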
Indicators of Compromise
- [File Hash] Sample MD5 hashes observed – 333fd9dd9d84b58c4eef84a8d07670dd, 44da29144b151062bce633e9ce62de85
- [File Hash] Additional MD5 examples – aa62b3905be9b49551a07bc16eaad2ff, bc6912c853be5907438b4978f6c49e43
- [File Name] Ransom note and marker – HowToRecoveryFiles.txt (ransom note created in each folder), C:\runfinish.exe (empty encryption-completion marker)
- [Command/Artifact] Recovery/cleanup commands used – vssadmin delete shadows /all /quiet, wbadmin delete backup -keepVersions:0 -quiet (remove shadow copies and backups)
Read more: https://asec.ahnlab.com/en/89944/