Dire Wolf Ransomware: Threat Combining Data Encryption and Leak Extortion

Sept. 3, 2025, 8:14 p.m.

Description

The DireWolf ransomware group emerged in May 2025, targeting various industries globally. They employ a double extortion technique, encrypting data and threatening to leak it. The ransomware uses a Curve25519 key exchange and ChaCha20 encryption, generating a unique key for each file. It implements anti-recovery measures, terminating backup processes, deleting logs, and disabling recovery environments. The malware encrypts files, creates ransom notes, and self-deletes after scheduling a system reboot. DireWolf's sophisticated approach, combining encryption, anti-analysis techniques, and data leakage threats, poses a significant risk to organizations across sectors.

Date

  • Created: Sept. 3, 2025, 5:31 p.m.
  • Published: Sept. 3, 2025, 5:31 p.m.
  • Modified: Sept. 3, 2025, 8:14 p.m.

Indicators

  • 7f877830ebafb0b809b96bac7baf4435e235ab7835f695006ff779e6178c3638
  • 27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3

Attack Patterns

  • Dire Wolf
  • DireWolf

Additional Information

  • Construction
  • Technology
  • Finance
  • Manufacturing
  • Australia
  • Taiwan
  • Italy
  • Thailand
  • United States of America