A newly emerged ransomware group known as Dire Wolf has appeared with precision-targeted attacks, aggressive data encryption tactics, and a custom-built negotiation infrastructure. First observed in May 2025, Dire Wolf has already impacted victims across 11 countries, with a focus on the manufacturing and technology sectors, according to new research from Trustwave SpiderLabs.
“Since its discovery, Dire Wolf ransomware group has launched a series of targeted attacks… emphasizing manufacturing and technology sectors,” the report notes.
Dire Wolf employs a double extortion model: encrypting files while threatening to leak exfiltrated data. Victims are forced to either pay the ransom or face public exposure of their confidential data. At the time of the report, 16 victims had been publicly listed on the group’s leak site—primarily in the US, Thailand, and Taiwan.
“Dire Wolf not only encrypts the victim’s files but also threatens to publish stolen sensitive files unless a ransom is paid,” SpiderLabs warns.
Trustwave researchers obtained a sample of the Dire Wolf ransomware via VirusTotal. Initially packed with UPX for obfuscation, the sample revealed that the malware was written in Golang, a language favored by attackers for its cross-platform capabilities and evasiveness.
Once unpacked, the malware displayed sophisticated behavior:
- It checks for prior infection using a file named runfinish.exe and a mutex Global\direwolfAppMutex.
- If found, it self-deletes and exits using the command: cmd /C timeout /T 3 & del /f /q <path_to_self> & exit
“The ransomware first checks if the system has already been encrypted… and terminates execution if so,” explains the report.
To avoid detection and maximize impact, Dire Wolf:
- Disables Windows Event Logs using WMI and PowerShell: Get-WmiObject -Class win32_service -Filter "name = 'eventlog'" | select -exp ProcessId
- Terminates over 75 services, including major antivirus programs like Sophos, Symantec, and Qihoo 360.
- Kills 59 processes tied to productivity tools (Word, Excel), database servers, and common applications via taskkill.
“This function attempts to stop and disable a hardcoded list of 75 services… including those used by antivirus solutions,” SpiderLabs states.
Before encrypting data, Dire Wolf aggressively deletes backups and disables recovery systems:
- Executes commands like vssadmin delete shadows /all /quiet and wbadmin delete catalog -quiet
- Clears all event logs via wevtutil cl
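As an added example, not code from the Trustwave report or from the malware: a small Python triage script that flags the backup-deletion, log-clearing and self-deletion command lines described above in process-creation events. The events are constructed here with Sysmon-style field names, and the parent process path is an assumed placeholder.

```python
import json
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are not from the report; the command lines mirror the ones the article describes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet", "ParentImage": r"C:\Users\Public\update.exe"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet", "ParentImage": r"C:\Users\Public\update.exe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security", "ParentImage": r"C:\Users\Public\update.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /C timeout /T 3 & del /f /q C:\Users\Public\update.exe & exit",
     "ParentImage": r"C:\Users\Public\update.exe"},
    # Benign administrative use of vssadmin; must not fire.
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Each rule is a name plus a case-insensitive regex over the command line.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("event_log_clearing", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("self_delete_via_cmd", re.compile(r"\btimeout\s+/T\s+\d+\s*&\s*del\s+/f\s+/q\b", re.I)),
]

def match_event(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, pat in RULES if pat.search(cmd)]

def triage(events):
    """Group rule hits by parent process. Two or more distinct rules firing under
    the same parent is the chained behaviour the report describes (backup deletion,
    log clearing, self-deletion) and is scored 'high'; a single hit is 'medium'."""
    by_parent = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            by_parent.setdefault(ev.get("ParentImage", "?"), set()).update(hits)
    return {parent: {"rules": sorted(rules), "severity": "high" if len(rules) >= 2 else "medium"}
            for parent, rules in by_parent.items()}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```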
Encryption is handled using Curve25519 and ChaCha20, ensuring strong cryptographic protection. The ransomware appends a “.direwolf” extension to encrypted files and excludes system-critical extensions like .exe, .dll, and .sys.
A personalized ransom note is dropped, complete with a hardcoded Room ID, login credentials, and a gofile.io proof link—suggesting each sample is customized for its victim.
“The encryptor appears to be tailored to a specific victim… including a live chat room for negotiation,” the report highlights.
Dire Wolf’s leak site reveals a calculated extortion model:
- Victims are initially exposed with sample data and file listings
- They are given approximately one month to pay before full leaks occur
- Ransom demands observed have reached up to $500,000
“Victims are given around one month to pay before releasing all the stolen data,” SpiderLabs observed.
Interestingly, the threat actors claim to be financially motivated and not politically affiliated, though their alleged base in New York is viewed as dubious.