DireWolf execution flow | Image: AhnLab
The DireWolf ransomware group first appeared in May 2025 and has quickly become an active threat to organizations across several industries and regions. According to AhnLab, “On May 26 of the same month, they disclosed their first 6 victims on a darknet leak site, marking the beginning of their full-fledged activities.”
DireWolf’s operations are financially motivated, with the group stating their “only goal is money” and relying on the encrypted Tox messenger for victim communication. Their targets span manufacturing, IT, construction, and finance sectors, with victims reported in Asia, Australia, Italy, the United States, Thailand, and Taiwan. To pressure victims, the group employs a double extortion model, encrypting critical files while also threatening to leak stolen data.
So far, AhnLab confirms that “16 organizations in 16 regions have fallen victim to their attacks.”
A notable trait of DireWolf is that its behaviour is driven entirely by command-line arguments rather than by an embedded or dropped configuration file. Once launched, it checks for a mutex (Global\direwolfAppMutex) and for an encryption-complete marker file (C:\runfinish.exe); if either exists, the host has already been processed and the sample stops, so a machine is not encrypted twice.
The malware then spawns a worker pool of eight times the number of logical CPUs. That makes file encryption fast, but it also pins the CPU and slows the system noticeably, which is itself a visible symptom during an attack.
Key anti-recovery measures include:
- Self-deletion routines to erase forensic evidence.
- Termination of Windows Event Log services to block monitoring.
- Deletion of shadow copies and backups using vssadmin and wbadmin.
- Disabling Windows Recovery Environment (WinRE).
- Targeted termination of services and processes that would either hold files open or interfere with encryption: databases (MSSQL), mail servers (Exchange), virtualization platforms (VMware), backup software (Veeam) and security tools (Sophos).
Together these steps remove every on-host recovery path, so a victim without offline or immutable backups is left with little alternative to paying.
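The anti-recovery steps above are the most detectable part of the chain, because each one is a process launch with a tell-tale command line. The Python below is an added example of that detection logic (it is not AhnLab's or DireWolf's code): it scans constructed process-creation events for the tools the report names and raises a host for triage only when several distinct steps appear on it together, since a single shadow-copy deletion can be a legitimate admin task. The command-line switches, the event format, the sample events and the two-technique threshold are assumptions made for the example; the mutex name and marker path are the ones the report gives.

```python
"""Flag DireWolf-style anti-recovery commands in process-creation telemetry.

Added example; the report names the tools, not the exact switches, so the
patterns below are assumptions based on common usage of those tools.
"""
import re
from collections import defaultdict

# Host artifacts quoted in the AhnLab report.
DIREWOLF_MUTEX = r"Global\direwolfAppMutex"
DIREWOLF_MARKER = r"C:\runfinish.exe"

# Technique label -> command-line pattern (syntax assumed, not from the report).
ANTI_RECOVERY = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|backup|systemstatebackup)\b", re.I)),
    ("winre_disabled",
     re.compile(r"\breagentc(\.exe)?\b.*\s/disable\b", re.I)),
    ("eventlog_cleared",
     re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I)),
    ("eventlog_service_stopped",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+eventlog\b", re.I)),
]

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style).
SAMPLE_EVENTS = [
    {"host": "FS01", "time": "2025-06-02T03:14:05Z", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "time": "2025-06-02T03:14:06Z", "user": "CORP\\svc_backup",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "FS01", "time": "2025-06-02T03:14:07Z", "user": "CORP\\svc_backup",
     "cmdline": "reagentc.exe /disable"},
    {"host": "FS01", "time": "2025-06-02T03:14:09Z", "user": "CORP\\svc_backup",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS07", "time": "2025-06-02T09:02:11Z", "user": "CORP\\alice",
     "cmdline": "vssadmin.exe list shadows"},           # benign admin query
    {"host": "WS07", "time": "2025-06-02T09:05:40Z", "user": "CORP\\alice",
     "cmdline": "wevtutil.exe qe Application /c:5"},    # benign log query
]


def scan_events(events):
    """Return one hit per (event, technique) match."""
    hits = []
    for ev in events:
        for technique, pattern in ANTI_RECOVERY:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "time": ev["time"],
                             "technique": technique, "cmdline": ev["cmdline"]})
    return hits


def hosts_to_triage(events, min_techniques=2):
    """Hosts showing at least `min_techniques` distinct anti-recovery actions.

    One shadow-copy deletion may be maintenance; several of these steps in
    quick succession on one host is the ransomware pattern."""
    seen = defaultdict(set)
    for hit in scan_events(events):
        seen[hit["host"]].add(hit["technique"])
    return sorted(h for h, techs in seen.items() if len(techs) >= min_techniques)


def match_host_artifacts(mutex_names, file_paths):
    """Case-insensitive check of collected mutex names and file paths against
    the two artifacts from the report (gather them with EDR or a handle/file
    listing tool)."""
    found = []
    if any(m.lower() == DIREWOLF_MUTEX.lower() for m in mutex_names):
        found.append("mutex:" + DIREWOLF_MUTEX)
    if any(p.lower() == DIREWOLF_MARKER.lower() for p in file_paths):
        found.append("file:" + DIREWOLF_MARKER)
    return found


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f'{hit["time"]} {hit["host"]:5} {hit["technique"]:26} {hit["cmdline"]}')
    print("triage:", hosts_to_triage(SAMPLE_EVENTS))
    print("artifacts:", match_host_artifacts([DIREWOLF_MUTEX], [DIREWOLF_MARKER]))
```

Running it lists the four hits on FS01 and none on WS07, and returns only FS01 for triage. In a real deployment the events would come from a SIEM query rather than the inline list, and the time window for the threshold would be bounded (the report describes these steps as part of one execution, so minutes, not days).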
The group employs a hybrid encryption scheme that combines a Curve25519 key exchange with the ChaCha20 stream cipher. Each file is encrypted with its own key, so recovering one file's key does not help with any other, and, if the construction is implemented correctly, the file keys cannot be rebuilt without the operator's private Curve25519 key.
As AhnLab explains, “Small files under 1 MB are fully encrypted, while large files over 1 MB have only the first 1 MB segment encrypted. This method provides a similar level of protection to full encryption while significantly increasing the processing speed.”
The resulting files carry the .direwolf extension, locking organizations out of critical systems. One caveat for responders: for files over 1 MB everything past the first megabyte remains in plaintext, so even though headers and the structures needed to open such files normally are destroyed, carving may still recover usable fragments of large files such as database pages, media and archives.
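To make the scheme described above concrete, the following Python is an added illustration of how a Curve25519 + ChaCha20 hybrid with a per-file key and the 1 MB partial-encryption rule fits together. It is not DireWolf's code or AhnLab's. Several details are assumptions, because the report does not state them: that the operator's static X25519 public key is embedded in the sample, that the per-file key is SHA-256 of an X25519 shared secret computed with a fresh ephemeral key pair per file, and that the ephemeral public key and a 12-byte nonce are prepended to the output. X25519 (RFC 7748) and ChaCha20 (RFC 8439) are written out in pure Python so the example runs without third-party packages; they are not constant-time and are for illustration only.

```python
"""Hybrid X25519 + ChaCha20 file encryption with a 1 MB partial-encryption cut.

Added example; the header layout, KDF and embedded-public-key model are
assumptions, not details from the DireWolf report.
"""
import hashlib
import os
import struct

P = 2 ** 255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")
PARTIAL_LIMIT = 1024 * 1024      # above this size only the first 1 MB is encrypted
HEADER_LEN = 32 + 12             # ephemeral public key + nonce (assumed layout)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; returns the resulting u-coordinate."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # conditional swap (not constant-time here)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


M32 = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & M32) | (v >> (32 - n))


def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439 layout)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
             *struct.unpack("<8L", key), counter & M32, *struct.unpack("<3L", nonce)]
    w = list(state)
    for _ in range(10):                   # 20 rounds: 10 column + diagonal pairs
        _quarter(w, 0, 4, 8, 12); _quarter(w, 1, 5, 9, 13)
        _quarter(w, 2, 6, 10, 14); _quarter(w, 3, 7, 11, 15)
        _quarter(w, 0, 5, 10, 15); _quarter(w, 1, 6, 11, 12)
        _quarter(w, 2, 7, 8, 13); _quarter(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & M32 for x, y in zip(state, w)])


def chacha20_xor(key, nonce, data, counter=0):
    """Stream-cipher XOR; encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 64):
        chunk = data[i:i + 64]
        ks = _chacha_block(key, counter + i // 64, nonce)[:len(chunk)]
        out += (int.from_bytes(chunk, "little") ^ int.from_bytes(ks, "little")).to_bytes(len(chunk), "little")
    return bytes(out)


def encrypt_file(plaintext, operator_pub, limit=PARTIAL_LIMIT):
    """Per-file ephemeral key pair; only the first `limit` bytes are encrypted."""
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASE_POINT)
    file_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()  # assumed KDF
    nonce = os.urandom(12)
    cut = min(len(plaintext), limit)
    body = chacha20_xor(file_key, nonce, plaintext[:cut]) + plaintext[cut:]
    # eph_priv is discarded: only the holder of the operator private key can rebuild file_key
    return eph_pub + nonce + body


def decrypt_file(blob, operator_priv, limit=PARTIAL_LIMIT):
    """What the operator's decryptor does with its private key."""
    eph_pub, nonce, body = blob[:32], blob[32:HEADER_LEN], blob[HEADER_LEN:]
    file_key = hashlib.sha256(x25519(operator_priv, eph_pub)).digest()
    cut = min(len(body), limit)
    return chacha20_xor(file_key, nonce, body[:cut]) + body[cut:]


def encrypted_span(size, limit=PARTIAL_LIMIT):
    """Bytes actually encrypted for a file of `size` bytes (the rest stays plaintext)."""
    return min(size, limit)


if __name__ == "__main__":
    op_priv = os.urandom(32)                  # stays with the operator
    op_pub = x25519(op_priv, BASE_POINT)      # would be embedded in the sample
    doc = b"quarterly-figures " * 40
    blob = encrypt_file(doc, op_pub)
    assert blob[HEADER_LEN:] != doc and decrypt_file(blob, op_priv) == doc
    print("small file: fully encrypted,", len(blob) - HEADER_LEN, "bytes")
    print("3 MB file: encrypted span =", encrypted_span(3 * 1024 * 1024), "bytes")
```

The point to take from the structure is why the per-file key is unrecoverable from the host alone: the ephemeral private key exists only for the duration of one file's encryption and is never written anywhere, so memory forensics would have to catch a worker mid-file to retrieve it, and the header only carries the ephemeral public key, which is useless without the operator's private key.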

Once encryption is complete, DireWolf drops a ransom note titled “HowToRecoveryFiles.txt” in every affected folder. Each note contains hard-coded, victim-specific identifiers, which indicates that the binary is built for a particular target after the intrusion rather than being a generic payload.
AhnLab notes that “the threat actor also uploaded some of the leaked files to a free file-sharing site, allowing them to be accessed and using this as a means of proving that the data had actually been stolen and threatening the victim.”