direwolf
Ransomware group profile
Description
Dire Wolf is a financially motivated ransomware group that emerged in May 2025 and quickly established itself through disruptive attacks across multiple regions. The group operates a dark web leak site and employs a double extortion model, demonstrating a clear emphasis on monetary profit over any political agenda.
Key insights
- Gains initial access through spear-phishing, exploitation of exposed services, or weak credentials.
- Employs a double extortion model: data is exfiltrated before encryption and the group threatens to publish it on its leak site if the ransom is not paid.
- Ransomware payload is written in Go and is often packed with UPX. UPX is a compressor rather than true obfuscation: it hides strings and imports from naive static inspection, but a stock UPX-packed binary unpacks with upx -d.
- Uses Curve25519 for key exchange and ChaCha20 for file encryption.
- Targets span a variety of sectors, with reported ransom demands reaching up to $500,000.
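The hybrid scheme implied by the Curve25519 and ChaCha20 bullets (asymmetric key agreement plus a fast stream cipher) is worth seeing end to end, because it explains why encrypted files cannot be recovered without the operator's private key. The following is an added illustration, not Dire Wolf's code and not recovered from any sample: X25519 and ChaCha20 are implemented from RFC 7748 and RFC 8439 so it runs with no third-party dependencies. The page does not say how the group derives the per-file key or lays out the file header; the SHA-256 key derivation, the per-file ephemeral key pair and the header fields (eph_pub, nonce, ct) are assumptions of this example.

```python
"""Added example: per-file X25519 key agreement plus ChaCha20 stream encryption.
Not Dire Wolf's code. KDF, header layout and per-file ephemeral keys are assumptions."""
import hashlib
import os
import struct

P = 2**255 - 19                      # X25519 field prime (RFC 7748)
BASEPOINT = b"\x09" + b"\x00" * 31   # u = 9, little-endian


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication, RFC 7748 section 5."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the scalar
    k = int.from_bytes(k, "little")
    u = bytearray(u_bytes); u[31] &= 127              # ignore the top bit of u
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _quarter_round(s, a, b, c, d):
    # a+=b; d^=a; d<<<=16;  c+=d; b^=c; b<<<=12;  a+=b; d^=a; d<<<=8;  c+=d; b^=c; b<<<=7
    for shift, (x, y, z) in ((16, (a, b, d)), (12, (c, d, b)), (8, (a, b, d)), (7, (c, d, b))):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        v = s[z] ^ s[x]
        s[z] = ((v << shift) | (v >> (32 - shift))) & 0xFFFFFFFF


def _chacha_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block, RFC 8439 section 2.3 (256-bit key, 96-bit nonce)."""
    init = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
            *struct.unpack("<8I", key), counter & 0xFFFFFFFF, *struct.unpack("<3I", nonce)]
    s = list(init)
    for _ in range(10):                                   # 20 rounds = 10 double rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, *q)
    return struct.pack("<16I", *[(s[i] + init[i]) & 0xFFFFFFFF for i in range(16)])


def chacha20(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = _chacha_block(key, counter + off // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], block))
    return bytes(out)


def keygen() -> tuple:
    """Operator key pair; the public half is what a ransomware binary would embed."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def encrypt_file(operator_pub: bytes, plaintext: bytes) -> dict:
    """Ransomware side: a fresh ephemeral key pair per file (assumption). Only the
    ephemeral public key is written to the header; the ephemeral private key is
    dropped, so the shared secret can be recomputed only with operator_priv."""
    eph_priv = os.urandom(32)
    file_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()   # KDF assumed
    nonce = os.urandom(12)
    return {"eph_pub": x25519(eph_priv, BASEPOINT), "nonce": nonce,
            "ct": chacha20(file_key, nonce, plaintext)}


def decrypt_file(operator_priv: bytes, blob: dict) -> bytes:
    """Operator side, i.e. what a purchased decryptor does."""
    file_key = hashlib.sha256(x25519(operator_priv, blob["eph_pub"])).digest()
    return chacha20(file_key, blob["nonce"], blob["ct"])


if __name__ == "__main__":
    op_priv, op_pub = keygen()
    blob = encrypt_file(op_pub, b"constructed sample document")
    assert decrypt_file(op_priv, blob) == b"constructed sample document"
    print("round trip ok; header eph_pub =", blob["eph_pub"].hex())
```

Two practical consequences follow from this shape. A defender who obtains the binary gets only operator_pub, which is useless for decryption, so a "free decryptor" is possible only if the implementation is flawed (weak randomness, nonce reuse across files, or a key left on disk). And if an encryptor is caught while still running, the ephemeral private key or the derived file key may still be in process memory, which is the one realistic recovery path for a correctly implemented scheme of this kind.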
Intelligence
File hash IOCs for direwolf (hash type inferred from digest length: 64 hex characters SHA-256, 40 SHA-1, 32 MD5)
- SHA-256: 7f877830ebafb0b809b96bac7baf4435e235ab7835f695006ff779e6178c3638
- SHA-1: 831c6ffbe6e3b31a3e9aec27c79f7d42717e8c9d
- SHA-1: 4a5852e9f9e20b243d8430b229e41b92949e4d69
- SHA-256: f7f4e9366737ab6cc064bc2e5f062ae368e16bbefe845c962dd0c4e9ba919697
- SHA-256: 27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3
- MD5: aa62b3905be9b49551a07bc16eaad2ff
- MD5: bc6912c853be5907438b4978f6c49e43
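Hash indicators are only useful when each one is matched against the right algorithm, and a mixed list like the one above is easy to mis-handle. The following is an added example, not code from this page or from the intelligence provider: it parses a mixed indicator list, classifies each digest by length, computes all three digests of a file in one pass, and reports matches. The indicator lines and the sample bytes in the demo are constructed; the sample is not a Dire Wolf binary.

```python
"""Added example: classify file-hash IOCs by algorithm and match files against
them in one pass. Not part of the original profile. Sample data is constructed."""
import hashlib
import re
from pathlib import Path

# Hex digest length -> hashlib algorithm name
_HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_iocs(lines) -> dict:
    """Return {lowercase_hash: algorithm} for every line that is a hex digest of a
    recognised length; blank lines, comments, bullets and non-hash lines are skipped."""
    iocs = {}
    for raw in lines:
        token = raw.strip().lstrip("-").strip()        # tolerate "- <hash>" bullets
        if not token or token.startswith("#") or not _HEX.match(token):
            continue
        algo = _HASH_ALGOS.get(len(token))
        if algo:                                       # unknown length: not a digest we use
            iocs[token.lower()] = algo
    return iocs


def digests(data: bytes) -> dict:
    """All three digests of an in-memory blob."""
    return {a: hashlib.new(a, data).hexdigest() for a in _HASH_ALGOS.values()}


def digest_file(path, chunk_size=1 << 20) -> dict:
    """All three digests of a file, read once in chunks so large files need not fit in memory."""
    hashers = {a: hashlib.new(a) for a in _HASH_ALGOS.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def find_matches(file_digests: dict, iocs: dict) -> list:
    """Sorted list of (algorithm, hash) pairs from `iocs` that this file matches."""
    return sorted((algo, d) for algo, d in file_digests.items() if d in iocs)


def scan_tree(root, iocs: dict) -> dict:
    """Walk a directory tree; return {path: matches} for files with at least one hit."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            m = find_matches(digest_file(p), iocs)
            if m:
                hits[str(p)] = m
    return hits


if __name__ == "__main__":
    # Constructed indicator list: the seven hashes from the profile plus the SHA-256
    # of the constructed sample below, so that exactly one hit is produced.
    SAMPLE = b"constructed sample, not a real Dire Wolf binary"
    ioc_lines = """
    # direwolf file hashes
    - 7f877830ebafb0b809b96bac7baf4435e235ab7835f695006ff779e6178c3638
    - 831c6ffbe6e3b31a3e9aec27c79f7d42717e8c9d
    - 4a5852e9f9e20b243d8430b229e41b92949e4d69
    - f7f4e9366737ab6cc064bc2e5f062ae368e16bbefe845c962dd0c4e9ba919697
    - 27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3
    - aa62b3905be9b49551a07bc16eaad2ff
    - bc6912c853be5907438b4978f6c49e43
    """.splitlines() + [digests(SAMPLE)["sha256"]]
    iocs = parse_iocs(ioc_lines)
    print(len(iocs), "indicators loaded")
    print(find_matches(digests(SAMPLE), iocs))
```

Hash matching only catches builds that have already been seen: because the payload is UPX-packed, repacking or a one-byte change to the stub yields a new digest for all three algorithms, so these indicators should be paired with the behavioural techniques listed under TTPs rather than relied on alone.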
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for direwolf
T1486 Data Encrypted for Impact
T1490 Inhibit System Recovery
T1021 Remote Services
T1562 Impair Defenses
T1078 Valid Accounts
T1021.001 Remote Services: Remote Desktop Protocol
T1547 Boot or Logon Autostart Execution
T1059 Command and Scripting Interpreter
T1047 Windows Management Instrumentation
T1489 Service Stop
Affected countries (34)
Countries where this group has been reported to target or leak victims.