Full Report
Dire Wolf is a newly emerged ransomware group, first observed in May 2025. Trustwave SpiderLabs recently uncovered a Dire Wolf ransomware sample that reveals, for the first time, key details of how the ransomware operates.
Analysis Summary
# Threat Actor: Dire Wolf
## Attribution & Identity
This threat actor is identified as a new ransomware group referred to as "Dire Wolf." No specific attribution (nation-state or established criminal collective) beyond the nomenclature is provided in the context.
## Activity Summary
Dire Wolf's recent activity centers around deploying ransomware against various global sectors. The context highlights their appearance amid geopolitical tensions (Israel-Iran).
## Tactics, Techniques & Procedures
The analysis focuses heavily on post-exploitation and defense evasion techniques aimed at disabling backups and clearing event logs:
- Deleting Volume Shadow Copies:
  - `vssadmin delete shadows /all /quiet`
  - `wmic shadowcopy delete /nointeractive`
- Disabling/Deleting Backups:
  - `wbadmin disable backup -quiet`
  - `wbadmin delete backup -keepVersions:0 -quiet`
  - `wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 -quiet`
  - `wbadmin delete catalog -quiet`
- Modifying Boot Configuration to Prevent Recovery:
  - `bcdedit /set {default} recoveryenabled No`
  - `bcdedit /set {default} bootstatuspolicy ignoreallfailures`
- Clearing Windows Event Logs:
  - `wevtutil cl Application`
  - `wevtutil cl system`
  - `wevtutil cl security`
  - `wevtutil cl setup`
*No explicit MITRE ATT&CK IDs were provided in the context.*
## Targeting
- Sectors: Global sectors targeted, including Financial Services, Government, Education, Healthcare, Hotels, Legal, and Manufacturing (based on Trustwave solution offerings mentioned adjacent to the report context).
- Geography: Global.
- Victims: Specific victim organizations are not named in the provided text.
## Tools & Infrastructure
- Malware Families Used: Ransomware (unspecified variant, deployed by Dire Wolf).
- Infrastructure (C2, domains, IPs):
  - Data Leak Site (DLS): `hxxp://direwolfcdkv5whaz2spehizdg22jsuf5aeje4asmetpbt6ri4jnd4qd[.]onion`
- Identified File IOCs:
  - `data345.exe` (Win64 EXE)
    - SHA-256: `8fdee53152ec985ffeeeda3d7a85852eb5c9902d2d480449421b4939b1904aad`
  - `data345.exe (unpacked)` (Win64 EXE)
    - SHA-256: `27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3`
## Implications
Dire Wolf represents a new, active ransomware threat targeting a broad range of industries globally. Its systematic removal of recovery mechanisms (shadow copies, backups, boot recovery) and clearing of event logs indicates an intent to maximize impact, hinder investigation, and pressure victims into paying the ransom.
## Mitigations
- Organizations must adhere to good security practices.
- Enable monitoring for the specific command-line techniques revealed in this analysis (especially those deleting shadow copies and clearing logs).
- Implement detection rules specifically looking for the listed command strings and Indicators of Compromise (IOCs).
- Utilize advanced threat hunting capabilities to search for related malware and malicious activities.
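The command-line monitoring and IOC matching called for above, applied to the command strings from the Tactics, Techniques & Procedures section, as an added example written for this page (it is not Trustwave's tooling). It assumes process-creation telemetry (Sysmon Event ID 1 or Security Event ID 4688 style) already forwarded as JSON objects with `Computer` and `CommandLine` fields; the sample events are constructed, and only the two SHA-256 hashes come from the report.

```python
"""Flag the recovery-inhibition and log-clearing command lines from the Dire Wolf
analysis in process-creation telemetry, and match file hashes against the
report's IOCs. Example code written for this page, not Trustwave's; the event
layout (dicts with "Computer" and "CommandLine") is an assumption."""
import re
from dataclasses import dataclass
from typing import Iterable

# Each rule: (category, regex). Patterns run against a lower-cased,
# whitespace-collapsed command line, so casing/spacing variants such as
# "wbadmin DELETE SYSTEMSTATEBACKUP" still match.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("backup_tampering", re.compile(
        r"\bwbadmin(\.exe)?\b.*\b(disable backup|delete (backup|catalog|systemstatebackup))\b")),
    ("recovery_tampering", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("log_clearing", re.compile(
        r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\s+(application|system|security|setup)\b")),
]

# SHA-256 hashes of the analysed sample, as listed in the report.
DIRE_WOLF_SHA256 = {
    "8fdee53152ec985ffeeeda3d7a85852eb5c9902d2d480449421b4939b1904aad",  # data345.exe
    "27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3",  # data345.exe (unpacked)
}


@dataclass(frozen=True)
class Finding:
    host: str
    category: str
    command_line: str


def normalise(cmd: str) -> str:
    """Lower-case and collapse whitespace so the regexes are stable."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def classify(cmd: str) -> list[str]:
    """Return the sorted categories a single command line matches (may be empty)."""
    norm = normalise(cmd)
    return sorted({cat for cat, rx in RULES if rx.search(norm)})


def scan_events(events: Iterable[dict]) -> list[Finding]:
    """Run every rule over every event; one Finding per (event, category)."""
    findings = []
    for ev in events:
        for cat in classify(ev.get("CommandLine", "")):
            findings.append(Finding(ev.get("Computer", "?"), cat, ev["CommandLine"]))
    return findings


def is_known_sample(sha256: str) -> bool:
    """Case-insensitive match against the report's file IOCs."""
    return sha256.strip().lower() in DIRE_WOLF_SHA256


def summarise(findings: Iterable[Finding]) -> dict:
    """Distinct categories seen per host. A host hitting several categories
    in a short window is the recovery-inhibition burst a ransomware run
    produces; a lone wbadmin call might be an admin."""
    per_host: dict = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.category)
    return {host: len(cats) for host, cats in per_host.items()}


# Constructed sample telemetry (not real logs). FS01 replays the sequence from
# the analysis; WS02 runs a benign wevtutil query that must not alert.
SAMPLE_EVENTS = [
    {"Computer": "FS01", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Computer": "FS01", "CommandLine": "wmic shadowcopy delete /nointeractive"},
    {"Computer": "FS01", "CommandLine": "wbadmin disable backup -quiet"},
    {"Computer": "FS01", "CommandLine": "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 -quiet"},
    {"Computer": "FS01", "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Computer": "FS01", "CommandLine": "wevtutil cl security"},
    {"Computer": "FS01", "CommandLine": "wevtutil  cl  System"},
    {"Computer": "WS02", "CommandLine": "wevtutil qe Security /c:5 /f:text"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host}\t{f.category}\t{f.command_line}")
    print(summarise(scan_events(SAMPLE_EVENTS)))
```

The per-host summary is the part worth wiring into an alert: any single category can be legitimate administration, but a host that deletes shadow copies, tampers with wbadmin and bcdedit, and clears logs within minutes matches the pattern the report describes and should be isolated and investigated.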