🐺 Dire Wolf Ransomware – Malware Analysis Report

1. Executive Summary

Dire Wolf is a newly emerged ransomware group first observed in May 2025. This double-extortion threat encrypts files and threatens to leak exfiltrated data to pressure victims into payment. The malware is written in Golang, packed with UPX, and employs anti-forensics, in-memory process execution, and aggressive termination of security-related services and processes to evade detection and disable defenses.

2. Malware Overview

3. Infection & Execution Flow

Execution Flow
  1. A user or system process executes the packed Golang binary
  2. Initial Checks:
    • Checks for the runfinish.exe marker file
    • Checks for the mutex Global\direwolfAppMutex
  3. If either is present (host already infected) → Self-deletes using: cmd /C timeout /T 3 & del /f /q <path_to_self> & exit
  4. Disables Windows Event Logging via PowerShell and taskkill
  5. Terminates up to 75 services & 59 processes (AV, backups, DBs, productivity tools)
  6. Deletes backups and disables recovery using commands like vssadmin, wbadmin, bcdedit, and wevtutil
  7. Encrypts files (excludes system/critical files) using Curve25519 + ChaCha20
  8. Appends .direwolf extension
  9. Drops ransom note with leak proof link, chat portal login, and countdown timer
  10. Self-deletes and optionally reboots system

4. Static Analysis

5. Dynamic Analysis

5.1 Backup & Recovery Destruction (Updated)

This function is responsible for removing backup options, disabling recovery mechanisms, and clearing event logs in order to prevent forensic investigation or system restoration after encryption. The following Windows commands are used:

These are followed by boot and recovery option modifications:

Finally, the malware clears key event logs using wevtutil.

These actions make incident response and system recovery significantly more difficult, reinforcing Dire Wolf’s destructive capabilities before ransom negotiations.

5.2 Service & Process Termination

The malware stops and disables 75 hard-coded services (AV, backups, databases, etc.) and repeatedly terminates 59 key processes so that defensive and recovery tools cannot stay running.
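Host-based detection for the behaviours described in the execution flow (section 3) and in sections 5.1 and 5.2, as an added example that is not part of the original report: the rules key on the command families the report names, the self-delete form it quotes, the mutex and marker files, and the SHA-256 hashes from the IOC table; the sample command lines are constructed for the example and are not taken from the malware.

```python
import re

# SHA-256 values taken from the report's IOC table (packed and unpacked data345.exe).
DIREWOLF_SHA256 = {
    "8fdee53152ec985ffeeeda3d7a85852eb5c9902d2d480449421b4939b1904aad": "data345.exe (packed)",
    "27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3": "data345.exe (unpacked)",
}
MUTEX_NAME = r"Global\direwolfAppMutex"  # infection-marker mutex named in section 3
MARKER_FILES = {r"c:\runfinish.exe", "xfssvccon.exe"}  # marker files from the IOC table, lower-cased

# Command-line patterns for the behaviours in sections 3, 5.1 and 5.2. The self-delete pattern
# follows the form quoted in section 3; the others key on the command families the report names.
RULES = {
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b", re.I),
    "backup_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b", re.I),
    "boot_recovery_tamper": re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled|bootstatuspolicy)\b", re.I),
    "eventlog_clear": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "self_delete": re.compile(r"\bcmd(\.exe)?\s+/c\s+timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\s+\S+", re.I),
    "process_kill": re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b", re.I),
}

def scan_command_lines(lines):
    """Return (rule_name, command_line) for every process command line that matches a rule."""
    hits = []
    for line in lines:
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits

def match_iocs(sha256_hashes, file_paths, mutexes):
    """Match observed hashes, file paths and mutex names against the report's static IOCs."""
    found = ["hash:" + DIREWOLF_SHA256[h.lower()] for h in sha256_hashes if h.lower() in DIREWOLF_SHA256]
    found += ["marker:" + p for p in file_paths
              if p.lower() in MARKER_FILES or p.lower().rsplit("\\", 1)[-1] in MARKER_FILES]
    found += ["mutex:" + m for m in mutexes if m == MUTEX_NAME]
    return found

# Constructed sample process command lines (not from the report); the last one is benign.
SAMPLE_COMMANDS = [
    "vssadmin delete shadows /all",
    "wbadmin delete catalog",
    "bcdedit /set {default} recoveryenabled no",
    "wevtutil cl Security",
    r"cmd /C timeout /T 3 & del /f /q C:\Users\Public\data345.exe & exit",
    "taskkill /F /IM sqlservr.exe",
    r"notepad.exe C:\Users\Public\notes.txt",
]
```

Feeding Sysmon Event ID 1 or Security 4688 command lines into scan_command_lines() flags the six hostile sample lines and ignores the benign one; match_iocs() is meant for hashes, paths and mutex names collected from endpoint telemetry.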

6. Encryption Process

7. Data Leak Site

8. Indicators of Compromise (IOCs)

Type                              Value
Mutex                             Global\direwolfAppMutex
File Marker                       C:\runfinish.exe, xfssvccon.exe
Packed File Hash (data345.exe)    MD5:     A71dbf2e20c04da134f8be86ca93a619
                                  SHA-1:   Ed7c9fbd42605c790660df86b7ec325490f6d827
                                  SHA-256: 8fdee53152ec985ffeeeda3d7a85852eb5c9902d2d480449421b4939b1904aad
Unpacked File Hash (data345.exe)  MD5:     aa62b3905be9b49551a07bc16eaad2ff
                                  SHA-1:   4a5852e9f9e20b243d8430b229e41b92949e4d69
                                  SHA-256: 27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3

9. Impact & Threat Landscape

MITRE ATT&CK Tactics & Techniques

10. Mitigation & Recommendations

11. Conclusion

Dire Wolf represents a sophisticated, financially motivated ransomware threat leveraging robust encryption, process manipulation, and double-extortion tactics. Its use of Golang, UPX packing, process/service termination, and self-deletion makes it elusive to traditional defenses. Early detection and proactive containment are crucial.