August 28, 2025

Deep Dive Analysis into Dire Wolf Ransomware - TTPs and IOCs

Protos AI Agent, under the supervision of Christabel Lum

#Cybersecurity #ThreatIntelligence #DireWolf #Ransomware #ProtosAI

Executive Summary

The Singapore Cybersecurity Agency (CSA) and ThaiCERT have issued critical advisories on the Dire Wolf Ransomware group, highlighting its growing global operations. On 25 August 2025 alone, five new victims were confirmed, reflecting a rapid escalation in targeting. To date, there are 39 confirmed victims spanning the manufacturing, technology, finance, healthcare, and logistics sectors globally, with high activity in Singapore, Thailand, the Philippines, and Taiwan.

Dire Wolf employs an advanced double extortion model, encrypting files with Curve25519 + ChaCha20 algorithms while systematically exfiltrating sensitive data. Victims face both operational disruption and public data exposure on Tor-based leak sites, with ransom demands typically around USD $500,000.

The malware, written in Golang and UPX-packed, exhibits strong anti-forensic behavior including disabling Windows event logs, deleting backups, terminating processes, and employing mutexes to prevent reinfection. Its infrastructure relies on Tor hidden services and malicious domains (e.g., tor-browser.io), while ransom negotiations take place over qTox messaging.

The most recent high-profile attack occurred against Wine Works Australia (August 2025), confirming continued campaign activity. Protos Labs, leveraging Protos AI intelligence enrichment and TIPs, has compiled this report to provide defenders with updated TTPs, IOCs, and detection rules for effective monitoring and response.

Note: This report was produced with the assistance of Protos AI.

Background

Dire Wolf ransomware emerged in May 2025 and has since been linked to at least 39 confirmed victims worldwide. The group’s operations align with broader ransomware trends but stand out due to:

  • Consistent use of Golang binaries with UPX packing.
  • Aggressive anti-forensic techniques designed for rapid impact.
  • Secure, anonymous negotiation channels via qTox.
  • Potential signs of triple extortion tactics, such as DDoS or regulatory exposure (unconfirmed).

CSA’s advisory underlines the urgent need for organizations, particularly in manufacturing, technology, and finance, to strengthen incident response preparedness.

Victimology and Attack Mapping

Since May 2025, Dire Wolf ransomware has been linked to at least 39 confirmed victim organizations worldwide. The majority of these incidents have affected the manufacturing, technology, and finance sectors, though activity has also been observed in healthcare and logistics, reflecting the group’s willingness to target a wide range of critical industries. Geographically, attacks span at least 11 countries, including the United States, Thailand, Taiwan, Singapore, Italy, and Canada. Based on the number of victims per region, there appears to be a focus on Singapore, Thailand, the Philippines, and Taiwan.

The impact of these attacks is consistent across cases. Victims experience both file encryption and sensitive data theft, with stolen information published on Tor-based leak sites if ransom demands are not met. Ransom requests typically average around USD $500,000, and the resulting disruption often includes significant downtime and reputational damage. Attribution to Dire Wolf in these campaigns is assessed with high confidence, based on forensic analysis, ransom note artifacts, and corroborating activity on their leak site.

The most recent high-profile incident occurred in August 2025, when Dire Wolf targeted Wine Works Australia, an organization in the agriculture and food production sector. This attack followed the group’s established double extortion playbook, involving encryption, data theft, and exposure via the Tor leak site. The timeline aligns with Dire Wolf’s ongoing global campaign activity, and attribution is again assessed with high confidence, supported by malware sample hashes, ransom note content, and overlaps in Tor-based infrastructure with earlier campaigns.

Technical Tactics, Techniques, and Procedures (TTPs)

To better understand Dire Wolf’s operational playbook, we map their observed and suspected behaviors to the MITRE ATT&CK framework. This provides defenders with a structured view of how Dire Wolf gains access, executes ransomware, evades defenses, and pressures victims into ransom payment. The techniques listed below highlight both confirmed and suspected tradecraft, with ATT&CK identifiers to support alignment with existing detection and response controls. Refer to the Annex for the summarized list.

Core Ransomware Operations

Double Extortion Model (T1486, T1657)

  • Dire Wolf consistently employs a double extortion model, combining strong encryption with systematic data theft. Victims are threatened with public exposure via a Tor-based leak site if ransom demands (around USD $500,000) are not met. This tactic maximizes leverage against victims and accelerates ransom negotiations.

Advanced Encryption (T1486)

  • Payloads utilize Curve25519 for key exchange and ChaCha20 for file encryption, providing robust cryptographic protection and complicating recovery efforts. These algorithms are considered modern and secure, making brute-force recovery of files infeasible.

Malware Development (T1027.002)

  • The ransomware is written in Golang and protected with UPX packing, impeding reverse engineering and static analysis. This development choice also makes the malware highly portable across platforms, increasing its resilience and complicating detection.

Anti-Forensics & Evasion (T1562.002, T1490, T1562.001, T1489, T1070.004, T1480)

  • Disables Windows event logs and deletes system backups/shadow copies, hindering forensic investigation and preventing recovery.
  • Terminates security, administrative, and productivity processes, maximizing operational disruption and slowing incident response.
  • Employs mutexes to prevent multiple executions, and in some cases self-deletes after execution to reduce its forensic footprint.
  • These behaviors demonstrate an intentional design to frustrate defenders and increase the operational cost of recovery.
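The anti-forensic behaviors listed above (event log tampering, shadow copy and backup deletion, forced process termination) are all visible in process-creation telemetry before encryption completes, which makes them a practical early-warning detection. The following is an added example written for this report, not code from Protos Labs or the Dire Wolf sample: the report does not name the exact commands Dire Wolf uses, so the command lines below are the commonly observed implementations of T1490, T1562.002 and T1489 and are an assumption; the Sysmon-style log records are constructed for illustration.

```python
"""Flag recovery-inhibition and log-tampering commands in process-creation logs.

Added example (not from the Protos report). The report states that Dire Wolf
disables Windows event logs, deletes backups/shadow copies and terminates
processes (T1562.002, T1490, T1489). The concrete command lines matched below
are ASSUMED common implementations of those behaviours, not confirmed Dire Wolf
command lines. Log records are constructed, key=value fields separated by '|'.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (ATT&CK technique, description, regex over the full command line)
RULES = [
    ("T1490", "shadow copy deletion via vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "shadow copy deletion via WMI",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "backup catalog deletion via wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("T1490", "Windows recovery disabled via bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1562.002", "event log cleared or reconfigured via wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log|sl|set-log)\b", re.I)),
    # Lower confidence on its own: admins use taskkill too. Correlate (see below).
    ("T1489", "forced process termination via taskkill",
     re.compile(r"\btaskkill(\.exe)?\b(?=.*\s/f\b)(?=.*\s/im\b)", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    description: str
    command: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def scan(lines) -> list:
    """Return one Finding per (event, rule) match."""
    findings = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for technique, description, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(event.get("Host", "?"), technique, description, cmd))
    return findings


def hosts_with_multiple_techniques(findings, threshold: int = 2) -> set:
    """Hosts showing at least `threshold` distinct techniques: several
    anti-forensic actions on one host is the high-confidence ransomware signal,
    whereas a lone taskkill or wevtutil is often routine administration."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.technique)
    return {host for host, techs in per_host.items() if len(techs) >= threshold}


# Constructed telemetry: four suspicious events on WS01, two benign on WS02.
SAMPLE_LOG = [
    r"Host=WS01|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"Host=WS01|Image=C:\Windows\System32\wevtutil.exe|CommandLine=wevtutil.exe cl Security",
    r"Host=WS01|Image=C:\Windows\System32\bcdedit.exe|CommandLine=bcdedit.exe /set {default} recoveryenabled no",
    r"Host=WS01|Image=C:\Windows\System32\taskkill.exe|CommandLine=taskkill.exe /f /im outlook.exe",
    r"Host=WS02|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\a\notes.txt",
    r"Host=WS02|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe list shadows",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.host}  {f.technique:<10} {f.description}: {f.command}")
    print("hosts to escalate:", hosts_with_multiple_techniques(results))
```

Note that `vssadmin list shadows` is deliberately left unflagged: only the destructive verb is an indicator, and matching on the binary name alone would drown the signal in backup-software noise. The per-host correlation is where the real value lies; a single finding should raise a ticket, while two or more distinct techniques on one host within minutes should trigger isolation.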

Negotiation & Communication (T1491.001, T1071.003, T1041)

  • Ransom notes are customized per victim, including unique qTox IDs for live chat negotiation.
  • Attackers provide proof of data exfiltration, both to validate the threat and increase psychological pressure on victims.
  • This live negotiation channel through secure peer-to-peer messaging is unusual, further complicating tracking and takedown.

Infrastructure (T1048.003, T1090.003)

  • Dire Wolf operates a data leak site hosted on the Tor network.
  • The group relies on onion routing and Tor-based infrastructure for anonymity, resilience, and to make law enforcement takedown attempts more difficult.
  • Malicious domains tied to the campaign include tor-browser.io and associated subdomains.
  • This infrastructure reflects an operational preference for anonymity, persistence, and blending into known Tor-based criminal ecosystems.

Initial Access Vectors (T1566, T1190, T1078, T1021, T1059.001, T1047, T1021.002, T1598, T1598.004)

While specific vectors remain unconfirmed, Dire Wolf likely employs common ransomware entry points:

  • Phishing emails with malicious attachments or links.
  • Exploitation of VPN vulnerabilities (e.g., Ivanti Connect Secure).
  • Use of stolen credentials for valid account access.
  • Living-off-the-land techniques leveraging PowerShell, WMI, and PsExec for lateral movement.
  • Social engineering campaigns, potentially enhanced by AI, leveraging malicious domains (e.g., tor-browser.io) and voice phishing (vishing) for credential harvesting.

These entry vectors are consistent with broader ransomware campaigns, but enrichment shows Dire Wolf’s focus on multi-layered access methods.

Credential Dumping (T1003.001)

  • Use of tools such as Mimikatz for credential extraction and privilege escalation, enabling further lateral movement within victim environments.

Living-off-the-Land (T1059, T1078)

  • Abuse of legitimate system tools (PowerShell, WMI, PsExec) to execute commands and move laterally while evading detection. This makes the activity blend with normal administrative operations.

Process Termination (T1489)

  • Aggressive termination of security, monitoring, and productivity processes to maximize operational impact and reduce the ability of defenders to respond.

Triple Extortion (Potential) (T1498, T1657)

While not confirmed in recent Dire Wolf campaigns, some evidence suggests potential escalation to triple extortion:

  • DDoS attacks to further pressure victims.
  • Threats of regulatory or media exposure in addition to encryption and data theft.

This represents a possible evolution of Dire Wolf’s tactics in line with the broader ransomware ecosystem.


Indicators of Compromise (IOCs) – Comprehensive Inventory

Beyond tactics and procedures, Dire Wolf’s operations leave behind observable technical footprints that can support detection and response. The following Indicators of Compromise (IOCs) have been extracted from confirmed Dire Wolf ransomware samples, enriched via VirusTotal and threat intelligence feeds, and validated against multiple sources. These IOCs provide defenders with actionable artifacts for detection, hunting, and correlation across logs, endpoint sensors, and network monitoring tools. While not exhaustive, this inventory captures the most reliable file hashes, domains, infrastructure elements, and related malware families linked to recent campaigns.

File Hashes (Malware Samples)

  • 27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3
    Golang-based Dire Wolf ransomware sample; confirmed by multiple sources.
  • 8fdee53152ec985ffeeeda3d7a85852eb5c9902d2d480449421b4939b1904aad
    Additional confirmed Dire Wolf ransomware binary.
  • 00065b7aeaa41e3aa52cf94be0f63afdd92e04799935d612f2451bcf4b1fb704
    Malicious file detected by 66 AV engines; tags include runtime-modules, direct-cpu-clock-access.

Domains & URLs

Leak Site: hxxp://direwolfcdkv5whaz2spehizdg22jsuf5aeje4asmetpbt6ri4jnd4qd[.]onion (Tor network)

Malicious Infrastructure: tor-browser[.]io (malicious domain, C2 server, used in social engineering campaigns)

Subdomains:

  • www.tor-browser[.]io
  • sitemaps.tor-browser[.]io
  • sitemap.tor-browser[.]io

Victim Domain Example: Uppenterprises[.]com (recently targeted by Dire Wolf)

Filenames

  • direwolf.exe
    Suspected malware filename; requires hash for further enrichment.

Related Malware Families

AgentTesla, Dridex: These malware families are referenced in relation to Dire Wolf’s infection chains, particularly for credential theft and initial access.

Enrichment and Context

  • All IOCs have been cross-referenced with VirusTotal and threat intelligence feeds for reputation, detection rates, and technical context.
  • Malicious domains and file hashes are confirmed by multiple AV engines and threat intelligence sources.
  • Subdomain enumeration and DNS lookups have not yielded additional infrastructure, indicating a focused or minimal public footprint.
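The indicators above are published defanged (`hxxp://`, `[.]`), so they have to be refanged and normalised before they can be matched against DNS, proxy or endpoint telemetry, and the report's note that the campaign uses tor-browser[.]io "and associated subdomains" argues for suffix matching rather than exact hostname matching. The following is an added example written for this report, not Protos Labs code: the hash, domain and leak-site values are exactly those listed in the inventory above; the DNS log lines are constructed, and the extra SHA-256 appended to the hash watchlist is computed from a constructed byte string solely so the hash-matching path can be exercised (it is not a Dire Wolf hash).

```python
"""Refang the report's IOCs and match them against DNS telemetry and file hashes.

Added example, not part of the Protos report. Indicator values are copied from
the report's IOC inventory (defanged as published). The DNS log lines are
CONSTRUCTED, and CONSTRUCTED_SAMPLE is a harmless byte string whose hash is
added to the watchlist only to demonstrate a positive hash match.
"""
import hashlib
import re
from urllib.parse import urlsplit

REPORT_HASHES = {
    "27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3",
    "8fdee53152ec985ffeeeda3d7a85852eb5c9902d2d480449421b4939b1904aad",
    "00065b7aeaa41e3aa52cf94be0f63afdd92e04799935d612f2451bcf4b1fb704",
}
REPORT_DOMAINS = [
    "tor-browser[.]io",
    "www.tor-browser[.]io",
    "sitemaps.tor-browser[.]io",
    "sitemap.tor-browser[.]io",
]
REPORT_URLS = [
    "hxxp://direwolfcdkv5whaz2spehizdg22jsuf5aeje4asmetpbt6ri4jnd4qd[.]onion",
]
# Uppenterprises[.]com is a VICTIM domain in the report, not attacker
# infrastructure, so it is deliberately excluded from the watchlist.


def refang(indicator: str) -> str:
    """Undo the defanging conventions used in the report and normalise case."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)          # hxxp:// -> http://
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return s.lower().rstrip(".")


def domain_watchlist(domains, urls) -> set:
    """Hostnames to match, taken from bare domains plus the hosts of any URLs."""
    hosts = {refang(d) for d in domains}
    for url in urls:
        hostname = urlsplit(refang(url)).hostname
        if hostname:
            hosts.add(hostname)
    return hosts


def host_matches(hostname: str, watchlist) -> bool:
    """True if hostname equals a watchlisted host or is a subdomain of one.
    endswith('.' + w) keeps lookalikes such as tor-browser.io.example.net out."""
    h = hostname.lower().rstrip(".")
    return any(h == w or h.endswith("." + w) for w in watchlist)


def scan_dns(lines, watchlist) -> list:
    """Return (client_ip, qname) for each constructed DNS query record that hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        client_ip, qname = parts[1], parts[3]
        if host_matches(qname, watchlist):
            hits.append((client_ip, qname))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, watchlist) -> bool:
    """Exact SHA-256 match against the hash watchlist."""
    return sha256_hex(data) in watchlist


# Constructed DNS resolver log: "<timestamp> <client> query <qname> <type>"
SAMPLE_DNS_LOG = [
    "2025-08-25T09:14:02Z 10.0.0.12 query sitemaps.tor-browser.io A",
    "2025-08-25T09:14:03Z 10.0.0.12 query cdn.tor-browser.io A",          # unlisted subdomain
    "2025-08-25T09:15:10Z 10.0.0.40 query www.example.com A",             # benign
    "2025-08-25T09:16:00Z 10.0.0.12 query tor-browser.io.example.net A",  # lookalike, no hit
]

CONSTRUCTED_SAMPLE = b"constructed sample bytes for the example, not malware"
WATCHLIST_HASHES = REPORT_HASHES | {sha256_hex(CONSTRUCTED_SAMPLE)}

if __name__ == "__main__":
    watchlist = domain_watchlist(REPORT_DOMAINS, REPORT_URLS)
    for client_ip, qname in scan_dns(SAMPLE_DNS_LOG, watchlist):
        print(f"DNS hit: {client_ip} -> {qname}")
    print("hash hit:", hash_matches(CONSTRUCTED_SAMPLE, WATCHLIST_HASHES))
```

Two design points matter in practice. Suffix matching on `tor-browser.io` catches subdomains the report has not enumerated (the report notes its enumeration found no additional infrastructure, which says nothing about what the actor may stand up later), while the `"." + w` boundary prevents a lookalike such as `tor-browser.io.example.net` from producing a false positive. The SHA-256 watchlist is exact-match only; a UPX-packed Golang binary will change hash with any repack, so hash IOCs should be treated as confirmation of a known sample rather than as the primary detection.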

Limitations & Data Gaps

  • Initial access vectors remain unconfirmed; phishing and VPN exploits are suspected but not conclusively documented.
  • Infrastructure attribution is incomplete, with several domains and IPs unresolved or lacking public visibility.
  • Incident details (e.g., Wine Works Australia) are limited, with no direct infrastructure publicly tied to the victim.

Conclusion

Dire Wolf ransomware continues to pose a significant threat to the global manufacturing, technology, and finance sectors, with a recent surge in double extortion attacks across 11 countries. The group’s technical sophistication (advanced encryption, anti-forensics, and targeted infrastructure) demands robust sector-specific defense, incident response, and insurance risk assessment. Organizations should prioritize patching, phishing resistance, credential protection, proactive monitoring for IOCs, resilient backups, and a well-rehearsed incident response plan. Continuous threat intelligence enrichment and sector collaboration remain essential.
