{
  "name": "Dire Wolf Ransomware: Threat Combining Data Encryption and Leak Extortion",
  "slug": "dire-wolf-ransomware-threat-combining-data-encryption-and-leak-extortion",
  "description": "The DireWolf ransomware group emerged in May 2025 and targets various industries globally. The group uses a double extortion technique: it encrypts victims' data and threatens to leak that data. The ransomware uses Curve25519 key exchange and ChaCha20 encryption, generating unique keys for each file. It implements anti-recovery measures: terminating backup processes, deleting logs, and disabling recovery environments. The malware encrypts files, creates ransom notes, and deletes itself after scheduling a system reboot. DireWolf's sophisticated approach, which combines encryption, anti-analysis techniques, and data leakage threats, poses a significant risk to organizations across sectors.",
  "published": "2025-09-03T15:31:15+00:00",
  "created_at": "2025-09-03T15:31:15+00:00",
  "modified_at": "2025-09-03T18:14:27+00:00",
  "created_at_opencti": "2025-09-03T15:31:15+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-03",
    "anti-recovery",
    "chacha20",
    "curve25519",
    "data leakage",
    "dire wolf",
    "double-extortion",
    "encryption",
    "ransomware",
    "self-deletion"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "7f877830ebafb0b809b96bac7baf4435e235ab7835f695006ff779e6178c3638"
      },
      {
        "id": "",
        "name": "27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:d18e3fd233ec362c",
        "name": "Dire Wolf",
        "slug": "dire-wolf"
      }
    ],
    "intrusion_sets": [
      {
        "id": "857deafb-da77-4e4c-98e8-5464f678ca83",
        "name": "DireWolf",
        "slug": "direwolf"
      }
    ],
    "attack_patterns": [
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Australia"
      },
      {
        "id": "",
        "name": "Taiwan"
      },
      {
        "id": "",
        "name": "Italy"
      },
      {
        "id": "",
        "name": "Thailand"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Construction"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://asec.ahnlab.com/en/89944",
    "https://otx.alienvault.com/pulse/68b87b63cc3afd40e2e7d6c6"
  ]
}