Dire Wolf is a newly emerged ransomware group first observed in May 2025, already making a significant impact with targeted attacks against organizations worldwide. As of late June 2025, the group has claimed at least 16 victims across 11 countries, with the United States, Thailand, and Taiwan among the most affected nations. The group’s primary targets are in the manufacturing and technology sectors, but its reach is global and expanding.
Double Extortion Model
Dire Wolf employs a double extortion tactic: not only does it encrypt victims’ files, but it also exfiltrates sensitive data, threatening to publicly leak this information unless a ransom is paid. This approach increases pressure on victims by adding reputational and regulatory risks to the immediate operational impact of file encryption.
Ransomware Features
The ransomware is written in the Go programming language, which is favored by attackers due to its cross-platform capabilities and challenges for antivirus detection. Initial samples are packed with UPX to hinder analysis.
Before encrypting, Dire Wolf checks for previous infections using a marker file (“runfinish.exe”) and a mutex (“Global\direwolfAppMutex”). If found, it self-deletes and exits to avoid redundant attacks. The ransomware disables Windows Event Logs, terminates over 75 services (including major antivirus solutions), and kills 59 processes tied to productivity and database software.
It aggressively deletes backups and disables recovery systems using commands such as “vssadmin delete shadows /all /quiet” and “wbadmin delete catalog -quiet”, and clears event logs to hamper forensic recovery. Files are encrypted using Curve25519 and ChaCha20 (an elliptic-curve key exchange and a stream cipher, respectively), with the “.direwolf” extension appended to affected files.
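The recovery-sabotage behaviour above (shadow-copy and backup-catalog deletion, event-log clearing, the “runfinish.exe” marker and the “.direwolf” extension) is what a defender can hunt for in endpoint telemetry. The following is an added example, not code from the original report or from the Dire Wolf operators: it runs simple detection logic over constructed Sysmon-style process-create (Event ID 1) and file-create (Event ID 11) records. The vssadmin and wbadmin patterns come from the commands quoted above; the wevtutil pattern, the field names and the sample events are assumptions made for illustration.

```python
"""Detection logic for recovery sabotage and encrypted-file writes,
run over constructed Sysmon-style events (added example, not from the page)."""
import re
from collections import defaultdict
from typing import Dict, List

# Command-line patterns. vssadmin and wbadmin match the commands quoted in the
# text. wevtutil is an ASSUMPTION: the text says event logs are cleared but does
# not name the tool used.
COMMAND_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    "backup_catalog_deletion": re.compile(
        r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.IGNORECASE),
    "event_log_clear": re.compile(
        r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE),
}

ENCRYPTED_EXT = ".direwolf"      # extension appended to encrypted files (per text)
MARKER_FILENAME = "runfinish.exe"  # infection marker file named in the text

# Constructed sample events (not real telemetry), reduced to the fields the
# rules need. Field names are assumed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "event_id": "1",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "event_id": "1",
     "command_line": "wbadmin delete catalog -quiet"},
    {"host": "WS01", "event_id": "1",
     "command_line": "wevtutil cl Security"},
    {"host": "WS01", "event_id": "11",
     "target_filename": r"C:\Users\Public\runfinish.exe"},
    {"host": "WS01", "event_id": "11",
     "target_filename": r"C:\Shares\Finance\Q2.xlsx.direwolf"},
    # Admin pruning old shadow copies: one sabotage-like command, nothing else.
    {"host": "SRV03", "event_id": "1",
     "command_line": "vssadmin delete shadows /for=C: /oldest"},
    # Benign activity: listing shadows and a normal backup write.
    {"host": "SRV02", "event_id": "1",
     "command_line": "vssadmin list shadows"},
    {"host": "SRV02", "event_id": "11",
     "target_filename": r"D:\Backups\daily.vhdx"},
]


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the technique labels a single event matches (empty if none)."""
    hits: List[str] = []
    if event.get("event_id") == "1":
        cmd = event.get("command_line", "")
        hits.extend(name for name, rx in COMMAND_PATTERNS.items() if rx.search(cmd))
    elif event.get("event_id") == "11":
        target = event.get("target_filename", "").lower()
        basename = target.rsplit("\\", 1)[-1]
        if target.endswith(ENCRYPTED_EXT):
            hits.append("encrypted_file_written")
        if basename == MARKER_FILENAME:
            hits.append("infection_marker_written")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, str]:
    """Aggregate hits per host and assign a verdict.

    A single vssadmin/wbadmin call can be legitimate maintenance, so one
    sabotage technique alone is only 'suspicious'. Two or more distinct
    sabotage techniques, an encrypted-file write, or the marker file escalate
    the host to 'ransomware_activity'.
    """
    per_host: Dict[str, set] = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify_event(ev))

    verdicts: Dict[str, str] = {}
    for host, techniques in per_host.items():
        sabotage = {t for t in techniques if t in COMMAND_PATTERNS}
        strong = techniques & {"encrypted_file_written", "infection_marker_written"}
        if strong or len(sabotage) >= 2:
            verdicts[host] = "ransomware_activity"
        elif sabotage:
            verdicts[host] = "suspicious_recovery_sabotage"
        else:
            verdicts[host] = "clean"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict}")
```

The tiering matters in practice: “vssadmin delete shadows” fires on legitimate storage housekeeping, so alerting on the single command produces noise, while the combination of shadow deletion, catalog deletion and log clearing on one host in a short window is the pre-encryption sequence described above and should page someone immediately.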
Each attack drops a personalized ransom note containing a hardcoded room ID, unique login credentials for a live chat room, and a link to a sample of exfiltrated data as proof. This setup enables direct negotiation between the victim and the attackers.
Victim Count and Sectors
As of June 2025, 16 organizations are publicly listed as victims, spanning 11 countries. The US and Thailand have the highest number of attacks, with the manufacturing and technology sectors most frequently targeted. Notable victims include the Legal Practice Board of Western Australia, which confirmed a breach involving 300 GB of data, including contact details and bank account information, and Thairung Group, a major automotive company in Thailand.
Leak Site and Extortion Process
Dire Wolf operates an onion-based data leak site (last located at http://direwolfcdkv5whaz2spehizdg22jsuf5aeje4asmetpbt6ri4jnd4qd.onion) where it posts lists of exfiltrated files and sample data for each victim. Victims are typically given about one month to pay the ransom before all stolen data is publicly released. Ransom demands have reached up to $500,000. The group’s communications and ransom notes emphasize financial motivation, explicitly stating they have no political or ideological agenda.
Notable Incidents
• Legal Practice Board of Western Australia: Confirmed as a Dire Wolf victim, with the attackers threatening to release 300 GB of data in stages. The board took systems offline and is working with authorities, while a court injunction was obtained to prevent the dissemination of stolen data.
• Thairung Group: A leading Thai automotive company suffered a breach, highlighting the group’s focus on manufacturing and the Asia-Pacific region.
Dire Wolf ransomware group summary
| Attribute | Details |
|---|---|
| First Observed | May 2025 |
| Number of Victims | 16 (publicly listed as of June 2025) |
| Main Sectors Targeted | Manufacturing, Technology |
| Main Countries Affected | US, Thailand, Taiwan |
| Ransomware Language | Golang |
| Attack Model | Double extortion (encryption + data theft/leak) |
| Ransom Demands | Up to $500,000 |
| Leak Site | Onion-based, posts sample data and file listings |
| Notable Victims | Legal Practice Board of Western Australia, Thairung Group |
| Motivation | Financial (no political/ideological claims) |