A sophisticated new ransomware strain known as Dire Wolf has emerged as a significant threat to organizations worldwide, combining advanced encryption techniques with destructive anti-recovery capabilities.
The group behind the malware first appeared in May 2025 and has since targeted 16 organizations across diverse industries including manufacturing, IT, construction, and finance in regions spanning Asia, Australia, Italy, and the United States.
Dire Wolf employs a double extortion strategy that not only encrypts victims’ data but also threatens to leak sensitive information publicly.
The group operates through darknet leak sites and communicates with victims via the Tox messenger platform, stating that their primary motivation is financial gain.
Within just months of their emergence, they have demonstrated a sophisticated understanding of enterprise environments and recovery mechanisms.
ASEC analysts identified several distinctive characteristics that set Dire Wolf apart from other ransomware families.
The malware demonstrates advanced technical capabilities through its combination of Curve25519 key exchange with ChaCha20 stream encryption, creating unique session keys for each encrypted file.
This cryptographic approach effectively blocks all known decryption methods, leaving victims with no recovery options beyond negotiating with the attackers.
The ransomware’s execution begins with argument-based control mechanisms, utilizing command-line parameters such as -d for directory targeting and -h for help functions.
Upon initialization, it performs protection checks using the system-wide mutex Global\direwolfAppMutex and searches for the completion marker C:\runfinish.exe to prevent duplicate infections.
Advanced Anti-Recovery and Evasion Techniques
Dire Wolf’s most concerning feature lies in its systematic destruction of recovery infrastructure.
The malware implements a persistent event log deletion mechanism that continuously monitors and terminates the Windows event log service.
This process involves running a PowerShell command that identifies the process ID of the eventlog service through a WMI query:
Get-WmiObject -Class win32_service -Filter "name = 'eventlog'" | select -exp ProcessId
The malware then forcibly terminates the service using taskkill commands in an infinite loop, ensuring that even if administrators restart the service, it remains blocked throughout the attack.
Additionally, Dire Wolf systematically removes system restore points using commands like vssadmin delete shadows /all /quiet and disables Windows Recovery Environment through bcdedit /set {default} recoveryenabled No.
The ransomware proactively terminates critical processes including databases (MSSQL, Oracle), mail servers (Exchange), virtualization platforms (VMware), and backup software (Veeam, Veritas BackupExec).
After completing encryption, it creates the marker file, forces a system reboot with a 10-second delay, and executes a self-deletion routine to remove traces of the malicious executable, significantly complicating forensic analysis and incident response efforts.
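The commands quoted above (the WMI lookup of the eventlog service PID, the repeated taskkill, vssadmin delete shadows and bcdedit recoveryenabled No) are exactly the kind of process-creation telemetry a SOC can alert on before encryption finishes. The following detection logic is an added example written for this article, not code from ASEC or from the malware; it runs over a constructed sample of simplified process-creation events (timestamp|parent process|command line, in the style of a Sysmon Event ID 1 export) and flags each indicator. The parent process name dw.exe and the PID 1234 in the sample are made up. The taskkill correlation, rather than matching a single taskkill, looks for the same parent killing the same PID several times within a short window, which is the "infinite loop" behaviour described here and distinguishes it from an administrator ending one process.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (not real telemetry): "timestamp|parent|command line".
# The command lines mirror the ones the article attributes to Dire Wolf; dw.exe and
# PID 1234 are placeholders invented for this example.
SAMPLE_EVENTS = """\
2025-06-01T10:00:01|explorer.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
2025-06-01T10:00:05|dw.exe|powershell.exe -c Get-WmiObject -Class win32_service -Filter "name = 'eventlog'" | select -exp ProcessId
2025-06-01T10:00:06|dw.exe|taskkill /F /PID 1234
2025-06-01T10:00:08|dw.exe|taskkill /F /PID 1234
2025-06-01T10:00:10|dw.exe|taskkill /F /PID 1234
2025-06-01T10:00:12|dw.exe|vssadmin delete shadows /all /quiet
2025-06-01T10:00:13|dw.exe|bcdedit /set {default} recoveryenabled No
2025-06-01T10:00:20|backup.exe|vssadmin list shadows
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    evidence: str


# Single-event signatures, built only from the commands quoted in the article.
# Case-insensitive because Windows command lines are.
RULES = [
    ("shadow_copy_deletion", "high",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I)),
    ("recovery_env_disabled", "high",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("eventlog_pid_lookup", "medium",
     re.compile(r"get-wmiobject.*win32_service.*name\s*=\s*'eventlog'", re.I)),
]
# taskkill by PID; the PID is captured so repeated kills of one process can be correlated.
TASKKILL_PID = re.compile(r"taskkill(\.exe)?\s+.*?/pid\s+(\d+)", re.I)


def parse_event(line):
    # maxsplit=2 keeps any '|' inside the command line (e.g. a PowerShell pipeline) intact.
    ts, parent, cmd = line.split("|", 2)
    return datetime.fromisoformat(ts), parent, cmd


def scan_events(text, loop_threshold=3, window_seconds=60):
    """Return a list of Findings for the anti-recovery indicators in the event text."""
    findings = []
    kills = defaultdict(list)  # (parent, pid) -> list of kill timestamps
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, parent, cmd = parse_event(raw)
        for name, severity, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(name, severity, raw))
        match = TASKKILL_PID.search(cmd)
        if match:
            kills[(parent, match.group(2))].append(ts)

    # Correlation: the same parent killing the same PID at least loop_threshold times
    # inside window_seconds is the kill loop the article describes. A single taskkill
    # is ordinary administration and is deliberately not flagged.
    for (parent, pid), stamps in kills.items():
        stamps.sort()
        for i in range(len(stamps) - loop_threshold + 1):
            span = (stamps[i + loop_threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                findings.append(Finding("taskkill_loop", "high",
                                        f"{parent} killed PID {pid} {len(stamps)} times"))
                break
    return findings


def rules_triggered(text):
    """Sorted, de-duplicated rule names that fired; convenient for alert routing."""
    return sorted({f.rule for f in scan_events(text)})


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

The shadow-copy rule matches only the delete form, so the legitimate vssadmin list shadows event from backup.exe in the sample produces no finding; tune loop_threshold and window_seconds to the noise level of your own environment, and treat the three high-severity rules firing from one parent process within seconds as grounds for isolating the host.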