New Group Dire Wolf Attacks
A new group, known as “Dire Wolf”, launched last month, has targeted 16 organizations worldwide, primarily in the manufacturing and technology sectors. The group deploys a double extortion technique for ransom and uses custom encryptors made for particular targets. Trustwave SpiderLabs experts recently found a ransomware sample from the Dire Wolf group and learned about its operations.
The targets were from 11 countries, and Thailand and the US reported the highest number of incidents. At the time of this story, the Dire Wolf had scheduled to post leaked data of 5 out of 16 victims on its website due to not paying ransoms.
"During investigation, we observed that the threat actors initially publish sample data and a list of exfiltrated files, then give the victims around one month to pay before releasing all the stolen data," said Trustwave Spiderlabs. The ransom demand from one of the victims was approximately $500,000,” it added.
A deep dive into the incident
The experts studied a Dire Wolf ransomware sample, which contained UPX- a common technique used by hackers to hide malware and restrict static analysis.
Upon unpacking, the experts discovered that the binary was in Golang, a language that makes it difficult for antivirus software to find the malware written in it. After execution, the ransomware checks for the encryption and presence of the mutex "Global\direwolfAppMutex" in the system to ensure a single operation runs at a time. If any condition is met, the ransomware removes itself and ends the execution.
If the condition is not met, the ransomware disables event logging and ends specific processes that can stop its completion. One such function is designed to “continuously disable Windows system logging by terminating the 'eventlog' process … by executing a Powershell command," experts said. It also stops apps and services, and executes a series of Windows commands to stop system recovery options.
How to stay safe
Dire Wolf reminds us that new threat actors are always emerging, even when infamous gangs such as LockBit and Ghost are disrupted. Organizations are advised to follow robust security measures, securing endpoints to stop initial access and also patch flaws in the systems to avoid exploits.
