DireWolf
ransomware
1 mutex signature
[BASIC_INFORMATION]
FAMILY_NAME:
DireWolf
CATEGORY:
RANSOMWARE
DESCRIPTION:
DireWolf (also known as Dire Wolf) is an emerging ransomware variant that employs double extortion tactics, encrypting victim files and threatening to publish stolen data. The ransomware group claims to be financially motivated with 'no morals, no political stance.' The malware creates a global mutex to prevent multiple instances from running simultaneously.
ALIASES:
Dire Wolf Ransomware, DireWolf
TAGS:
file_encryption, ransom_demand, windows, double_extortion, emerging_threat
[MUTEX_SIGNATURES](1)
[MUTEX_01]
Global\direwolfAppMutex
ANALYST: @adhikara13 DATE: 2025-07-16
[THREAT_INTELLIGENCE]
ATTRIBUTION:
DireWolf Ransomware Group
FIRST_OBSERVED:
2025
[STATISTICS]
MUTEX_COUNT:1
THREAT_ACTORS:1
ALIASES:2
TAGS:5
CATEGORY:RANSOMWARE