ThaiCERT warns of Dire Wolf ransomware

TUESDAY, AUGUST 26, 2025

ThaiCERT warns of new Dire Wolf ransomware targeting high-value organisations in 11 countries, including Thailand, with double extortion tactics.

The Thailand Computer Emergency Response Team (ThaiCERT) on Tuesday urged large organisations in Thailand to strengthen their cyber security measures against attacks from Dire Wolf ransomware, which has already targeted organisations in 11 countries.

ThaiCERT noted that, unlike older, more indiscriminate ransomware campaigns, Dire Wolf is highly targeted. The group focuses on specific, high-value organisations that are less able to suspend operations and are therefore considered more likely to pay large ransoms.

According to ThaiCERT, Dire Wolf has attacked 16 organisations across 11 countries, including the United States, Thailand, Taiwan, Singapore, India and Indonesia.

A new and emerging threat

Dire Wolf is the name of a newly emerged ransomware group and its associated malware. It first appeared in May 2025 and has quickly become a significant threat, primarily targeting organisations in the manufacturing and technology sectors worldwide.

The group employs a “double extortion” tactic, increasingly common among ransomware actors. They not only encrypt the victim’s data but also exfiltrate (steal) large volumes of sensitive information. Victims are then threatened with public release of the stolen data on a leak site if they fail to pay the ransom. This raises the stakes, exposing organisations not only to data loss but also reputational harm and possible legal consequences.

How the malware works

The Dire Wolf malware is designed to make recovery difficult. It can:

  • Terminate various system services and processes.
  • Delete backups and “Volume Shadow Copies” used for system restoration.
  • Disable Windows event logs to conceal its activity.
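
Each of the three behaviours above leaves process-creation traces that defenders can correlate. The following is an added example, not from ThaiCERT or the original article: it flags a host when command lines from at least two behaviour categories appear within a short window. The patterns are generic Windows administration commands associated with these behaviours, not Dire Wolf-specific indicators, and the event fields, host names and sample events are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic command-line patterns per behaviour (assumed, not Dire Wolf indicators).
# Order matters: the first matching category wins.
RULES = {
    "backup_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete"
        r"|\bwbadmin(\.exe)?\s+delete\s+(catalog|backup)", re.I),
    "log_tampering": re.compile(
        r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bwevtutil(\.exe)?\s+sl\s.*?/e:false"
        r"|\bclear-eventlog\b|\bsc(\.exe)?\s+(stop|config)\s+eventlog", re.I),
    "service_termination": re.compile(
        r"\bnet1?(\.exe)?\s+stop\s|\bsc(\.exe)?\s+stop\s|\btaskkill(\.exe)?\s.*?/f\b", re.I),
}

def classify(command_line):
    """Return the behaviour category for a command line, or None."""
    for name, pattern in RULES.items():
        if pattern.search(command_line):
            return name
    return None

def correlate(events, window=timedelta(minutes=10), min_categories=2):
    """Return {host: categories} for hosts showing several behaviours within `window`.
    A single category on its own is often routine administration, so it is not flagged."""
    hits = defaultdict(list)
    for ev in events:
        category = classify(ev["command_line"])
        if category:
            hits[ev["host"]].append((datetime.fromisoformat(ev["time"]), category))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for start, _ in seen:
            cats = {c for t, c in seen if start <= t <= start + window}
            if len(cats) >= min_categories:
                alerts[host] = sorted(set(alerts.get(host, [])) | cats)
    return alerts

# Constructed process-creation events (e.g. exported from Sysmon ID 1 or Security 4688).
SAMPLE_EVENTS = [
    {"host": "FS01", "time": "2025-08-26T02:14:05", "command_line": "net stop MSSQLSERVER /y"},
    {"host": "FS01", "time": "2025-08-26T02:14:09", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "time": "2025-08-26T02:14:31", "command_line": "wevtutil cl Security"},
    {"host": "WS07", "time": "2025-08-26T09:30:00", "command_line": "taskkill /F /IM notepad.exe"},
    {"host": "WS07", "time": "2025-08-26T09:31:00", "command_line": "vssadmin list shadows"},
    {"host": "BK02", "time": "2025-08-26T03:00:00", "command_line": "wbadmin delete catalog -quiet"},
    {"host": "BK02", "time": "2025-08-26T11:45:00", "command_line": "sc stop Spooler"},
]
```

Only FS01 is flagged in the sample data: WS07 shows a single category, and BK02's two events are hours apart.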

Defence measures recommended by ThaiCERT

ThaiCERT advised that the best defences against Dire Wolf ransomware are the same as for other major ransomware threats:

  • Proactive cyber hygiene: Keep all systems and software up to date with the latest security patches.
  • Robust backups: Maintain regular, secure and off-site backups of critical data, which provide the most effective way to recover without paying a ransom.
  • Multi-factor authentication (MFA): Implement MFA on all accounts, especially for remote access, to prevent misuse of stolen credentials.
  • Network segmentation: Limit attackers’ ability to move laterally within the network and compromise multiple systems.
  • Endpoint security: Use up-to-date antivirus and endpoint detection and response (EDR) tools to detect and block malicious behaviour.
  • Employee training: Educate staff to recognise and report phishing attempts and other social engineering techniques, which remain a common entry point for attackers.