Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Ongoing Dire Wolf Ransomware Campaign

18 August 2025

There are reports of a newly emerged ransomware group, known as ‘Dire Wolf’. First identified in May 2025, the Dire Wolf group has launched targeted attacks against multiple sectors and regions.

Background

There are reports of a newly emerged ransomware group, known as ‘Dire Wolf’. First identified in May 2025, the Dire Wolf group has launched targeted attacks against multiple sectors and regions, with the ransomware group mainly targeting the manufacturing and technology sectors.

Impact

Dire Wolf ransomware group employs a double extortion tactic, where it encrypts data on victims’ systems and threatens to publicly release exfiltrated data on its data leak site (DLS) unless a ransom is paid. This causes a two-fold impact of data loss and reputational damage on victim organisations. Anti-forensics techniques have been observed in the Dire Wolf ransomware variant, which includes a multi-stage attack chain designed to verify successful encryption, evade detection and prevent data recovery.

Indicators of Compromise

Administrators are advised to monitor and block known Indicators of Compromise (IOCs) associated with the Dire Wolf ransomware variant. 

Possible IOCs associated with the Dire Wolf ransomware are shown in the table below:

Indicators of Compromise

Type

File Name

Hash

Win64 EXE

data345.exe

MD5: A71dbf2e20c04da134f8be86ca93a619

SHA-1: Ed7c9fbd42605c790660df86b7ec325490f6d827

SHA-256: 8fdee53152ec985ffeeeda3d7a85852eb5c9902d2d480449421b4939b1904aad

Win64 EXE

data345.exe (unpacked)

MD5: aa62b3905be9b49551a07bc16eaad2ff

SHA-1: 4a5852e9f9e20b243d8430b229e41b92949e4d69

SHA-256: 27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3

Administrators are advised to monitor their systems and networks for the listed IOCs and review event and security logs for suspicious activity. They should also ensure that multiple backups are in place and tested, and apply appropriate security controls to detect and contain the Dire Wolf ransomware.

Additional Resources

Systems administrators may refer to CSA's advisory on how to protect their systems and data from ransomware threats here: https://isomer-user-content.by.gov.sg/36/01bb2d60-d6c3-4b29-9eec-845c43f2a2ff/singcert-advisory-protect-your-systems-and-data-from-ransomware-attacks.pdf

For organisations that are victims of a ransomware incident, please refer to CSA's ransomware response checklist here: https://isomer-user-content.by.gov.sg/36/5e2d519f-4261-4483-a4c6-1d36cffead8d/ransomware-response-checklist.pdf

References

https://www.broadcom.com/support/security-center/protection-bulletin/dire-wolf-ransomware

https://www.levelblue.com/blogs/spiderlabs-blog/dire-wolf-strikes-new-ransomware-group-targeting-global-sectors

https://otx.alienvault.com/pulse/6864dbf5ef57f2bd4ebb9cf3

Back to top