Werewolves
Werewolves is a financially motivated ransomware and double-extortion threat actor known for targeting organizations in Russia, including Russian companies more broadly.
Profile source: Mallory opens in a new tabWerewolves
Family profile
Werewolves is a financially motivated ransomware and double-extortion threat actor known for targeting organizations in Russia, including Russian companies more broadly. The group has been observed stealing data and then using extortion pressure based on both encryption and threatened publication of exfiltrated information. Its public messaging indicates that it reviews stolen material for potential legal, commercial, and competitive value in order to increase leverage over victims.
Reported tradecraft includes phishing and malicious email attachments for initial access, including exploitation of CVE-2017-11882. Post-compromise activity has included deployment of Cobalt Strike Beacon and Meterpreter, use of remote administration and reconnaissance tooling such as AnyDesk and NetScan, and abuse of LockBit-derived ransomware from the leaked LockBit builder. The group has therefore combined commodity intrusion tooling, hands-on-keyboard post-exploitation, and repurposed ransomware code in support of its operations.
Werewolves is best characterized as a Russia-focused cybercriminal extortion group rather than a nation-state actor. It has been described as using classic double-extortion tactics while also adopting more coercive pressure methods centered on analysis and threatened exposure of stolen data. Known aliases include werewolves_group.
Ransomware.live