email=*[email protected]*id=***.zip

[Content by Gemini 2.5]

RANSOMWARE BRIEFING

Extension in-the-wild: *.id-******.zip
Attacker e-mail left in ransom note: [email protected]


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Exact extension: .id-******.zip (six random alphanumeric characters after the id- tag)
  • Renaming convention:
    OriginalName.docx → OriginalName.docx.id-A7B4C9.zip
    The last 12 bytes of every encrypted file are also overwritten with a static marker, 09 57 6F 6C 66 20 52 75 73 73 69 61 (a 0x09 tab byte followed by “Wolf Russia” in ASCII), so incident responders can quickly verify the strain.

2. Detection & Outbreak Timeline

  • First reliable sightings: 2–3 Dec 2023 (Russia & CIS)
  • Rapid uptick: 8–12 Dec 2023 (PH, IN, BR, DE) via exposed RDP
  • Active family as of: Q2 2024 (latest samples compiled 16 Apr 2024)
  • Detection names that have matched the dropped encryptor:
      • Trojan-Ransom.Win32.RussiaWolf.a (Kaspersky)
      • Ransom:Win32/RWolf.A!MTB (Microsoft)
      • Ransom.RussiaWolf (Elastic)
      • Ransomware.Win64.RUSSIAWOLF.SM (TrendMicro)

3. Primary Attack Vectors

  1. Internet-facing RDP (TCP/3389) and SSH (TCP/22) – brute-forced; successful logins often reuse passwords from earlier leaks (credential stuffing).
  2. SMB and WMI lateral movement – uses built-in Windows tools once local admin has been obtained.
  3. Supply-chain e-mail campaign (Dec 2023) – ISO→LNK→DLL chain that downloads the encryptor from hxxps://transfer.sh/…/wolf.zip.
  4. Exploitation of Atlassian Confluence CVE-2023-22515 (Oct 2023 patch) – the Q1-2024 wave targeted neglected on-prem Confluence servers to drop the Wolf loader.
  5. Malicious “cracked” software installers (Photoshop, MS Office) – common on torrent trackers; wrapper drops both the ransomware and a cryptocurrency-miner.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

a. Kill the initial vectors

  • Disable RDP if unused; if required: enforce VPN-only access, NLA, 2FA, passwords of 14 or more characters, and an account-lockout policy.
  • Patch Confluence (or immediately take unpatched instances off-line).
  • Apply the latest Windows monthly cumulative update to keep SMB/WMI hardening current.

b. Application control

  • Turn on the Windows Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”.
  • Deploy AppLocker or WDAC to block execution of unsigned binaries from user-writeable paths (%TEMP%, %APPDATA%, Downloads).

c. Credential hygiene

  • Ban re-used passwords across administrative tiers.
  • Enforce LAPS for local admin accounts.

d. Network segmentation / zero-trust

  • Separate critical file-shares from user VLAN; require MFA to reach the backup network.

e. Proactive XDR

  • Hunt for Event ID 4625 (failed logons) exceeding 20 per hour from a single source IP.
  • Alert on vssadmin.exe delete shadows, on bcdedit /set {default} bootstatuspolicy ignoreallfailures, and on WMI-spawned rundll32 loading a .tmp file (all observed TTPs of this family).
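The three hunts in the list above, written out as detection logic over sample events. This is an added example, not tooling from the briefing's author: it assumes the events have already been parsed out of the Security log (4625 = failed logon, 4688 = process creation) into dicts with time, event_id, source_ip, command_line and parent fields, and the events it runs over are constructed, not real telemetry.

```python
"""Hunt logic for the 'Proactive XDR' items: 4625 bursts per source IP and the
three command-line TTPs. Events are assumed to be pre-parsed dicts; the
SAMPLE_EVENTS below are constructed for illustration only."""
import re
from collections import Counter
from datetime import datetime

FAIL_THRESHOLD = 20  # briefing's threshold: more than 20 failed logons per hour per source IP

# (rule name, regex over the process command line, required parent or None)
SUSPICIOUS_CMDLINES = [
    ("vss_delete",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), None),
    ("bcdedit_bootstatus",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I), None),
    # rundll32 loading a .tmp file; the briefing ties this to WMI, so require WmiPrvSE.exe as parent
    ("rundll32_tmp",
     re.compile(r"rundll32(\.exe)?\s+\S*\.tmp\b", re.I), "WmiPrvSE.exe"),
]


def _ev(ts, event_id, source_ip="", command_line="", parent=""):
    """Build one pre-parsed event dict (assumed shape, see lead-in)."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "source_ip": source_ip, "command_line": command_line, "parent": parent}


# Constructed sample: one noisy source IP, one quiet one, three bad process launches, one benign
SAMPLE_EVENTS = (
    [_ev(f"2023-12-09T02:{m:02d}:00", 4625, source_ip="203.0.113.5") for m in range(25)]
    + [_ev(f"2023-12-09T02:{m:02d}:00", 4625, source_ip="198.51.100.7") for m in range(3)]
    + [
        _ev("2023-12-09T02:31:10", 4688, command_line="vssadmin.exe delete shadows /all /quiet", parent="cmd.exe"),
        _ev("2023-12-09T02:31:12", 4688, command_line="bcdedit /set {default} bootstatuspolicy ignoreallfailures", parent="cmd.exe"),
        _ev("2023-12-09T02:31:20", 4688, command_line="rundll32.exe C:\\Users\\Public\\a1b2.tmp,Start", parent="WmiPrvSE.exe"),
        _ev("2023-12-09T02:32:00", 4688, command_line="rundll32.exe shell32.dll,Control_RunDLL", parent="explorer.exe"),
    ]
)


def logon_failure_bursts(events, threshold=FAIL_THRESHOLD):
    """Return {(source_ip, hour_bucket): count} for every hour in which a source IP
    produced more than `threshold` 4625 events."""
    buckets = Counter()
    for ev in events:
        if ev["event_id"] != 4625:
            continue
        hour = ev["time"].replace(minute=0, second=0, microsecond=0)
        buckets[(ev["source_ip"], hour)] += 1
    return {key: n for key, n in buckets.items() if n > threshold}


def suspicious_process_events(events):
    """Return [(rule_name, command_line)] for 4688 events matching a TTP regex
    (and, where the rule demands it, the expected parent process)."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4688:
            continue
        for name, rx, parent in SUSPICIOUS_CMDLINES:
            if rx.search(ev["command_line"]) and (parent is None or ev["parent"].lower() == parent.lower()):
                hits.append((name, ev["command_line"]))
    return hits


if __name__ == "__main__":
    for (ip, hour), n in logon_failure_bursts(SAMPLE_EVENTS).items():
        print(f"4625 burst: {ip} {n} failures in hour starting {hour:%Y-%m-%d %H:00}")
    for name, cmd in suspicious_process_events(SAMPLE_EVENTS):
        print(f"TTP {name}: {cmd}")
```

Bucketing by clock hour is a deliberate simplification: a sliding window catches attackers that straddle the hour boundary, but the fixed bucket is what most SIEM scheduled searches actually implement. The benign rundll32 launch from explorer.exe is included to show that the .tmp regex alone would not fire on it, and that the parent check narrows the rule further.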

2. Removal (step-by-step)

  1. Isolate — shut down the infected host; disable its switch port or Wi-Fi.
  2. Collect artifacts — preserve the ransom note (HOW_TO_BACK_Files.txt), the PE sample (usually C:\Users\Public\svhost.exe or %TEMP%\dllwolf.dll), and C:\Windows\System32\winevt\Logs before any cleanup.
  3. Boot a clean OS — either replace the disk and re-image, or boot from an offline recovery USB; do NOT log in with a domain-admin account on a compromised machine.
  4. Scan offline — use Windows Defender Offline or Kaspersky Rescue Disk to delete:
      • svhost.exe (main encryptor, 32-bit PE)
      • dllwolf.dll (x64 variant, side-loaded)
      • Registry auto-run entry:
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WolfSvc = "C:\Users\Public\svhost.exe"
  5. Rebuild/re-image — RussiaWolf has exhibited privilege-escalating behaviour; wiping partitions is safer than “cleaning”.
  6. Do NOT pay — there is currently no evidence that the actor consistently supplies a working decryptor after payment; negotiations via [email protected] regularly stall.

3. File Decryption & Recovery

  • Decryptable? No. The malware carries a hard-coded Curve25519 public key; the corresponding private key has never been recovered or leaked.
  • Recovery therefore depends on:
      • Clean, off-line backups (immutable or unmounted).
      • Windows File History or OneDrive “Previous Versions”, which sometimes retain cloud copies unaffected by the local VSS purge; check these first.
      • File-recovery tools (PhotoRec, R-Studio), which can retrieve partial data only if the disk has been lightly used after encryption (MFT only partially overwritten).
  • Volume Shadow Copies are deleted automatically; residual VSS snapshots rarely survive, so do not plan around them.

4. Other Critical Information

  • RussiaWolf does NOT exfiltrate; there is no “double-extortion” leak site. However, samples contain a dormant Cobalt Strike stager, so assume a possible back-door if lateral movement is observed.
  • The ransomware terminates 185 predefined processes (SQL, Exchange, Oracle, Veeam) before encryption to maximise damage, but does NOT reboot the machine; this gives incident teams a window to spot the attack mid-flight if monitoring is in place.
  • Encryption runs two threads per CPU core using ChaCha20 over 64 KB chunks; network shares with more than 10 GB free are selected first to increase pressure.
  • Although the mail domain is Russian (“russiawolf”), English ransom notes and a .onion chat are provided; geolocation of payments shows more than 45% of victims are EU companies, indicating opportunistic rather than geopolitical targeting.

KEY TAKE-AWAYS

  1. No free decryptor—backups are the only fast path to recovery.
  2. Initial access is almost always weak RDP credentials—close or harden it immediately.
  3. The malware’s renaming mask (.id-XXXXXX.zip) and end-of-file “Wolf Russia” tag make identification trivial; use them to build a network-wide YARA/Suricata rule and find other affected hosts before encryption completes.
  4. Rebuild rather than “clean”; the dropped Cobalt Strike stager gives attackers a potential second-stage channel.
  5. Report the incident (and the BTC wallet if provided) to your national CERT and to stopransomware.gov – collective IOC sharing weakens the economics of this actor.

TOOL SHORT-LIST (all free)

  • Kaspersky Virus Removal Tool / Rescue Disk – offline disinfection
  • MS Safety Scanner (latest) – complementary scan after re-image
  • Wireshark filter: tcp.port == 3389 && tcp.flags.reset == 1 — surfaces bursts of reset RDP sessions, a rough indicator of brute-forcing (confirm against Event ID 4625).
  • YARA signature (the 12-byte marker is the 0x09 tab byte plus “Wolf Russia”, matched at the very end of the file):
    rule RussiaWolf_Encrypted_File {
        strings:
            $m = { 09 57 6F 6C 66 20 52 75 73 73 69 61 }
        condition:
            $m at (filesize - 12)
    }
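A pure-Python equivalent of the YARA rule above, combined with the renaming mask from section 1, so that a responder without yara installed can still sweep a share. This is an added example, not a tool from the briefing: the trailer value and the name mask are taken from the briefing, the four-file sample directory is constructed for illustration, and the verdict names (encrypted, marker_only, mask_only) are this example's own.

```python
"""Sweep a directory tree for files that carry the RussiaWolf indicators from the
briefing: the *.id-XXXXXX.zip rename mask and the 12-byte end-of-file marker.
The sample tree built by build_sample_tree() is constructed, not real data."""
import os
import re
import tempfile
import zipfile

# Marker from the briefing: 0x09 (tab) followed by "Wolf Russia" (11 ASCII bytes) = 12 bytes
TRAILER = b"\x09Wolf Russia"

# Rename mask from section 1: <original name>.id-<six alphanumerics>.zip
NAME_MASK = re.compile(r"^(?P<original>.+)\.id-[A-Za-z0-9]{6}\.zip$")


def has_trailer(path):
    """True if the last 12 bytes equal TRAILER; the same test as '$m at (filesize - 12)' in YARA."""
    size = os.path.getsize(path)
    if size < len(TRAILER):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(TRAILER))
        return fh.read(len(TRAILER)) == TRAILER


def classify(path):
    """Combine both indicators into one verdict (verdict names are this example's own):
    encrypted   - name matches the mask AND the trailer is present (high confidence)
    marker_only - trailer present but the file was not renamed (interrupted run)
    mask_only   - name fits the mask but no trailer (e.g. an ordinary ZIP with a look-alike name)
    clean       - neither indicator"""
    name_hit = NAME_MASK.match(os.path.basename(path)) is not None
    data_hit = has_trailer(path)
    if name_hit and data_hit:
        return "encrypted"
    if data_hit:
        return "marker_only"
    if name_hit:
        return "mask_only"
    return "clean"


def scan_tree(root):
    """Walk root and return {relative path: verdict} for every file that is not clean."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict != "clean":
                findings[os.path.relpath(full, root)] = verdict
    return findings


def build_sample_tree():
    """Create a constructed directory with one file per verdict and return its path."""
    root = tempfile.mkdtemp(prefix="wolf_sample_")
    # Renamed and carrying the trailer: what a fully processed victim file looks like
    with open(os.path.join(root, "report.docx.id-A7B4C9.zip"), "wb") as fh:
        fh.write(os.urandom(4096) + TRAILER)
    # Trailer written but the rename never happened
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(os.urandom(1024) + TRAILER)
    # A genuine ZIP whose name fits the mask; it ends with its own end-of-central-directory record
    with zipfile.ZipFile(os.path.join(root, "archive.id-ABC123.zip"), "w") as zf:
        zf.writestr("readme.txt", "harmless archive")
    # Untouched file
    with open(os.path.join(root, "clean.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{verdict:12s} {rel}")
```

Checking the trailer rather than the name is what makes the sweep useful mid-incident: a file that already ends in the marker is lost even if the rename has not happened yet, and a legitimately named archive that lacks the marker is not a victim. Run scan_tree() against a mounted share read-only and from a clean host, not from the compromised machine.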