Werewolves is a financially motivated ransomware and double-extortion threat actor known for targeting organizations in Russia, including Russian companies more broadly. The group has been observed stealing data and then using extortion pressure based on both encryption and threatened publication of exfiltrated information. Its public messaging indicates that it reviews stolen material for potential legal, commercial, and competitive value in order to increase leverage over victims. Reported tradecraft includes phishing and malicious email attachments for initial access, including exploitation of CVE-2017-11882. Post-compromise activity has included deployment of Cobalt Strike Beacon and Meterpreter, use of remote administration and reconnaissance tooling such as AnyDesk and NetScan, and abuse of LockBit-derived ransomware from the leaked LockBit builder. The group has therefore combined commodity intrusion tooling, hands-on-keyboard post-exploitation, and repurposed ransomware code in support of its operations. Werewolves is best characterized as a Russia-focused cybercriminal extortion group rather than a nation-state actor. It has been described as using classic double-extortion tactics while also adopting more coercive pressure methods centered on analysis and threatened exposure of stolen data. Known aliases include werewolves_group.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware operations using phishing lures and a consistent toolchain (remote admin, post-exploitation frameworks) with double extortion; uses Office exploit CVE-2017-11882 in delivery.
Double-extortion ransomware activity targeting Russian companies using a variant derived from leaked LockBit ransomware.
Ransomware operator claiming to analyze stolen data for legal/commercial/insider-information value to increase leverage and reputational harm against victims.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.