On 20 December 2023, there were reports of numerous ransomware events in Russia and across the Balkans, namely in Serbia and Macedonia. All the attacks were claimed by Werewolves, a newly emerging ransomware group that has been first tracked, in October 2023, by the Moscow, Russia-based cybersecurity company BiZone. According to this analysis, Werewolves historically targeted Russia and Belarus.
The December 2023 impacted various entities across sectors, including e-commerce, a shopping mall management in Serbia, hospitality with a large Russian hotel management business being targeted. At least two of the impacted entities play a role in critical infrastructure and state administration. Such organizations include:
The Russian energy supplier Gaztranscom. Based in Kazan, Russia, the company is operating in the Tatarstan region and is part of the TAIF Group, a large Russian investment holding. Gaztranscom appears to operate in conjunction with the Russian energy giant Gazprom and manages the GRS No. 2 Nizhnekamsk pipeline.
Macedonian government Agency for Electronic Communication (АГЕНЦИЈА ЗА ЕЛЕКТРОНСКИ КОМУНИКАЦИИ - AEK) which serves a regulatory body for the telecommunication sector in Macedonia.
Available intelligence on the Werewolves group is quite limited. All that is known comes from BiZone's analysis. There is subsequently no broader or alternative coverage of this threat actor. Based on BiZone's analysis alone, Werewolves' typical attack chain includes:
Leveraging phishing as an entry point. Phishing links were often generated leveraging the popular open source tool IP Logger.
Intrusion is performed via a remote access trojan (RAT). Deployment of the NetWire RAT has been frequently observed.
Themida has been often used to provide evasion capability alongside ability to load custom dynamic link library (DLL) files.
Indicators of compromise (IOCs) correlated to Werewolves-attributed events observed last October are consistent with command-and-control (C2) leveraging infrastructure located in the Netherlands as well as Namecheap-registered domain names, including one with a Ukraine-based registrant who - if such registrant records are to be believed - appears to leverage a Russian telephone number.
The attacks on Russia, Serbia and Macedonia were not the only linked to Werewolves. On 20 December 2023, the actor listed other victims, including organizations in the United States, France, Germany and the Netherlands.
Interestingly enough, Hackmanac reports a partial overlap between Werewolves and LockBit victims; six LockBit victims are also listed on the Werewolves leak site.