Three new hacker collectives have emerged in intelligence reports, dubbed Battle Wolf, Twelfth Wolf, and Shadow Wolf. They are reportedly active in using ransomware to target Russian companies, encrypt data on infected systems, and demand payment for restoration. A recent Bi.Zone report discussed by socialbites.ca first identified these groups and described their operations as ongoing, with more than forty cyber incidents attributed to Russian targets by security experts who monitored the activity.
Details from the report show that at least fifteen sizable Russian organizations across diverse sectors have felt the impact. These sectors include science and industry, government, finance, and other important domains. The Twelfth Wolf is said to have attacked a major federal executive authority in Russia, an incident that attackers claim resulted in the exposure of confidential information. Shadow Wolf, meanwhile, is reported to focus its efforts on companies within the engineering, insurance, transportation, and media sectors.
Experts clarify that unlike War Wolf and Twelfth Wolf, Shadow Wolf appears to operate with purely financial motives rather than political aims. Communication with victims is described as taking place on dark web pages, with ransom notes that direct victims to these pages to decrypt and remove stolen data. This observation comes from Oleg Skulkin, who leads the cyber intelligence division in the Bi.Zone network analysis team.
Skulkin notes a common thread connecting all three groups: they are leveraging ransomware variants that trace back to well-known families used by other major hacker collectives, including Babuk, Conti, and LockBit. Reports allege that Battle Wolf, Twelfth Wolf, and Shadow Wolf assembled functional versions of malware by stitching together code fragments found on the dark web amid intergroup conflicts that have persisted for years. These disputes among prominent cybercrime organizations have grown more frequent since the start of geopolitical escalations, a trend that security researchers are watching closely.
According to Skulkin, today’s malware landscape is shaped by the ready availability of source code and toolkit components published online. This open accessibility lowers the barrier to entry for criminals, enabling cheaper and faster deployment of attacks. The result is a broader range of targets, including sectors that previously saw limited or no activity from major criminal networks. In this shifting environment, even regions and industries once considered less at risk may face heightened threat levels as criminal groups adapt and expand their capabilities.
The situation described by Bi.Zone underlines a growing pattern in ransomware operations: the shift from broad, opportunistic intrusions to more targeted campaigns aimed at specific industries and government-related entities. Security analysts emphasize that the evolving tactics require continuous vigilance, robust incident response planning, and international collaboration to mitigate risks and respond effectively when breaches occur. The report also highlights the strategic use of public, open-source malware components, which not only accelerates the attack cycle but also complicates attribution and defense in depth measures.
Context from recent public disclosures and cybersecurity analyses indicates that the rise of these wolf-named groups aligns with broader trends in cybercrime. The availability of ready-to-use ransomware kits and the ease of acquiring exploit techniques on the dark web contribute to a more dynamic and unpredictable threat landscape. As Russian organizations continue to fortify their digital defenses, security teams are urged to monitor for indicators associated with these families, strengthen data backup and recovery processes, and implement layered security controls to reduce the likelihood and impact of future incidents. Observers suggest that ongoing monitoring, rapid containment, and transparent incident reporting will be essential components of resilience in the face of expanding ransomware campaigns.