
When Ice Meets Fire: The Ransomware Siege of Pergamon Status Diş Ticaret AŞ
The Titans on the Chessboard – Pergamon Status Diş Ticaret AŞ and the Direwolf Collective
Pergamon Status Diş Ticaret A.Ş. was founded in April 2001, employs 22 people, and has been listed on Borsa İstanbul under the ticker PSDTC since November 12, 2014. As of mid-July 2025, its market capitalization is reported between TRY 740 million and TRY 855 million (≈ EUR 15.8 million–18.2 million), based on figures from StockAnalysis.com, Simply Wall St, Investing.com, İş Yatırım, and FT.com.
Public filings show Pergamon Status has processed over 130,000 customs entries, trading with 976 buyers and 19 suppliers. Its key partners include Keller & Kalmbach GmbH, Würth Industrie Service GmbH & Co KG, and Artistic Fabric Mills (Private) Ltd., forming a network that underpins its logistics leadership in Turkey’s export-import ecosystem.
Direwolf first emerged in May 2025 and has quickly gained notoriety for its double-extortion playbook. The group encrypts networks using the ChaCha20 cipher with Curve25519 key exchange, siphons off critical data, then threatens publication on a Tor-hosted leak site unless paid in cryptocurrency. Between May 27 and July 8, 2025, Direwolf publicly claimed 21 victims, maintaining an average 13.1-day window from breach to data dump announcement.
In Pergamon Status’s breach, attackers exfiltrated roughly 50 GB of Oracle, financial, import/export, tax, and audit records. They published a sample file list on July 20, 2025, with a full data dump scheduled for July 30. HookPhish’s timeline confirms the intrusion was detected at 12:55 UTC on July 20, 2025, underscoring Direwolf’s rapid, surgical tempo against a major Turkish trade firm.
The Silent Infiltration – How the Ice Cracked
On July 20, 2025, Direwolf published a sample file list on its Tor-hosted leak site, signaling the start of its public extortion campaign. Pergamon Status’s Security Operations Center first detected encrypted files on its primary file server at 12:55 UTC that same day.
Everything beyond these timestamps is an estimated attack path, reconstructed from Direwolf’s known tactics and industry-wide analyses:
July 15, 2025, 03:20 UTC (estimated): A burst of brute-force login attempts—over 800 failed RDP authentications—from an IP linked to bulletproof hosting.
July 15–18, 2025 (estimated): Reconnaissance via scanning open RDP ports and enumerating SMB/CIFS shares to map the network perimeter.
July 18, 2025 (estimated): Credential harvesting using tools similar to Mimikatz and Pass-the-Hash techniques to escalate privileges on Windows domain controllers.
July 18–20, 2025 (estimated): Lateral movement into critical systems, including the SAP S/4HANA logistics server and central Oracle database, remaining undetected by signature-based defenses.
July 20, 2025, early hours (estimated): Exfiltration of roughly 50 GB of Oracle tables, financials, import/export logs, tax records, and audit documents—tunneled over HTTPS to a Tor hidden service. This transfer likely peaked at ~500 Mbps, completing in about 4 hours.
July 20, 2025, 00:45 UTC (estimated): Deployment of custom ChaCha20-Poly1305 encryption across file servers.
July 20, 2025, 00:52 UTC (estimated): The ominous howl.txt ransom note appears network-wide, declaring the breach and ransom demand.
By the time Pergamon Status’s defenders woke to the ransom note, Direwolf had already completed both data theft and encryption, leaving just the 48-hour countdown to pay or face full public data release.
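A detection sketch for the first two steps of the estimated path (a burst of failed RDP logons from one address, then a successful logon from that same address), added here as an illustration and not taken from the breach reports or any vendor tooling. The record format, the 30-minute window, the sample addresses and the account names are assumptions; the threshold of 800 mirrors the estimate in the timeline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security event IDs: failed / successful logon
REMOTE_LOGON_TYPES = {3, 10}   # 10 = RemoteInteractive (RDP); 3 = network logon, logged for RDP with NLA

def parse(line):
    """Parse one record in the assumed export format: time,event_id,logon_type,src_ip,account."""
    ts, eid, ltype, ip, acct = line.strip().split(",")
    return datetime.fromisoformat(ts), int(eid), int(ltype), ip, acct

def detect_rdp_bruteforce(lines, threshold=800, window=timedelta(minutes=30)):
    """Alert on more than `threshold` failures per source IP inside `window`,
    and on any later successful logon from an IP that already produced a burst."""
    recent = defaultdict(deque)            # src_ip -> failure timestamps still inside the window
    burst_ips, alerts = set(), []
    for ts, eid, ltype, ip, acct in sorted(map(parse, lines)):
        if ltype not in REMOTE_LOGON_TYPES:
            continue                       # console and service logons are out of scope here
        q = recent[ip]
        while q and ts - q[0] > window:    # expire failures older than the window
            q.popleft()
        if eid == FAILED:
            q.append(ts)
            if len(q) > threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append(("burst", ip, ts, len(q)))
        elif eid == SUCCESS and ip in burst_ips:
            # A success after a burst is the high-priority signal: a guess may have worked.
            alerts.append(("success_after_burst", ip, ts, acct))
    return alerts

def sample_log():
    """Constructed sample data; the IPs come from the RFC 5737 documentation ranges."""
    start = datetime(2025, 7, 15, 3, 20)
    rows = [f"{(start + timedelta(seconds=2 * i)).isoformat()},4625,10,203.0.113.50,admin{i % 7}"
            for i in range(805)]                                      # 805 failures in about 27 minutes
    rows.append("2025-07-15T03:48:00,4624,10,203.0.113.50,admin3")    # success from the same source
    rows.append("2025-07-15T03:25:00,4625,10,198.51.100.7,jdoe")      # ordinary mistyped password
    rows.append("2025-07-15T03:26:00,4624,10,198.51.100.7,jdoe")
    rows.append("2025-07-15T03:30:00,4625,2,203.0.113.50,console")    # non-remote logon type, ignored
    return rows

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(sample_log()):
        print(alert)
```

In production the same logic would normally run as a SIEM correlation rule, with the threshold set far below 800 so that the alert fires while the burst is still in progress.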
The Aftermath – Fragments of a Fractured Network
When the first howl.txt ransom note surfaced, chaos rippled through Pergamon Status’s operations. By 12:55 UTC on July 20, 2025, core file servers were encrypted and a sample data leak had already been posted on Direwolf’s Tor site. The company faced an immediate dilemma: pay the ransom within 48 hours or watch full dossiers of sensitive Oracle tables, financials, import/export logs, tax records, and audit reports go live on July 30.
The breach’s real-world impact unfolded within hours:
Order fulfillment ground to a halt (estimated): automated workflows in the SAP S/4HANA logistics platform went dark, stalling tens of thousands of monthly shipments to dental clinics across Europe and the Middle East.
Client communications scrambled (estimated): emergency hotlines and dedicated email channels were stood up to reassure Pergamon Status’s network of 976 buyers.
Incident response was mobilized (estimated): external consultants—likely from Germany or the UK—were flown in to perform forensics, isolate infected segments, and advise on decryptor negotiations.
Regulatory obligations triggered (estimated): under Turkey’s KVKK data-protection law, Pergamon Status would have 72 hours to notify the Information and Communication Technologies Authority (BTK) and affected individuals.
Despite these efforts, traces of Direwolf’s intrusion lingered—ghost administrator accounts, encrypted snapshots in misconfigured backup vaults, and the ever-ticking countdown on the leak site. With the threat of a full data dump looming, Pergamon Status was forced to balance reputational risk against potential financial loss.
The Reckoning – Counting the Cost of Ice and Fire
As the dust settles on Pergamon Status’s fractured network, the financial toll of Direwolf’s double-extortion assault stacks up in the multi-million-euro range. Below is an estimated breakdown based on historical ransomware impact data and known Direwolf demands.
Ransom payment demand:
Direwolf’s early victims have faced demands around $500,000, suggesting Pergamon Status likely saw a similar figure—≈ €460,000.
Incident response & recovery costs:
Organizations hit by ransomware spend an average of $2.73 million on forensics, remediation, legal support, and system restoration—≈ €2,510,000.
Operational downtime losses:
With enterprise systems offline for roughly 24 days on average, and daily revenue at ≈ €2,600, Pergamon Status could have lost €62,400 in unfulfilled orders and labor inefficiencies.
Regulatory fines & legal fees (estimate):
Under Turkey’s KVKK data-protection regulations, late notifications and breach fallout can incur penalties and counsel fees. Assuming 2% of annual revenue, this rounds to about €20,000 (internal estimate).
Total Estimated Financial Impact:
≈ €3,052,400
Even on the low end, if Pergamon Status leveraged cold backups and negotiated a reduced payoff, its direct losses would exceed €1 million, with the risk of more if extended litigation or reputational harm materializes.
The Final Stand – A Tale of Triumph with Cy-Napea®
The smoke still hung over Pergamon Status’s shattered network when a new champion arrived: Cy-Napea®, the gleaming fortress of Aurora Consolidated Ltd. Born from the fires of countless cyberbattles, Cy-Napea® stood ready to shield every corridor of data with its unified SaaS arsenal—Advanced Threat Protection, EDR/XDR/MDR, Immutable Backups, and more. As Direwolf’s shadow loomed large, the defenders of İzmir found hope in these digital ramparts.
In the dead of night, when the first phishing arrow struck, Cy-Napea®’s Cybersecurity Awareness Training sprang to life. Employees, once unaware, now moved like sentinels:
A procurement clerk paused at the sight of a spoofed shipping invoice.
A logistics coordinator recognized the telltale signs of a fake IT support call.
Staff rallied around the emergency channel, reporting the suspicious activity before a single credential slipped through.
The human firewall crackled to life, closing the breach long before Direwolf could plant its claws.
Elsewhere, in the inbox trenches, Cy-Napea®’s Advanced Email Security cast a net of AI-driven filters. Malicious links dissolved into harmless phantoms, and impersonation attempts were flagged with blazing warnings. The forged “urgent update” from a supposed carrier never reached a single eye—Direwolf’s bait lay untouched, its hook snapped in midair.
When an enemy managed to slip inside the walls, Cy-Napea®’s EDR/XDR/MDR engines roared awake. Unusual processes—echoes of ChaCha20 encryption routines—were detected in real time. Infected hosts were sealed off by automated playbooks. Threat hunters, guided by Cy-Napea®’s deep telemetry, traced the intruders’ every step, severing exfiltration tunnels long before 50 GB of data ever saw the open internet.
And on the rarest of worst-case nights, when encryption swept through unprotected servers, Cy-Napea®’s Immutable Backups & One-Click Recovery turned back the clock. Air-gapped snapshots blinked into existence, restoring SAP and Oracle realms in a heartbeat. What could have been weeks of agony became mere hours of flickering screens and triumphant cheers.
Disclaimer:
These scenes are drawn from public breach reports (Ransomware.live, HookPhish), market data (StockAnalysis.com, Simply Wall St, Investing.com, İş Yatırım, FT.com), and Cy-Napea®’s own materials. Actual outcomes may vary.
All Sources
Ransomware.live, “Ransomware Group Direwolf Hits Pergamon Status Dış Ticaret A.Ş.”
HookPhish, “Ransomware Group Direwolf Hits Pergamon Status Diş Ticaret A.Ş.,” July 2025.
StockAnalysis.com, “Pergamon Status (PSDTC) Market Cap,” June 27 2025.
Simply Wall St, “Pergamon Status Diş Ticaret Shares Information,” July 11 2025.
Investing.com, “Pergamon Status Diş Ticaret Market Cap,” July 18 2025.
Financial Times, “PSDTC – Borsa İstanbul Data,” July 16 2025.
Cloudwards.net, “The Latest Ransomware Statistics & Trends [Updated 2025],” April 25 2025.
Cy-Napea®, “Cy-Napea: Comprehensive Cybersecurity Platform,” 2025.
Cy-Napea®, “How Cy-Napea® Could Have Saved Marks & Spencer from Cyber Catastrophe,” May 26 2025.
