Anubis Ransomware Evolves with Integrated Wiper, Leaving Victims No Recovery Path

Anubis, a Ransomware-as-a-Service (RaaS) operation active since December 2024, combines file encryption with an integrated file-wiping mode, so that files processed in wipe mode cannot be recovered even if a ransom is paid. It runs a flexible affiliate program with negotiable revenue splits and has so far claimed victims in healthcare, engineering and construction across Australia, Canada, Peru and the U.S. Initial access is typically gained through spear-phishing; the payload then encrypts files with ECIES and deletes Volume Shadow Copies. With its dual encrypt-or-wipe capability and monetization through data extortion, Anubis continues to evolve as a high-impact ransomware variant in 2025.

Technical Description

A relatively new entrant in the Ransomware-as-a-Service (RaaS) landscape, Anubis emerged in December 2024 and swiftly gained notoriety through a series of attacks on critical industries. The group stands out for its flexible affiliate program, offering multiple profit-sharing models: a standard RaaS option with an 80% payout to affiliates, a data theft-assisted extortion model in which Anubis takes 60% of the proceeds, and a post-compromise extortion support model with a 50/50 revenue split.

Background and Development:

Anubis first surfaced on cybercrime forums in December 2024, initially under the name “Sphinx.” Early samples showed signs of being in development, including incomplete ransom notes that lacked TOR links and victim-specific IDs. By 2025, Anubis had refined both its branding and its operational functionality. The core malware, however, remained largely unchanged from the original Sphinx variant: the main difference is the updated ransom note generation, which points to a single codebase whose messaging was improved rather than a rewrite.

Affiliate Operations and Monetization Approach:

  • Customizable Revenue Models:

Anubis promotes a flexible affiliate program with negotiable profit splits, marketed on cybercrime forums like RAMP and XSS under the aliases “superSonic” and “Anubis__media.”

  • Diversified Extortion Tactics:

In addition to traditional ransomware deployment, Anubis supports affiliates through data extortion schemes and access monetization models, broadening its financial exploitation methods.

  • Active Forum Engagement:

Since February 2025, Anubis has maintained an active presence on Russian-language cybercrime forums, advertising a “new format” affiliate model designed to foster long-term collaboration and sustained attacks.

Victimology:

Anubis has publicly claimed responsibility for attacks on at least seven victims spanning sectors such as healthcare, engineering, and construction. These incidents have occurred across multiple regions, including Australia, Canada, Peru, and the United States. The group’s opportunistic targeting strategy, as reflected in its leak site disclosures, indicates a broad focus across both industries and geographies.

Attack Chain and Tactics:

Stage                 Details
Initial Access        Spear-phishing emails carrying malicious attachments or links disguised as legitimate communications from trusted sources.
Execution             Behaviour is controlled by command-line switches:
                        /KEY=      supplies the encryption key
                        /WIPEMODE  enables file wiping
                        /PATH=     limits processing to the given directories
Privilege Escalation  Attempts to open \\.\PHYSICALDRIVE0 as a check for administrative rights, then tries to escalate to SYSTEM.
Defense Evasion       If not running as admin, prompts the user and relaunches itself with the /elevated flag to obtain the required privileges.
Impact                Encrypts files using ECIES (similar to EvilByte/Prince); wipes files when /WIPEMODE is set; runs vssadmin delete shadows to destroy Volume Shadow Copies and prevent recovery.

File Removal and System Modifications:

Anubis’s file-wiping capability, triggered with the /WIPEMODE parameter, irreversibly erases file contents, so the affected files cannot be restored by decryption. On execution the binary drops two files, icon.ico and wall.jpg, into C:\ProgramData. It associates its custom icon with the encrypted files and attempts to set wall.jpg as the desktop wallpaper, although the wallpaper change failed during testing. To further hinder recovery, Anubis deletes Volume Shadow Copies and stops a range of services, amplifying the disruption to the host.
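The attack chain table and the paragraph above give a SOC three concrete, host-level signals: the /KEY=, /PATH=, /WIPEMODE and /elevated switches on the command line, vssadmin deleting shadow copies, and the two artifacts dropped into C:\ProgramData. The following Go program is an added example written for this page, not code from Trend Micro or from the Anubis operators, that runs those checks over newline-delimited JSON process- and file-creation events. The field names (event_id, image, command_line, parent_image, target_filename) and the five sample events are constructed for the example and do not come from a real capture; the rule names are likewise arbitrary. Because /KEY=, /PATH= and /elevated are switches legitimate software also uses, the example only alerts on them in combination, whereas /WIPEMODE is treated as specific enough to fire alone.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is a simplified endpoint telemetry record: the fields a Sysmon
// process-creation (ID 1) or file-creation (ID 11) event carries after
// conversion to JSON. The field names are an assumption of this example.
type Event struct {
	EventID        int    `json:"event_id"`
	Image          string `json:"image"`
	CommandLine    string `json:"command_line"`
	ParentImage    string `json:"parent_image"`
	TargetFilename string `json:"target_filename"`
}

// Finding pairs a matched rule name with the telemetry line that fired it.
type Finding struct {
	Line int
	Rule string
	Ev   Event
}

// Generic switches documented for the Anubis binary; they only count when
// two or more appear together. /WIPEMODE is handled separately as a
// single-hit indicator.
var anubisGenericSwitches = []string{"/key=", "/path=", "/elevated"}

// baseName returns the lower-cased last path component of a Windows or
// POSIX path without depending on the host OS path separator.
func baseName(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	return strings.ToLower(p[strings.LastIndex(p, "/")+1:])
}

// Detect returns the names of every rule a single event matches.
func Detect(e Event) []string {
	var hits []string
	cmd := strings.ToLower(e.CommandLine)
	switch e.EventID {
	case 1: // process creation
		generic := 0
		for _, s := range anubisGenericSwitches {
			if strings.Contains(cmd, s) {
				generic++
			}
		}
		if strings.Contains(cmd, "/wipemode") || generic >= 2 {
			hits = append(hits, "anubis_cmdline_switches")
		}
		if baseName(e.Image) == "vssadmin.exe" &&
			strings.Contains(cmd, "delete") && strings.Contains(cmd, "shadows") {
			hits = append(hits, "shadow_copy_deletion")
		}
	case 11: // file creation
		target := strings.ToLower(strings.ReplaceAll(e.TargetFilename, "/", `\`))
		if target == `c:\programdata\icon.ico` || target == `c:\programdata\wall.jpg` {
			hits = append(hits, "anubis_programdata_artifact")
		}
	}
	return hits
}

// Scan runs Detect over newline-delimited JSON events and collects findings.
func Scan(jsonl string) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		for _, r := range Detect(e) {
			out = append(out, Finding{Line: n, Rule: r, Ev: e})
		}
	}
	return out, sc.Err()
}

// SampleEvents is constructed telemetry for this example, not a real capture.
// Line 6 carries a lone /KEY= from a fictional backup agent and must not fire.
const SampleEvents = `
{"event_id":1,"image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c dir","parent_image":"C:\\Windows\\explorer.exe"}
{"event_id":1,"image":"C:\\Users\\victim\\Downloads\\invoice.exe","command_line":"invoice.exe /KEY=0123abcd /PATH=D:\\shares /WIPEMODE","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"event_id":1,"image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin delete shadows /all /quiet","parent_image":"C:\\Users\\victim\\Downloads\\invoice.exe"}
{"event_id":11,"image":"C:\\Users\\victim\\Downloads\\invoice.exe","target_filename":"C:\\ProgramData\\wall.jpg"}
{"event_id":1,"image":"C:\\Program Files\\BackupAgent\\agent.exe","command_line":"agent.exe /KEY=license-2025","parent_image":"C:\\Windows\\System32\\services.exe"}
`

func main() {
	findings, err := Scan(SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("line %d  %-28s %s  %s\n", f.Line, f.Rule, f.Ev.Image, f.Ev.CommandLine)
	}
}
```

Run as-is it reports three findings (the switch combination, the vssadmin call and the wall.jpg drop) and stays silent on the two benign lines. In production the parent-child relationship visible in the sample, an Office process spawning an executable that then spawns vssadmin, is worth a rule of its own; the example keeps to the indicators the page documents.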

Encryption and Ransom Note

Anubis employs the Elliptic Curve Integrated Encryption Scheme (ECIES) for file encryption, implemented in the Go programming language. Its code shows similarities to the EvilByte and Prince ransomware families. Encrypted files are marked with the “.anubis” extension, and victims receive a ransom note titled “RESTORE FILES.html” that leverages double extortion tactics by threatening to leak stolen data if the ransom is not paid.
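Why ECIES matters for recovery: the binary only needs to carry the operator's public key, every file is encrypted with a fresh ephemeral key pair, and nothing that lands on disk can be turned back into the symmetric key without the operator's private key. The Go program below is an added example written to illustrate that property; it is not Anubis's code, and the page does not document the curve, key-derivation function or on-disk layout the malware actually uses. The example assumes P-256, SHA-256 over the raw ECDH secret as the KDF, AES-256-GCM, and a layout of ephemeral public key, nonce, then ciphertext. RoundTrip shows the operator decrypting successfully while a holder of any other private key is rejected by the GCM tag check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// On-disk layout assumed for this example (not Anubis's documented format):
//   [65-byte uncompressed P-256 ephemeral public key][12-byte nonce][AES-256-GCM ciphertext||tag]
const (
	ephPubLen = 65
	nonceLen  = 12
	tagLen    = 16
)

// keyFromSecret is a deliberately simple KDF (SHA-256 of the ECDH output);
// a production scheme would use HKDF with context info.
func keyFromSecret(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the malware-side operation: it needs only the operator's
// public key and leaves no secret on the victim host.
func Encrypt(operatorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := operatorPub.Curve().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(keyFromSecret(shared))
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The ephemeral public key is bound as AAD so a swapped header fails to open.
	out := append(append([]byte{}, ephPub...), nonce...)
	return aead.Seal(out, nonce, plaintext, ephPub), nil
}

// Decrypt is the operator-side operation: it requires the private key.
func Decrypt(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < ephPubLen+nonceLen+tagLen {
		return nil, errors.New("ciphertext too short")
	}
	ephPub, err := operatorPriv.Curve().NewPublicKey(blob[:ephPubLen])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(keyFromSecret(shared))
	if err != nil {
		return nil, err
	}
	nonce := blob[ephPubLen : ephPubLen+nonceLen]
	return aead.Open(nil, nonce, blob[ephPubLen+nonceLen:], blob[:ephPubLen])
}

// RoundTrip encrypts plaintext under a fresh operator key pair and reports
// whether the operator recovers it and whether an unrelated private key
// (standing in for a victim who lacks the operator's key) is rejected.
func RoundTrip(plaintext []byte) (recovered, wrongKeyRejected bool, err error) {
	curve := ecdh.P256()
	operator, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	other, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	blob, err := Encrypt(operator.PublicKey(), plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := Decrypt(operator, blob)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := Decrypt(other, blob)
	return bytes.Equal(got, plaintext), wrongErr != nil, nil
}

func main() {
	ok, rejected, err := RoundTrip([]byte("constructed sample file contents"))
	fmt.Println("operator recovered:", ok, "wrong key rejected:", rejected, "err:", err)
}
```

The practical consequence for responders is in RoundTrip: the only material a victim holds is the blob, and the blob contains a public key, a nonce and authenticated ciphertext, none of which yields the AES key. Memory forensics on a live host can sometimes recover the per-file key before the process exits, but once wipe mode has run there is no ciphertext left to apply it to.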

Conclusion:

Anubis exemplifies an advanced Ransomware-as-a-Service (RaaS) operation, combining destructive file-wiping capabilities with a versatile affiliate program and multi-layered extortion strategies. These features highlight its adaptability and potential for significant widespread impact. Trend Vision One™ offers comprehensive detection and threat-hunting tools designed to effectively combat this evolving menace.

Impact

Anubis undermines confidentiality by exfiltrating data and threatening public leaks, compromises integrity through both file encryption and irreversible wiping, and bypasses authorization controls by escalating to administrative and SYSTEM privileges. By deleting shadow copies and stopping critical services, it severely reduces system availability, leaving victims with few recovery options and increased pressure to pay.

IOC and Context Details

Topic                  Details
Tactic Name            Impact, Execution, Privilege Escalation, Defense Evasion, Discovery, Initial Access
Technique Name         Impact: Inhibit System Recovery, Service Stop, Data Destruction, Data Encrypted for Impact
                       Execution: Command and Scripting Interpreter
                       Privilege Escalation: Access Token Manipulation
                       Defense Evasion: Valid Accounts
                       Discovery: File and Directory Discovery
                       Initial Access: Phishing
Sub-Technique Name     Execution – Command and Scripting Interpreter: Windows Command Shell
                       Privilege Escalation – Access Token Manipulation: Create Process with Token
                       Initial Access – Phishing: Spearphishing Attachment
Attack Type            Ransomware
Targeted Platform      Windows
Region Impacted        Australia, Canada, Peru, United States
Industry Impacted      Healthcare / Hospitals, Construction
IOCs                   SHA-256: 98a76aacbaa0401bac7738ff966d8e1b0fe2d8599a266b111fdc932ce385c8ed
                       SHA-1:   2137eeaa84e961b71f281bfc4c867e417253ad5f
                       MD5:     06edda688a05fd0eaf3a14aba20568c4
CVE                    NA

Recommended Actions

  • Email and Web Safety: Avoid opening attachments or links from unknown sources; use web filters to block malicious sites.
  • Data Backup and Recovery: Regularly back up data using offline and immutable copies to enable recovery after attacks.
  • Access Control: Restrict admin rights to essential users and monitor for unauthorized privilege escalations.
  • Updates and Scanning: Keep security software updated and run regular scans to detect vulnerabilities and threats.
  • User Training: Educate employees to recognize phishing and social engineering attacks.
  • Multilayered Security: Use multiple security layers across endpoints, email, web, and networks for better protection.
  • Sandboxing and Application Control: Analyze files in sandbox environments and block unauthorized apps or scripts.
  • Monitoring and Detection: Use SIEM tools to detect unusual activity and respond quickly to threats.
  • Network Monitoring: Track network behavior to identify suspicious actions and limit lateral movement.

References

https://www.securityweek.com/anubis-ransomware-packs-a-wiper-to-permanently-delete-files/