Anubis Ransomware: Files Encrypted and Wiped, Recovery Impossible Even After Ransom Payment


The Rise of Anubis: A Dual-Threat Ransomware

Overview of Anubis Ransomware

A new strain of ransomware, identified as Anubis, has emerged on the cybersecurity scene, presenting a notable risk due to its unique dual capabilities. This ransomware is not only able to encrypt files but also possesses the ability to permanently erase them. Such functionality marks it as a "rare dual-threat," increasing the severity of attacks against its victims.

What Makes Anubis Stand Out?

Researchers from Trend Micro, including Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles, recently released a report that outlines the alarming features of Anubis. The ransomware includes a ‘wipe mode’ which, when activated, irreversibly deletes files. Even if victims choose to pay the ransom, recovery is rendered impossible, elevating the stakes in negotiations with attackers.

Origins and Target Sectors

The Anubis ransomware-as-a-service (RaaS) operation kicked off in December 2024, with a diverse range of targets across multiple sectors including healthcare, hospitality, and construction. Victims have been reported in countries such as Australia, Canada, Peru, and the United States. Early samples of the ransomware show that the developers originally referred to it as Sphinx before settling on the Anubis brand.

The Mechanics of Attack

Unlike traditional ransomware, Anubis leverages a flexible affiliate program that supports various monetization strategies beyond the ransom itself. The program, designed for affiliates, features favorable revenue splits: contributors can receive up to 80% of the ransom, and can earn additional revenue through data extortion and access sales, which are split 60-40 and 50-50 respectively.

Phishing Emails as Attack Vectors

Anubis attacks typically commence with phishing emails, which serve as the primary entry point for threat actors. From there, they escalate privileges and carry out reconnaissance on the network. A critical step in their attack chain involves deleting volume shadow copies before launching the file encryption process. If the wipe mode is triggered, the affected files are shrunk to 0 KB, leaving their names untouched but making them irretrievable.
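The two host-level behaviours described above, shadow copy deletion ahead of encryption and wipe mode truncating files to 0 KB while leaving their names intact, lend themselves to simple hunting checks. The following Python is an added example, not code from Trend Micro's report or from the Anubis malware; the process events, the directory listing and the vssadmin/wmic command strings it matches are constructed samples and commonly documented shadow-copy deletion patterns, not indicators taken from the article.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative, not telemetry from an Anubis incident.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T10:02:11Z", "user": "CORP\\backup-svc",
     "cmd": "vssadmin.exe list shadows"},
    {"ts": "2025-06-01T10:05:42Z", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2025-06-01T10:05:43Z", "user": "CORP\\jdoe",
     "cmd": "wmic shadowcopy delete"},
    {"ts": "2025-06-01T10:06:00Z", "user": "CORP\\jdoe",
     "cmd": "notepad.exe report.txt"},
]

# Widely documented shadow-copy deletion command lines (ATT&CK T1490).
# Case-insensitive because operators vary casing and spacing.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]


def find_shadow_copy_deletion(events):
    """Return the events whose command line deletes volume shadow copies."""
    return [e for e in events
            if any(p.search(e["cmd"]) for p in SHADOW_DELETE_PATTERNS)]


# Constructed directory listing as (path, size_in_bytes). In wipe mode the
# article says files shrink to 0 KB but keep their original names, so the
# signal is many zero-length documents rather than renamed/extended files.
SAMPLE_LISTING = [
    ("D:\\Finance\\Q1.xlsx", 0), ("D:\\Finance\\Q2.xlsx", 0),
    ("D:\\Finance\\budget.docx", 0), ("D:\\Finance\\notes.txt", 412),
    ("D:\\Finance\\empty.log", 0), ("D:\\Finance\\scan.pdf", 0),
]

DOC_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt"}


def zero_byte_document_ratio(listing, extensions=DOC_EXTENSIONS):
    """Fraction of document-type files whose size is exactly 0 bytes."""
    docs = [(p, s) for p, s in listing
            if any(p.lower().endswith(ext) for ext in extensions)]
    if not docs:
        return 0.0
    return sum(1 for _, s in docs if s == 0) / len(docs)


def wipe_mode_suspected(listing, threshold=0.5):
    """True when at least `threshold` of document files are zero-length."""
    return zero_byte_document_ratio(listing) >= threshold
```

Running both checks against the constructed data flags the two shadow-copy deletion commands and reports 80% of the documents in the share as zero-length, which is the pattern a wipe-mode run leaves behind.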

Innovative Destructive Features

The ransomware comes equipped with a wiper feature that utilizes the /WIPEMODE parameter, effectively annihilating the contents of targeted files. According to Trend Micro’s findings, this capability significantly amplifies the pressure on victims, effectively forcing them to comply with ransom demands.

Industry Context and Implications

The emergence of Anubis occurs alongside a growing landscape of cyber threats, notably linked to the financially motivated hacking group FIN7. Recent analyses by Recorded Future have unveiled new infrastructures linked to FIN7, which misuse legitimate software products and services to distribute malware, including the notorious NetSupport RAT.

Distribution Methods and Evasion Tactics

Threat intelligence firm Recorded Future identifies diverse distribution methods that Anubis has used over the past year. During this time, the attackers employed counterfeit browser update pages, fraudulent 7-Zip download sites, and other infiltration techniques to facilitate the spread of the ransomware.

One of the methods, which loads a custom loader known as MaskBat, enables the execution of remote access trojans. In contrast, the other two vectors utilize a PowerShell loader called PowerNet to decompress and run code.

Recent Observations

Although all three distribution methods were initially observed operating simultaneously, the counterfeit 7-Zip download pages have emerged as particularly active, with new domains being registered as recently as April 2025. This underscores the ongoing evolution of Anubis and its distribution strategies.

Conclusion

The rise of Anubis poses a serious challenge to organizations globally, exacerbating the already critical issue of ransomware threats. With its advanced features and flexible monetization strategies, Anubis represents a significant adversary in the digital landscape, testing the resilience of cybersecurity practices across industries. Staying vigilant and adopting enhanced security measures is essential as these threats continue to evolve.
