Cybersecurity | 14 June 2025 | 3m | bleepingcomputer.com

Anubis Ransomware Introduces Wiper Feature to Heighten Threats

Anubis ransomware expands its capability with a new wiper feature that irreversibly destroys files, elevating risks for victims. This marks a significant shift in ransomware tactics, aiming to pressure victims into paying ransoms more quickly.

Key Takeaways

  1. "What further sets Anubis apart from other RaaS and lends an edge to its operations is its use of a file wiping feature, designed to sabotage recovery efforts even after encryption," explained Trend Micro's latest report.
  2. Offers to affiliates included an impressive 80% revenue share for ransomware operators, a 60% cut for data extortion partners, and a 50% share for initial access brokers, potentially increasing its attack volume.
  3. The newly introduced wiper functionality employs the command-line parameter ‘/WIPEMODE’, requiring key-based authentication for activation.

The Anubis ransomware-as-a-service (RaaS) operation, which has gained attention since its emergence in December 2024, has taken a troubling step forward by introducing a file-wiping module. This enhancement is designed to destroy targeted files, rendering recovery impossible, even if victims comply with ransom demands.

"What further sets Anubis apart from other RaaS and lends an edge to its operations is its use of a file wiping feature, designed to sabotage recovery efforts even after encryption," explained Trend Micro's latest report. The report highlights that this addition can put victims under increased pressure to settle negotiations swiftly rather than ignore or delay ransom payments.

Anubis initially resurfaced in early 2025, prompting an announcement about an affiliate program on the RAMP forum. Offers to affiliates included an impressive 80% revenue share for ransomware operators, a 60% cut for data extortion partners, and a 50% share for initial access brokers, potentially increasing its attack volume. Currently, the dark web operation’s extortion page lists eight victims, hinting that confidence in the malware's capabilities could soon bolster its activities.

The newly introduced wiper functionality employs the command-line parameter ‘/WIPEMODE’, requiring key-based authentication for activation. When engaged, this destructive feature deletes all file contents, shrinking their sizes to zero while maintaining the original directory structure and filenames. Thus, victims find their files seemingly intact, but rendered completely useless.

Research by Trend Micro further reveals Anubis's capabilities at launch, which include privilege elevation and target path commands, with essential system directories excluded to prevent total system dysfunction. "This destructive tendency adds pressure on victims and raises the stakes of an already damaging attack," said Trend Micro.

Anubis employs sophisticated tactics to evade detection; for example, it eliminates Volume Shadow Copies and ends processes that might hinder the encryption operations. The encryption is carried out using the ECIES (Elliptic Curve Integrated Encryption Scheme), with noted similarities to other ransomware variants like EvilByte and Prince. When files are encrypted, they receive the ‘.anubis’ extension, and an HTML ransom note will be generated in affected directories. Interestingly, the malware also attempts to alter the desktop wallpaper, though this step often fails.
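
A defender can triage for both footprints described above: files cut to zero bytes with names and directories left in place, and files carrying the ‘.anubis’ extension beside an HTML note. The following is an added example, not code from the article or from Trend Micro; the thresholds, the sample tree and the note name `NOTE.html` are assumptions made for illustration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".anubis"  # extension named in the article
ZERO_RATIO_ALERT = 0.8     # assumed threshold; tune per environment
MIN_FILES = 3              # assumed; skip near-empty directories

def triage(root):
    """Label each directory under root 'wiped', 'encrypted' or 'clean'."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if len(files) < MIN_FILES:
            continue
        zero = enc = notes = 0
        for name in files:
            lower = name.lower()
            try:
                size = os.stat(os.path.join(dirpath, name)).st_size
            except OSError:
                continue  # unreadable or removed mid-scan
            if lower.endswith((".html", ".htm")):
                notes += 1  # possible ransom note, kept for context
            elif size == 0:
                zero += 1   # name survives, content is gone
            elif lower.endswith(ENCRYPTED_EXT):
                enc += 1
        data_files = len(files) - notes
        wiped = data_files and zero / data_files >= ZERO_RATIO_ALERT
        verdict = "wiped" if wiped else "encrypted" if enc else "clean"
        findings[os.path.relpath(dirpath, root)] = (verdict, zero, enc, notes)
    return findings

def demo():
    """Run triage over constructed sample data (not real victim files)."""
    layout = {
        "finance": {"q1.xlsx": b"", "q2.xlsx": b"", "ledger.db": b"", "NOTE.html": b"<html>"},
        "hr": {"a.docx.anubis": b"\x01", "b.pdf.anubis": b"\x02", "NOTE.html": b"<html>"},
        "public": {"readme.txt": b"hi", "logo.png": b"\x89PNG", "empty.log": b""},
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, files in layout.items():
            os.makedirs(os.path.join(root, folder))
            for name, data in files.items():
                with open(os.path.join(root, folder, name), "wb") as fh:
                    fh.write(data)
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

A directory labelled "wiped" cannot be restored by a decryptor, so it is a candidate for restoration from backup.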

Phishing emails containing malicious links or attachments have been identified as the primary vector for Anubis attacks.

As the threats posed by RaaS operations evolve, cybersecurity experts emphasize that organizations must remain vigilant. The introduction of a file-wiping feature is more than just a technical enhancement; it signifies a concerning trend in ransomware strategies that further endangers potential victims. Trend Micro’s account of the increasing dangers illustrates the need for robust response frameworks against such attacks.

Overall, the cybersecurity community watches closely as Anubis and similar ransomware strains adapt and innovate in their approaches. The enhanced threats presented by the introduction of a wiper and the aggressive affiliate structure indicate a trend toward escalated extortion techniques that could spell trouble for organizations susceptible to these attacks. As the landscape evolves, businesses must invest in proactive cybersecurity measures to protect themselves from the evolving tactics of cybercriminals.