Anubis RaaS Malware
A newly discovered ransomware strain has raised significant concerns within the cybersecurity community for its unprecedented dual capability: encrypting files and permanently erasing them. Described by experts as a 'rare dual-threat,' this malware includes a 'wipe mode' that renders data recovery impossible, even if a ransom is paid.
Meet Anubis: A Ruthless Ransomware-as-a-Service Operation
The ransomware operation, known as Anubis, emerged in December 2024 and has already claimed victims across healthcare, hospitality, and construction sectors in Australia, Canada, Peru, and the United States. Initial samples revealed that the malware was originally branded Sphinx, but the developers later rebranded it under the current name.
Importantly, this Anubis operation is not connected to the Android banking trojan or the Python-based backdoor also named Anubis, the latter being linked to the financially motivated FIN7 (aka GrayAlpha) group.
Flexible Affiliate Program With High Payouts
Anubis operates under a Ransomware-as-a-Service (RaaS) model, offering affiliates lucrative incentives. The program includes:
- 80-20 split for traditional ransom payments (affiliates retain 80%)
- 60-40 split for data extortion schemes
- 50-50 split for access monetization (selling unauthorized access to systems)
These flexible, profit-sharing arrangements are designed to attract a wide range of threat actors.
Sophisticated Attack Chain: From Phishing to File Wiping
Anubis attacks typically begin with phishing emails as the initial point of entry. Once a system is compromised, attackers:
- Escalate privileges
- Conduct reconnaissance
- Delete volume shadow copies to prevent recovery
- Encrypt files
- Optionally wipe data if configured to do so
This sequence is designed to ensure maximum damage and psychological pressure on victims.
WIPEMODE: Turning Up the Heat on Victims
A standout feature of Anubis is the /WIPEMODE parameter, which enables the permanent deletion of file contents. Interestingly, the malware preserves file names and extensions but reduces the file sizes to 0 KB, making recovery efforts futile. This functionality greatly increases pressure on victims to pay, aligning with tactics used by aggressive and well-organized ransomware groups.
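The footprint described above (names and extensions intact, contents truncated to 0 KB) lends itself to a simple post-incident triage check: look for a dense cluster of empty files that were all modified within one short window. The Python below is an added example, not Anubis code or a vendor tool; its directory layout, file names and timestamps are constructed fixtures.

```python
# Added example for this page (not Anubis or vendor code): after a wipe, files
# keep their names/extensions but are 0 bytes, so a dense cluster of empty files
# modified within one short window is worth escalating. Fixture data constructed.
import bisect
import os
import stat
import tempfile

def find_wiped_candidates(root, window_seconds=600, min_cluster=10):
    """Return (count, sorted_paths) of zero-byte files that keep an extension
    and have >= min_cluster such neighbours (self included) within +/- window."""
    zero_files = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                info = os.lstat(path)  # never follow symlinks during triage
            except OSError:
                continue
            # Regular, empty, and still named like a real document
            if stat.S_ISREG(info.st_mode) and info.st_size == 0 and os.path.splitext(name)[1]:
                zero_files.append((path, info.st_mtime))
    zero_files.sort(key=lambda item: item[1])
    times = [mtime for _, mtime in zero_files]
    flagged = []
    for path, mtime in zero_files:
        # Sliding window over sorted mtimes: a wiper empties many files at once
        near = (bisect.bisect_right(times, mtime + window_seconds)
                - bisect.bisect_left(times, mtime - window_seconds))
        if near >= min_cluster:
            flagged.append(path)
    return len(flagged), sorted(flagged)

def demo(wiped=12, intact=3, wipe_time=1_700_000_000):
    """Constructed fixture: wiped docs truncated at one instant, intact docs with
    content, one legitimately empty month-old file. Returns (count, basenames)."""
    root = tempfile.mkdtemp()
    for i in range(wiped):
        path = os.path.join(root, f"report_{i}.docx")
        open(path, "w").close()  # name and extension kept, size 0 KB
        os.utime(path, (wipe_time, wipe_time))
    for i in range(intact):
        with open(os.path.join(root, f"invoice_{i}.pdf"), "w") as fh:
            fh.write("%PDF-1.4 constructed content")
    lone = os.path.join(root, "placeholder.txt")
    open(lone, "w").close()
    os.utime(lone, (wipe_time - 30 * 86_400,) * 2)
    count, paths = find_wiped_candidates(root)
    return count, [os.path.basename(p) for p in paths]
```

Run `find_wiped_candidates()` against a suspect share or restored image; a stray empty file is expected on any system, so only the clustered result is escalated.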
Conclusion: The Stakes Have Never Been Higher
With its combination of file encryption and irreversible data wiping, Anubis sets a dangerous new precedent in ransomware evolution. Its operational sophistication, monetization options, and destructive capabilities make it a formidable threat that organizations cannot afford to ignore. Vigilance, user awareness, and robust defense strategies are more critical than ever.