A new player has emerged in the cybercrime landscape, introducing a sophisticated form of ransomware characterized by a unique file-wiping feature. Anubis, which has been active since December 2024, combines traditional ransomware encryption with a destructive edge, raising alarms about its potential impact on critical sectors such as healthcare and construction.
"Anubis is a recently identified group that sets itself apart by partnering encryption with more destructive capabilities—wiping directories which severely impact chances of file recovery," said cybersecurity analyst Sarah Pearl Camiling. This dual-threat nature indicates a shift in tactics among cybercriminals, from straightforward data encryption toward deliberate file destruction.

Team Dynamics
The roots of Anubis can be traced back to a sample known as Sphinx, which surfaced during the same month the group joined various cybercrime forums. The team at Trend™ Research noted similarities between the encrypted malware files of Anubis and Sphinx, pointing out, "When we compared the binaries of Anubis and Sphinx, they were highly identical with only a minor difference—the function that generated the ransom note."
Since its inception, Anubis has appeared on platforms like RAMP and XSS, where it actively engages with potential affiliates. "On February 23, 2025, 'superSonic' advertised a 'new format' of affiliate programs on the RAMP forum. All their proposed revenue-share structures are open to negotiation for long-term cooperation," shared cybersecurity expert Sophia Nilette Robles. This flexibility suggests that Anubis is keen on attracting a wide array of affiliates to expand its operational footprint.
As of now, the group has already listed seven victims on its leak site, targeting various industries across several countries, including Australia, Canada, Peru, and the United States. The diverse set of victims is indicative of Anubis’s opportunistic approach, as noted by Maristel Policarpio: "The wide range of targets suggests an opportunistic approach across different regions and industries."

What distinguishes Anubis from other RaaS operations is its optional file-wiping feature. This feature raises the stakes for victims by making any potential recovery more difficult. "This destructive tendency adds pressure on victims and raises the stakes of an already damaging attack," explained Camiling. The tactic aims to compel victims to pay the ransom to avoid complete data loss, as detailed in the group’s attack chain.
According to Trend™ Research, Anubis employs spear phishing as its primary method of gaining initial access. "The initial entry vector is established through spear phishing emails that include malicious attachments or links. These emails are carefully constructed to appear as if they come from trusted sources, luring recipients into opening the attachments or clicking the links," noted Robles. Once the malware is activated, it can encrypt files, and if the ransom is not settled, it may activate the wiper function.
In conclusion, Anubis exemplifies a new breed of ransomware that not only threatens digital files with encryption but also adds a destructive layer through its wiping capabilities. This emerging landscape of ransomware-as-a-service will undoubtedly challenge organizations across sectors, urging them to adopt stronger cybersecurity measures to stave off potential attacks. As observed, Anubis's operational model reflects a continual evolution in cyber threats, emphasizing the need for vigilance and preparedness in an increasingly digital world.

