Introduction
The Anubis ransomware-as-a-service (RaaS) operator has emerged as a significant threat in the cybersecurity landscape due to its dual-threat capabilities. By combining traditional file encryption with a destructive data-wiping feature [2] [7], Anubis poses a formidable challenge to organizations across various sectors. This ransomware not only encrypts files but also has the ability to irreversibly delete data, making recovery impossible even if a ransom is paid [1] [4] [7].
Description
The Anubis ransomware-as-a-service (RaaS) operator has gained notoriety for its dual-threat capabilities [6] [7], combining traditional file encryption with a destructive data-wiping feature known as “wipe mode,” activated via the command-line parameter /WIPEMODE. This capability allows Anubis to irreversibly delete data by reducing targeted files to zero bytes while retaining their names in directory listings. As a result, recovery becomes impossible even if the ransom is paid [2] [3], which significantly increases the pressure on victims to comply quickly [5] [8]. Once activated [1] [3] [7], wipe mode systematically destroys file contents and deletes Volume Shadow Copies, removing the built-in Windows recovery options and disabling backup services. This multi-layered approach maximizes damage and pressures victims into compliance [3], and it fundamentally changes the defensive picture by making traditional recovery methods, such as negotiating for decryption keys, less effective [2].
Active since December 2024 [4] [5] [7], Anubis has targeted various sectors [7], including healthcare [4] [7], engineering [7], and construction [4] [7], affecting organizations in countries such as Australia, Canada [4] [7], Peru [4] [7], and the US [4] [7]. The ransomware employs a multi-stage attack chain [7], beginning with phishing emails that trick employees into opening malicious attachments or links [8], granting the attackers initial access to the network [8]. The attackers then move laterally and use privilege escalation techniques to gain administrative rights, which allow them to carry out the destructive actions [7]. The encryption process uses the Elliptic Curve Integrated Encryption Scheme (ECIES) [3] [7], similar to the scheme used by previous ransomware strains, appending the “.anubis” extension to files and altering system icons [7].
In addition to its destructive capabilities, Anubis increases its psychological impact by dropping custom icons [7], changing desktop wallpapers [7], and delivering ransom notes that direct victims to a dark web chat portal [8], threatening to leak stolen data if demands are not met [1]. Initially observed as a prototype named Sphinx [7], Anubis has evolved into a polished threat with a negotiable affiliate program for revenue sharing [7]. This evolution marks the emergence of hybrid ransomware that blends extortion with sabotage [2], and it underlines the need for robust backup and prevention strategies to counter its destructive capabilities. Security experts warn that victims who notice file sizes dropping to 0 KB are likely experiencing the wiper function [8], underscoring the importance of prevention and rapid detection to avoid the choice between paying a ransom and losing all data [8].
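The two on-disk indicators described above, files shrunk to 0 KB with their names intact and files renamed with the “.anubis” extension, can be checked with a simple triage scan. The following is an added example written for this summary, not code from any of the cited reports; the ratio threshold and minimum file count are assumed tuning values, and the sample directory it builds is constructed test data.

```python
import os
import tempfile

RANSOM_EXT = ".anubis"       # extension the reports say Anubis appends
ZERO_RATIO_THRESHOLD = 0.5   # assumed tuning value, not from the reports
MIN_FILES = 10               # assumed: do not alert on near-empty folders


def scan_tree(root):
    """Count files, files truncated to 0 bytes (name intact), and
    files carrying the ransom extension, across a directory tree."""
    total = zero_byte = ransom_ext = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            try:
                size = os.path.getsize(os.path.join(dirpath, name))
            except OSError:      # file vanished or unreadable mid-scan
                continue
            total += 1
            if name.lower().endswith(RANSOM_EXT):
                ransom_ext += 1
            elif size == 0:
                zero_byte += 1
    return {"total": total, "zero_byte": zero_byte, "ransom_ext": ransom_ext}


def assess(counts):
    """Map the counts to a triage verdict for the responder."""
    if counts["total"] < MIN_FILES:
        return "insufficient-data"
    if counts["zero_byte"] / counts["total"] >= ZERO_RATIO_THRESHOLD:
        return "wipe-mode-suspected"    # mass 0 KB files, names retained
    if counts["ransom_ext"]:
        return "encryption-suspected"   # .anubis files, contents present
    return "clean"


def build_sample_tree(mode):
    """Constructed sample data: 12 documents in a temp directory.
    'wipe' truncates 9 of them to 0 bytes, 'encrypt' renames all of
    them with the ransom extension, 'clean' leaves them untouched."""
    root = tempfile.mkdtemp(prefix="anubis_demo_")
    for i in range(12):
        name = f"report{i}.docx" + (RANSOM_EXT if mode == "encrypt" else "")
        with open(os.path.join(root, name), "wb") as fh:
            if not (mode == "wipe" and i < 9):
                fh.write(b"constructed document body\n")
    return root
```

On a real file share, `assess(scan_tree(path))` returns the verdict; the scan deliberately separates the zero-byte case from the renamed case because the reports describe them as distinct modes.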
Conclusion
The emergence of Anubis as a hybrid ransomware threat underscores the evolving nature of cyber threats, where traditional recovery methods are rendered ineffective. Organizations must prioritize robust backup solutions and implement comprehensive prevention strategies to mitigate the risks associated with such sophisticated attacks. As ransomware continues to evolve, the importance of rapid detection and response becomes paramount in safeguarding data and maintaining operational integrity. The Anubis case highlights the critical need for ongoing vigilance and adaptation in cybersecurity practices to counteract the growing complexity of cyber threats.
References
[1] https://securityonline.info/anubis-ransomware-new-raas-combines-encryption-with-permanent-data-wiping/
[2] https://undercodenews.com/anubis-ransomware-2025-the-rise-of-a-dual-threat-cyber-weapon/
[3] https://cybersecuritynews.com/anubis-ransomware-with-wipe-mode-that-permanently-erases-file/
[4] https://blog.netmanageit.com/anubis-a-closer-look-at-an-emerging-ransomware-with-built-in-wiper/
[5] https://clickcontrol.com/cyber-threat/new-ransomware-anubis-destroys-files-forever-even-paying-wont-get-your-data-back/
[6] https://www.infosecurity-magazine.com/news/anubis-ransomware-file-wiping/
[7] https://gbhackers.com/anubis-ransomware-introduces-irreversible-file/
[8] https://rhyno.io/blogs/cybersecurity-news/anubis-ransomware-emerges-with-a-destructive-twist/