
ANUBIS Ransomware Group Targets Global Enterprises


A newly identified ransomware collective dubbed “ANUBIS” has surfaced on the dark web, targeting critical industries across four continents.

According to real-time threat intelligence from FalconFeeds.io, the group has already listed four victims on its leak site: U.S.-based First Defense Fire Protection and Angels of Summit, Peru’s S&E Peru Marketing Company, and Australia’s Pound Road Medical Centre.

Cybersecurity analysts warn that ANUBIS employs advanced ransomware-as-a-service (RaaS) infrastructure, combining data encryption with double extortion tactics to maximize pressure on victims.

The group’s rapid proliferation underscores the escalating sophistication of cybercriminal networks operating in unregulated digital spaces.

The Emergence of ANUBIS in the Cybercrime Ecosystem

ANUBIS represents a paradigm shift in ransomware operations by leveraging distributed command-and-control (C2) servers and dark web anonymity to evade detection.

Unlike historical iterations of malware sharing the “Anubis” moniker—such as the Android banking trojan active between 2017 and 2022—this new entity operates as a full-fledged RaaS provider.

This model allows affiliate hackers to deploy ANUBIS’s payloads in exchange for a share of ransom profits, accelerating its global reach.

Tactical Innovations in Attack Methodology

The group’s attacks begin with compromised credentials or phishing campaigns that grant initial network access.

Once inside, attackers deploy AES-256 encryption to lock critical files while simultaneously exfiltrating sensitive data.

This dual approach—known as double extortion—ensures victims face operational paralysis and reputational damage if ransoms go unpaid.

Forensic analyses reveal ANUBIS’s use of modular payloads that adapt to victim environments, enabling lateral movement through networked systems via PsExec and Windows Management Instrumentation (WMI).

Sector-Specific Impacts and Victim Analysis

First Defense Fire Protection, a U.S. fire safety provider, faces potential disruptions to emergency response systems due to encrypted operational data.

For healthcare providers like Australia’s Pound Road Medical Centre, ransomware-induced downtime could delay patient diagnostics and treatment schedules, directly endangering lives.

Meanwhile, S&E Peru Marketing’s compromised client databases threaten regional economic stability in South America’s burgeoning tech sector.

Financial and Legal Repercussions

Angels of Summit, a U.S. nonprofit, risks exposing donor financial records—a scenario that could trigger regulatory penalties under HIPAA and GDPR frameworks.

The group’s dark web leak site suggests a ransom deadline structure, though specific demands remain undisclosed.

Historical data indicates similar RaaS operations demand ransoms between $500,000 and $5 million in Monero or Bitcoin.

Mitigation Strategies for Modern Ransomware Threats

Cybersecurity firm FalconFeeds.io advocates for zero-trust network configurations, segmenting critical assets to contain breaches.

Endpoint detection and response (EDR) tools with behavioral analysis capabilities can identify anomalous processes like mass file encryption or unauthorized C2 communications.

Regular offline backups stored in geographically dispersed locations remain the most effective safeguard against encryption-based extortion.

Proactive Threat Hunting

Organizations must implement continuous network monitoring to detect early indicators of compromise, such as unusual PowerShell executions or failed login bursts.
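The indicators named in this section (anomalous processes and mass file encryption in the EDR discussion above, failed login bursts and unusual PowerShell executions here) lend themselves to simple sliding-window detections. The following Python is an added example written for this page; it is not FalconFeeds.io's or any vendor's tooling and contains no ANUBIS-specific indicators. The event layout, field names, thresholds, hostnames, addresses and sample records are all constructed assumptions loosely modelled on Windows Security log event IDs (4625 failed logon, 4688 process creation) plus a generic EDR file-rename feed.

```python
"""Added example detection logic (not from the article or FalconFeeds.io).

Three detectors over constructed event records:
  * failed_login_bursts   - repeated 4625 events from one source in a short window
  * mass_file_renames     - one process renaming many files quickly (encryption-like)
  * suspicious_powershell - 4688 events whose PowerShell command line carries evasion switches
All thresholds and sample data are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs, not real IoCs). One noisy source
# hammers logons at 02:00, one user mistypes a password once at 08:15, one host
# runs an encoded PowerShell command, and one process renames 40 files in 40 s.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T02:00:00", "kind": 4625, "src": "203.0.113.7", "user": "admin"},
    {"ts": "2025-03-01T02:00:05", "kind": 4625, "src": "203.0.113.7", "user": "admin"},
    {"ts": "2025-03-01T02:00:09", "kind": 4625, "src": "203.0.113.7", "user": "backup"},
    {"ts": "2025-03-01T02:00:12", "kind": 4625, "src": "203.0.113.7", "user": "svc_sql"},
    {"ts": "2025-03-01T02:00:20", "kind": 4625, "src": "203.0.113.7", "user": "jdoe"},
    {"ts": "2025-03-01T02:00:25", "kind": 4625, "src": "203.0.113.7", "user": "jdoe"},
    {"ts": "2025-03-01T08:15:00", "kind": 4625, "src": "10.0.0.23", "user": "jdoe"},
    {"ts": "2025-03-01T02:01:00", "kind": 4688, "host": "FS01", "image": "powershell.exe",
     "cmdline": "powershell.exe -ep bypass -EncodedCommand <constructed-base64>"},
    {"ts": "2025-03-01T09:00:00", "kind": 4688, "host": "WS12", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
] + [
    {"ts": f"2025-03-01T02:02:{i:02d}", "kind": "file_rename", "host": "FS01",
     "pid": 4711, "path": f"\\\\FS01\\share\\doc{i}.docx.enc-sample"}
    for i in range(40)
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def sliding_burst(events, key, threshold, window):
    """Generic sliding-window counter.

    Groups events by key(ev), keeps a deque of timestamps no older than
    `window` behind the newest event, and records the largest count that
    reached `threshold`. Returns {key: max_count_in_any_window}.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        k = key(ev)
        q = windows[k]
        t = _parse(ev["ts"])
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[k] = max(alerts.get(k, 0), len(q))
    return alerts


def failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Source addresses with >= threshold failed logons (4625) inside one window."""
    failed = [e for e in events if e["kind"] == 4625]
    return sliding_burst(failed, lambda e: e["src"], threshold, window)


def mass_file_renames(events, threshold=25, window=timedelta(seconds=30)):
    """(host, pid) pairs renaming >= threshold files inside one window: an encryption-like burst."""
    renames = [e for e in events if e["kind"] == "file_rename"]
    return sliding_burst(renames, lambda e: (e["host"], e["pid"]), threshold, window)


# Evasion-style switches commonly hunted for in PowerShell command lines (assumed list).
SUSPICIOUS_PS_FLAGS = ("-encodedcommand", "-enc ", "-ep bypass",
                       "-executionpolicy bypass", "-w hidden", "-windowstyle hidden")


def suspicious_powershell(events):
    """Process-creation events (4688) whose PowerShell command line matches an evasion switch.

    A plain script invocation such as `-File inventory.ps1` is left alone.
    Returns a list of (host, ts, matched_flags).
    """
    hits = []
    for e in events:
        if e["kind"] != 4688 or e["image"].lower() != "powershell.exe":
            continue
        cl = e["cmdline"].lower()
        matched = [f for f in SUSPICIOUS_PS_FLAGS if f in cl]
        if matched:
            hits.append((e["host"], e["ts"], matched))
    return hits


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(SAMPLE_EVENTS))
    print("mass renames:", mass_file_renames(SAMPLE_EVENTS))
    print("suspicious PowerShell:", suspicious_powershell(SAMPLE_EVENTS))
```

On the constructed sample the burst detector flags only 203.0.113.7 (six failures in 25 seconds) and ignores the single mistyped password, the rename detector flags process 4711 on FS01 once it crosses 25 renames within 30 seconds, and only the encoded-command invocation is reported as suspicious PowerShell. Thresholds are the tuning knob a SOC would adjust per environment; the same sliding-window helper serves both burst detectors so the logic is tested once.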

Security teams should prioritize patching vulnerabilities in internet-facing systems—particularly VPN gateways and email servers—which accounted for 63% of ransomware attack vectors in 2024.

Collaborative Countermeasures and Law Enforcement Response

INTERPOL’s Global Cybercrime Program has initiated cross-border investigations to dismantle ANUBIS’s server infrastructure.

Private-sector alliances, including the Cyber Threat Alliance (CTA), are sharing IoCs like malware hashes and C2 IPs to strengthen collective defenses.

However, the group’s use of bulletproof hosting providers in jurisdictions with lax cyber laws complicates takedown efforts.

ANUBIS’s emergence highlights the dark web’s role as a force multiplier for cybercriminals. While international agencies work to disrupt these operations, enterprises must adopt assume-breach mentalities, integrating real-time threat intelligence into SOC workflows.

As ransomware evolves from a financial crime to a national security threat, the collaboration between governments, InfraGard, and ISACs will determine our collective ability to safeguard digital ecosystems.
