The ransomware landscape continues to evolve with the emergence of Anubis, a sophisticated Ransomware-as-a-Service (RaaS) operation that has quickly distinguished itself in 2025 by integrating both file encryption and file wiping functionalities.
This rare dual-threat capability means organizations victimized by Anubis not only face the risk of having their data encrypted for ransom, but also of experiencing irreversible data destruction even if they comply with extortion demands.
First surfacing in December 2024, Anubis has established itself across cybercrime forums, including RAMP and XSS, by offering a flexible affiliate program.
Unlike typical RaaS platforms that rely solely on double extortion (encryption plus threat of data leakage), Anubis expands its criminal ecosystem by supporting revenue-sharing arrangements in data extortion and unauthorized access sales.
The group, acting under aliases such as “supersonic” and “Anubis__media,” negotiates affiliate terms directly, indicating a calculated approach to recruitment and monetization.
Attack Chain Analysis
Anubis leverages spear-phishing as its primary initial access vector (MITRE ATT&CK T1566), with emails crafted to imitate trusted communications and bearing malicious attachments or links.
Upon execution, the ransomware accepts a range of command-line parameters to control its activity, including keys for encryption, privilege escalation flags, explicit file or directory paths, and, critically, a ‘/WIPEMODE’ option that triggers permanent file destruction.

Privilege escalation (T1134.002) is achieved through access token manipulation and administrative privilege checks, with fallback prompts and self-relaunching behaviors that reflect ongoing refinement of the malware’s codebase.
For defense evasion (T1078), Anubis verifies account privileges and can restart itself with elevated permissions to evade security controls.
File and directory discovery (T1083) is performed with deliberate exclusions for critical system directories to maintain OS stability during and after execution.
Once active, Anubis inhibits system recovery by purging all Volume Shadow Copies (T1490) with commands like vssadmin delete shadows, and disables or terminates relevant services to ensure data cannot be restored from backups or snapshots.
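The two command-line indicators the article names, the vssadmin shadow-copy deletion (T1490) and the ‘/WIPEMODE’ switch (T1485), are straightforward to hunt for in process-creation telemetry. The following is an added example written for this article, not code from the article, Trend Micro, or any vendor product: it runs a small rule set over constructed process-creation log lines and correlates by host so that a machine showing both recovery inhibition and wipe mode stands out. The tab-separated log format, the host and user names, and the sample command lines are all constructed; the wmic shadowcopy rule is a generalization to a second well-known shadow-copy deletion method that the article itself does not mention.

```python
"""Flag shadow-copy deletion and wipe-mode indicators in process-creation logs.

Added illustration, not code from the article or any vendor. The log format is
constructed: one record per line, tab-separated fields
    timestamp <TAB> host <TAB> user <TAB> parent image <TAB> command line
Real sources (Sysmon Event ID 1, Windows Security 4688) carry the same fields
under other names; only parse_line() would need to change.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry: a benign backup check, the two shadow-copy
# deletions, the wipe-mode launch, and a benign "list shadows" that must not fire.
SAMPLE_LOG = """\
2025-06-10T09:12:01Z\tWS-17\tCORP\\jdoe\tC:\\Windows\\explorer.exe\t"C:\\Program Files\\Vendor\\backupcli.exe" --verify
2025-06-10T09:14:44Z\tWS-17\tCORP\\jdoe\tC:\\Users\\jdoe\\Downloads\\invoice.exe\tvssadmin delete shadows /all /quiet
2025-06-10T09:14:45Z\tWS-17\tCORP\\jdoe\tC:\\Users\\jdoe\\Downloads\\invoice.exe\twmic shadowcopy delete
2025-06-10T09:14:47Z\tWS-17\tCORP\\jdoe\tC:\\Windows\\explorer.exe\tC:\\Users\\jdoe\\Downloads\\invoice.exe /WIPEMODE /path=D:\\share
2025-06-10T09:20:03Z\tSRV-BK1\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\System32\\svchost.exe\tvssadmin list shadows
"""


@dataclass(frozen=True)
class Alert:
    technique: str   # MITRE ATT&CK technique id
    severity: str
    host: str
    user: str
    cmdline: str


# Each rule: (ATT&CK id, severity, regex applied to the command line).
RULES = [
    # Shadow-copy purge via vssadmin, the command the article names (T1490).
    ("T1490", "high", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    # Generalization (assumption, not from the article): the same intent via WMI.
    ("T1490", "high", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    # The /WIPEMODE switch the article attributes to Anubis (T1485 Data Destruction).
    ("T1485", "critical", re.compile(r"(?:^|\s)/WIPEMODE\b", re.I)),
]


def parse_line(line):
    """Split one constructed log record into its five fields; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def scan(log_text):
    """Run every rule over every record and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for technique, severity, pattern in RULES:
            if pattern.search(rec["cmdline"]):
                alerts.append(Alert(technique, severity, rec["host"], rec["user"], rec["cmdline"]))
    return alerts


def hosts_with_wiper_pattern(alerts):
    """Hosts on which recovery inhibition (T1490) and wipe mode (T1485) both appeared.

    That combination is the encrypt-plus-destroy behaviour the article describes,
    and it is the case where restoring from offline backups is the only option.
    """
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.technique)
    return sorted(h for h, techs in seen.items() if {"T1490", "T1485"} <= techs)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.technique} {a.host} {a.user}: {a.cmdline}")
    print("hosts showing wiper pattern:", hosts_with_wiper_pattern(found))
```

The benign `vssadmin list shadows` on the backup server does not fire because the rules require the `delete` verb; when porting this to a SIEM, keep that distinction, since backup agents and administrators list shadow copies routinely but almost never delete them all with `/quiet`.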
Encryption and Data Destruction
File encryption leverages the Elliptic Curve Integrated Encryption Scheme (ECIES), with technical similarities to previous ransomware such as EvilByte and Prince.
Files are renamed with the “.anubis” extension, while system icons and desktop wallpapers are manipulated to reinforce the attacker’s branding, though some attempts have failed in practical testing.
Where Anubis is especially notable is in its unique ‘wipe mode’ (T1485 Data Destruction).

When this functionality is enabled, targeted files are not just encrypted but have their contents irreversibly deleted, leaving behind zero-byte files and making professional data recovery efforts futile.
According to a Trend Micro report, this strategic addition turns Anubis into not just ransomware but also a wiper, raising the stakes for both victim organizations and the wider threat landscape.
Victims identified to date span healthcare, construction, and engineering sectors in regions including Australia, Canada, Peru, and the United States.
The breadth of targeting and rapid development cycle suggest opportunism and ongoing adaptation to maximize profits and disruption.
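For responders, the practical consequence of wipe mode is that a tree full of “.anubis” files splits into two very different populations: files that still hold ciphertext and could in principle be decrypted if keys were ever recovered, and zero-byte files that can only come back from backup. The script below is an added example for this article, not code from the article or from Trend Micro; it builds a small constructed directory fixture, walks it, separates the two populations, and produces the list of original filenames that must be restored. The “.anubis” extension and the zero-byte outcome are taken from the article; the folder and file names are constructed.

```python
"""Triage a directory tree for Anubis-style artifacts.

Added illustration for incident responders; not code from the article or from
Trend Micro. Classifies files carrying the ".anubis" extension as "encrypted"
(ciphertext present) or "wiped" (zero bytes), and derives the original names
of the wiped files so they can be pulled from offline backups.
"""
import os
import shutil
import tempfile
from pathlib import Path

RANSOM_EXT = ".anubis"   # extension the article reports Anubis appending


def triage(root):
    """Walk root and classify every regular file.

    Returns a dict with sorted POSIX-style relative paths under "encrypted" and
    "wiped", plus a count of files that were not renamed at all.
    """
    root = Path(root)
    result = {"encrypted": [], "wiped": [], "untouched": 0}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() != RANSOM_EXT:
            result["untouched"] += 1
            continue
        rel = path.relative_to(root).as_posix()
        # A zero-byte file with the ransom extension is the wipe-mode signature:
        # nothing is left to decrypt, so it can only be restored from backup.
        if path.stat().st_size == 0:
            result["wiped"].append(rel)
        else:
            result["encrypted"].append(rel)
    result["encrypted"].sort()
    result["wiped"].sort()
    return result


def restore_list(triage_result):
    """Original relative paths of wiped files, with the ransom extension stripped."""
    return [p[:-len(RANSOM_EXT)] for p in triage_result["wiped"]]


def build_fixture():
    """Constructed sample tree: two encrypted files, two wiped, one untouched."""
    root = Path(tempfile.mkdtemp(prefix="anubis-triage-"))
    (root / "finance").mkdir()
    (root / "finance" / "q1.xlsx.anubis").write_bytes(os.urandom(512))  # ciphertext present
    (root / "finance" / "q2.xlsx.anubis").write_bytes(b"")              # wiped to zero bytes
    (root / "notes.txt.anubis").write_bytes(os.urandom(64))
    (root / "plan.docx.anubis").write_bytes(b"")
    (root / "readme.md").write_text("untouched\n")
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    try:
        report = triage(fixture)
        print(f"encrypted (ciphertext present): {len(report['encrypted'])}")
        print(f"wiped (zero bytes, backup only): {len(report['wiped'])}")
        print(f"untouched: {report['untouched']}")
        print("restore from backup:", restore_list(report))
    finally:
        shutil.rmtree(fixture)
```

On a real share, point `triage()` at the mounted volume and feed `restore_list()` to the backup system's restore job; the encrypted list is what to preserve on write-blocked storage in case keys ever surface.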
To counteract the evolving Anubis threat, security teams are urged to adopt a layered security approach:
- Maintain regular, offline backups to defend against wiping capabilities.
- Restrict administrative privileges and employ least-privilege policies.
- Train staff in phishing recognition and social engineering defense.
- Utilize advanced endpoint detection, including behavior-based threat blocking.
- Monitor for abnormal process execution and outbound network connections.
Anubis’s RaaS-plus-wiper model signals a dangerous escalation in ransomware tactics, demanding that enterprises bolster both technical controls and organizational resilience to mitigate catastrophic data loss.