Anubis Ransomware Strikes Android and Windows Devices to Lock Files and Harvest Login Credentials

Ransomware continues its relentless rise in 2025, with data from Bitsight’s “State of the Underground 2025” report highlighting a nearly 25% increase in unique ransomware victims publicly listed on leak sites.

The expanding threat landscape is exemplified by the proliferation of ransomware group-operated leak sites, which surged by 53% over the last year, reinforcing the role of ransomware as a preferred tool for financially motivated cybercriminals.

Against this backdrop, the Anubis ransomware group has rapidly established itself as a significant and sophisticated actor since its emergence in November 2024.

While security teams have yet to conclusively attribute the group to any specific country, researchers have found them communicating in Russian on dark web forums.

Anubis has primarily targeted organizations in high-value sectors such as healthcare, construction, and professional services, with confirmed attacks spanning the United States, France, Australia, and Peru.

Affiliate Business Models

Anubis distinguishes itself not only through its aggressive targeting but also via a distinctive affiliate payment scheme. In its standard “Ransomware-as-a-Service” tier, affiliates retain 80% of victim payments, while Anubis collects 20% for providing the malware and backend infrastructure.

If affiliates also steal data for added extortion leverage, Anubis increases its cut to 40%. In cases where group operators directly assist in post-compromise negotiations, the profits are split evenly.

This flexible approach has enabled rapid expansion, drawing a range of threat actors into the Anubis ecosystem. More recently, Anubis operators have incorporated a destructive “wipe mode” into their toolkit.

In certain attacks, victims reported the permanent deletion of data even after ransom payments were made, either as an intimidation tactic or as retribution for delayed negotiation.

This combination of advanced monetization strategies, technical sophistication, and high-impact targeting has fast-tracked Anubis’s notoriety among both cybercriminals and the cybersecurity community.

Multi-Platform Threats

Anubis has developed advanced capabilities to ensure effectiveness across multiple operating systems.

On the Windows platform, it employs sophisticated initial-access techniques, primarily gaining entry through spear-phishing emails with malicious attachments or links designed to appear trustworthy.

Following execution, the malware attempts to escalate privileges, delete volume shadow copies to prevent file recovery, disable targeted system services to maximize disruption, and, ultimately, encrypt victim files using Elliptic Curve Integrated Encryption Scheme (ECIES).

It selectively avoids core system directories so that the machine remains bootable, likely to preserve control over affected hosts. Meanwhile, the threat of destructive file wiping raises the stakes for would-be victims.
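As an added defensive example (not code from the article or from the report it cites), the following Python checks process-creation events for two of the pre-encryption steps described above: volume shadow copy deletion and the stopping of many services from a single parent process. The event fields, process names and the threshold are assumptions; the sample events are constructed.

```python
import re
from collections import defaultdict

# Command lines used to delete volume shadow copies (MITRE ATT&CK T1490).
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# One "net stop" is routine admin work; many distinct stops from one parent are not.
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(\S+)", re.I)
SERVICE_STOP_THRESHOLD = 3  # assumed tuning value


def detect(events):
    """Return one alert per shadow-copy deletion event, plus one alert per
    (host, parent) pair that stops SERVICE_STOP_THRESHOLD or more distinct services."""
    alerts = []
    stops = defaultdict(set)
    for ev in events:
        cmd = ev["cmd"]
        if any(p.search(cmd) for p in SHADOW_COPY_DELETION):
            alerts.append({"host": ev["host"], "rule": "shadow_copy_deletion",
                           "parent": ev["parent"], "cmd": cmd})
        m = SERVICE_STOP.search(cmd)
        if m:
            stops[(ev["host"], ev["parent"])].add(m.group(1).lower())
    for (host, parent), names in stops.items():
        if len(names) >= SERVICE_STOP_THRESHOLD:
            alerts.append({"host": host, "rule": "bulk_service_stop",
                           "parent": parent, "cmd": ", ".join(sorted(names))})
    return alerts


# Constructed sample events (simplified Sysmon Event ID 1 fields); hosts and
# process names are hypothetical.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "cmd.exe", "cmd": "vssadmin.exe list shadows"},  # benign query
    {"host": "ws02", "parent": "attachment.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws02", "parent": "attachment.exe", "cmd": "wmic shadowcopy delete"},
    {"host": "ws02", "parent": "attachment.exe", "cmd": "net stop MSSQLSERVER"},
    {"host": "ws02", "parent": "attachment.exe", "cmd": "net stop BackupSvc"},
    {"host": "ws02", "parent": "attachment.exe", "cmd": "sc stop wuauserv"},
    {"host": "srv01", "parent": "cmd.exe", "cmd": "net stop Spooler"},  # single stop: no alert
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["host"]}: {a["rule"]} via {a["parent"]}: {a["cmd"]}')
```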

On Android devices, Anubis pivots to banking trojan tactics: it leverages phishing overlays to harvest login credentials, engages in screen recording and keylogging for further data theft, and propagates via SMS to other potential victims.

The malware also locks infected devices and displays ransom notes, increasing pressure on users to pay, and, in some cases, exfiltrates sensitive files to attacker-controlled servers.

According to the report, Anubis’s threat became apparent during a high-profile attack in November 2024 on a healthcare provider in Victoria, Australia.

The incident, which led to the exfiltration and public leakage of sensitive patient data, including names, contact details, health information, and Medicare records, underscored the group’s willingness to cripple critical infrastructure for maximum leverage.

In a follow-up attack in December 2024, Anubis struck a Canadian healthcare organization, again leaking stolen data on its dark web portal.

These incidents, along with others across several continents, highlight not only the technical prowess but also the calculated targeting strategy of Anubis.

The ransomware’s evolution, combining fast-moving affiliate activity, sophisticated technical operations, and the credible threat of irreversible data loss, cements its place as one of the most dangerous and unpredictable cybercriminal threats facing organizations worldwide this year.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
