A new ransomware collective dubbed Anubis has rapidly emerged as a sophisticated threat actor, combining ransomware-as-a-service (RaaS) operations with data extortion and access monetization strategies.
Active since at least November 2024, the group targets critical sectors like healthcare and construction while employing Russian-language communications across dark web forums.
Security analysts at KELA highlight Anubis’ hybrid business model, which includes three distinct affiliate programs offering revenue shares between 50% and 80%.
Their operations, marked by detailed victim profiling and aggressive public shaming campaigns, underscore evolving cybercriminal methodologies in 2025.
Anubis’ Hybrid Monetization Model: Ransomware, Data Extortion, and Access Brokerage
The group distinguishes itself through a triad of monetization strategies designed to attract affiliates with varying specialties.
Their Ransomware-as-a-Service (RaaS) program promises affiliates 80% of ransom proceeds and advertises a locker that encrypts with ChaCha combined with ECIES (a symmetric cipher for file contents, with the per-victim keys wrapped under the operator's elliptic-curve public key) and targets Windows, Linux, NAS and ESXi systems.
According to its advertisement, the ransomware self-propagates across domains, escalates privileges to NT AUTHORITY\SYSTEM, and is managed via a centralized web panel.
For actors holding stolen data, Anubis offers a Data Ransom program in which the group retains 40% of extortion revenue and the affiliate keeps 60%.
To qualify, data must be exclusive, less than six months old, and deemed “interesting for publication.”
The group amplifies pressure by drafting investigative articles based on the leaked data, privately sharing them with victims, and threatening to report the breach to regulators, invoking the EU's GDPR and the U.S. Department of Health and Human Services (HHS).
Notably, Anubis leaks partial datasets publicly to incentivize payment, as seen in the Summit Home Health breach, where 7,300 medical records were offered as free downloads on the XSS forum.
A third Access Monetization program splits profits 50/50 with brokers providing corporate network access.
Targets must operate in the U.S., Europe, Canada, or Australia and lack recent ransomware incidents.
Anubis excludes educational, governmental, and non-profit targets. For accepted targets, the group performs a detailed analysis of the victim to identify extortion leverage points, and affiliates receive real-time CryptPad reports documenting attack progression.
Healthcare and Construction Sectors Bear Early Brunt of Attacks
Anubis has already claimed four victims, prioritizing healthcare providers and engineering firms. Pound Road Medical Centre, an Australian clinic, suffered a November 2024 breach exposing patient health data, Medicare details, and contact information.
The group later leaked samples on XSS while negotiating privately with the clinic.
Summit Home Health, a Canadian care provider, faced identical tactics in December 2024, with Anubis publishing client records after failed negotiations.
Peruvian engineering firm Comercializadora S&E and an unnamed U.S. construction company were also targeted.
Anubis’ playbook involves:
- Gaining initial access (often via affiliates)
- Drafting investigative articles from stolen data
- Hosting leaked files on password-protected blog pages
- Threatening public release and regulatory reporting
Victims receive negotiation links via phone calls, with leaks escalating to full public exposure if payments stall.
This dual-pronged approach—combining encryption with reputational damage—reflects trends observed in groups like LockBit and ALPHV.
Technical Sophistication and Operational Security Suggest Experienced Operators
Analysts speculate that Anubis' core members are former affiliates of established ransomware gangs, citing the group's polished dark web blog, its multilingual outreach (Russian-language forum posts alongside English posts on X), and the level of detail in its ransomware specifications.
The group’s emphasis on avoiding recently compromised entities and eschewing low-value sectors hints at strategic target selection.
While the ransomware's self-propagation claims remain unverified, the focus on ESXi systems aligns with 2025's surge in hypervisor-targeting campaigns.
Anubis further complicates mitigation by threatening to report victims to regulators and expose them to GDPR penalties, a tactic that pressures EU-based victims to pay discreetly rather than disclose.
KELA's report warns that Anubis' recruitment of affiliates across access brokerage, data theft, and ransomware deployment could accelerate attack volumes in 2025.
With two healthcare breaches already public, critical infrastructure operators are urged to audit remote access protocols and segment sensitive data.
As ransomware collectives increasingly diversify revenue streams, Anubis exemplifies the blurred lines between data extortionists, access brokers, and traditional RaaS operators.
Their tailored affiliate programs and cross-platform intimidation tactics mark a concerning evolution in cybercrime’s industrialization.