Anubis Ransomware: Wiping Files

Summary

Anubis ransomware has added a file-wiping capability to its arsenal, escalating the threat beyond data encryption and extortion. This destructive feature permanently deletes file contents, making recovery impossible even if the ransom is paid. The move signals a shift in ransomware tactics, increasing pressure on victims while potentially undermining the traditional ransomware business model.


Main Story

Anubis ransomware, first identified in December 2024, has rapidly gained notoriety in the cybersecurity landscape. Initially observed as a relatively new Ransomware-as-a-Service (RaaS), Anubis quickly expanded its operations through an affiliate program launched in February 2025. This program offered generous revenue splits to affiliates, incentivizing wider distribution of the malware and accelerating its impact across various sectors. Recent analysis by security researchers at Trend Micro has uncovered a disturbing development: the integration of a file-wiping module within Anubis. This new feature adds a destructive layer to Anubis’s attacks, going beyond the typical encryption and extortion tactics.

A Destructive Escalation: The Wiper Function

The wiper function, activated through a specific command-line parameter, erases file contents, leaving each affected file at zero bytes. While filenames and directory structures remain intact, the actual data is irretrievably lost. This functionality effectively sabotages recovery attempts, even if victims pay the ransom. Security researchers believe this tactic aims to increase pressure on victims, compelling quicker payments and deterring negotiation attempts. Some experts, however, question the efficacy of this approach, arguing that it contradicts the fundamental ransomware business model, which relies on the promise of data recovery in exchange for payment. The wiper’s addition suggests a possible shift in ransomware strategies, from data recovery as a service to pure extortion through the threat of permanent data loss.
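The observable trace of the wipe behaviour described above is a burst of recently modified zero-byte files whose names and directory layout are unchanged. The following detector is an added example written for this article; it is not code from Anubis, from Trend Micro, or from the article's author. It walks a directory tree and raises a flag only when both an absolute count and a ratio of fresh zero-byte files are exceeded, so a few legitimately empty placeholder files (the `BENIGN_EMPTY_NAMES` set is an assumption, not a list from the page) do not trigger it. The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
import shutil
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Assumed allowlist of names that are legitimately empty on many systems;
# excluded so that placeholder files do not inflate the zero-byte count.
BENIGN_EMPTY_NAMES = {".gitkeep", ".keep", "__init__.py", ".placeholder"}


@dataclass
class WipeReport:
    total_files: int
    zeroed_files: int
    zeroed_paths: list
    suspicious: bool


def scan_for_wiped_files(root, window_seconds=3600, min_zeroed=10, min_ratio=0.5, now=None):
    """Walk `root` and flag a burst of recently modified zero-byte files.

    A wiper that empties files but keeps their names leaves many 0-byte files
    with fresh modification times; a handful of empty placeholders does not.
    Both the absolute count and the ratio thresholds must be met to alert.
    """
    now = time.time() if now is None else now
    total = 0
    zeroed = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        total += 1
        if path.name in BENIGN_EMPTY_NAMES:
            continue
        st = path.stat()
        if st.st_size == 0 and (now - st.st_mtime) <= window_seconds:
            zeroed.append(str(path))
    ratio = len(zeroed) / total if total else 0.0
    suspicious = len(zeroed) >= min_zeroed and ratio >= min_ratio
    return WipeReport(total, len(zeroed), sorted(zeroed), suspicious)


def build_sample_tree(n_files=20, n_emptied=15):
    """Constructed sample data: a temp directory of small text files, the first
    `n_emptied` of which are truncated to zero bytes to mimic the post-wipe state."""
    root = Path(tempfile.mkdtemp(prefix="wipe_demo_"))
    (root / "sub").mkdir()
    for i in range(n_files):
        target = root / ("sub" if i % 2 else "") / f"doc_{i:02d}.txt"
        target.write_text(f"document {i} contents\n")
    for i in range(n_emptied):
        target = root / ("sub" if i % 2 else "") / f"doc_{i:02d}.txt"
        target.write_bytes(b"")  # name and location survive; content does not
    (root / ".gitkeep").write_bytes(b"")  # legitimate empty file, must not count
    return str(root)


def remove_sample_tree(root):
    """Delete a tree created by build_sample_tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    report = scan_for_wiped_files(demo_root)
    print(f"{report.zeroed_files}/{report.total_files} files zeroed; suspicious={report.suspicious}")
    remove_sample_tree(demo_root)
```

Run against a file share or backup staging area, the thresholds should be tuned to the share's normal rate of empty files; the modification-time window keeps old, long-empty files from counting, which is what distinguishes a wipe from ordinary housekeeping.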

Modus Operandi: From Phishing to Extortion

Anubis’s attack chain typically begins with spear-phishing emails containing malicious attachments or links. These emails often impersonate trusted sources, deceiving recipients into opening malicious files or clicking on compromised links. Once inside a system, Anubis escalates privileges, disables security tools, and deletes shadow copies to hinder recovery efforts. It then encrypts files, adding the “.anubis” extension, and leaves a ransom note with instructions for payment, typically demanding cryptocurrency. In addition to file encryption, Anubis employs double extortion tactics, exfiltrating sensitive data before encryption. The attackers then threaten to publish this stolen data unless the ransom is paid, adding another layer of pressure on victims. The group sometimes analyzes the stolen data, potentially with AI tools, and presents the victim with a summary of what was taken to increase the pressure to pay.
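Two steps in the chain above leave host telemetry that a detection rule can act on before encryption completes: the shadow-copy deletion and the burst of renames to the “.anubis” extension. The following rule is an added example, not code from the article, from Trend Micro or from any vendor product. The line format (`key=value | key=value`) and the sample events are constructed for the demonstration; the two shadow-copy deletion patterns are the commonly documented command lines for that technique, and a rename to the ransom extension is only alerted on when a per-host count reaches a threshold, so a single oddly named file does not page anyone.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Process command lines that remove Volume Shadow Copies, the pre-encryption
# recovery-sabotage step described in the article. Matched case-insensitively.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]
RANSOM_EXTENSION = ".anubis"  # extension the article reports for encrypted files


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_event(line):
    """Parse one constructed telemetry line of the form 'key=value | key=value'."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect(lines, rename_threshold=5):
    """Return findings for shadow-copy deletion and bursts of renames to .anubis.

    Shadow-copy deletion is alerted on per event. Renames are counted per host
    and only reported once the count reaches `rename_threshold`.
    """
    findings = []
    renames_per_host = Counter()
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "unknown")
        if ev.get("event") == "process_create":
            cmd = ev.get("cmd", "")
            if any(pat.search(cmd) for pat in SHADOW_COPY_DELETION):
                findings.append(Finding("shadow_copy_deletion", host, cmd))
        elif ev.get("event") == "file_rename":
            if ev.get("target", "").lower().endswith(RANSOM_EXTENSION):
                renames_per_host[host] += 1
    for host, count in sorted(renames_per_host.items()):
        if count >= rename_threshold:
            findings.append(Finding("mass_rename_to_ransom_extension", host,
                                    f"{count} files renamed to *{RANSOM_EXTENSION}"))
    return findings


# Constructed sample telemetry (not real logs): one shadow-copy deletion and six
# renames on ws01, a single stray rename on ws02, and benign noise elsewhere.
SAMPLE_EVENTS = [
    "ts=2025-06-20T09:12:01Z | host=ws01 | event=process_create | cmd=vssadmin.exe delete shadows /all",
    "ts=2025-06-20T09:12:02Z | host=ws01 | event=process_create | cmd=notepad.exe C:\\Users\\a\\notes.txt",
    "ts=2025-06-20T09:12:10Z | host=ws02 | event=file_rename | target=C:\\Users\\b\\test.anubis",
] + [
    f"ts=2025-06-20T09:13:{i:02d}Z | host=ws01 | event=file_rename | target=C:\\Share\\report_{i}.docx.anubis"
    for i in range(6)
] + [
    "ts=2025-06-20T09:14:00Z | host=ws03 | event=process_create | cmd=vssadmin.exe list shadows",
]


def run_sample():
    """Run the detector over the constructed sample; returns the findings."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The shadow-copy rule fires on the first matching process-creation event, which is the earliest point in the chain where a response (isolating the host, snapshotting the share) can still preserve data; the rename rule is the later, higher-confidence confirmation that encryption has started.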

Combating the Threat: Proactive Defense is Key

The emergence of Anubis, with its wiper capability and aggressive tactics, underscores the evolving nature of ransomware threats. Organizations must adopt proactive defense strategies to mitigate this escalating risk. Essential security measures include:

  • Robust Email and Web Security: Implement advanced filtering solutions to block malicious emails and websites. Educate employees about phishing tactics and the importance of verifying email senders and website authenticity.
  • Vulnerability Management: Regularly patch systems and applications to address known vulnerabilities. This reduces the attack surface and minimizes the risk of exploitation.
  • Principle of Least Privilege: Enforce the principle of least privilege, restricting user access to only the resources necessary for their job functions. This limits the potential damage from compromised accounts.
  • Data Backups: Maintain regular offline and immutable backups of critical data. This ensures data recoverability in the event of ransomware attacks, even those involving data wiping.
  • Incident Response Plan: Develop and regularly test an incident response plan to effectively manage ransomware attacks. This plan should include procedures for containment, eradication, recovery, and communication.

Anubis’s evolution from a relatively new RaaS to a sophisticated and destructive threat demonstrates the dynamic nature of the cybercrime landscape. By understanding its tactics and implementing robust security measures, organizations can better protect themselves against this evolving threat and mitigate the risk of permanent data loss. As of today, June 20, 2025, these are the latest known tactics of this evolving threat.

3 Comments

  1. The integration of a file-wiping module raises interesting questions about the evolution of ransomware. How might this shift towards data destruction impact insurance policies covering ransomware attacks and data recovery costs?

    • That’s a great point! The addition of file-wiping capabilities definitely throws a wrench into the standard ransomware insurance model. Policies might need to evolve to cover not just data recovery, but also business interruption and reputational damage from permanent data loss. It’s a complex issue!

      Editor: StorageTech.News


  2. Given the shift towards data destruction, what impact might this have on negotiations between victims and ransomware operators, and how could it affect the overall success rate of ransomware attacks from the attackers’ perspective?
