The emerging Anubis ransomware has become a major threat to organizations, as it can permanently delete files to prevent their recovery, Trend Micro warns.
Active since late 2024 and operating under the ransomware-as-a-service (RaaS) model, Anubis was first detailed in February this year, when threat intelligence firm Kela observed it focusing on data extortion, alongside the encryption component.
A fresh Trend Micro report, however, puts things in a different perspective: not only does Anubis encrypt victims’ data, but it also has a wiper module that destroys it.
“Trend Research has observed specific command line operations for these destructive actions, including attempts to change system settings and wipe directories,” the cybersecurity firm notes.
According to Trend Micro, Anubis, which has the same code as Sphinx, except for the function that generates the ransom note, has been promoted on cybercrime forums by two accounts, namely ‘supersonic’ and ‘Anubis__media’.
Affiliates are promised negotiable revenue-share structures for long-term cooperation, as well as access to programs beyond the typical RaaS and double extortion for monetization, namely a data ransomware affiliate and an access monetization affiliate program.
To date, the group has targeted construction, engineering, and healthcare organizations in Australia, Canada, Peru, and the United States, with seven victims listed on Anubis’ Tor-based leak site.
Anubis’ operators rely on spear phishing emails for initial access. Once in, they rely on various commands and scripts to check for administrative privileges, attempt to elevate them to System, and then proceed to file and directory discovery.
The ransomware also targets specific processes for termination, erases Volume Shadow copies, and encrypts victim’s data using Elliptic Curve Integrated Encryption Scheme (ECIES) encryption. It then drops an icon file to the Program Data folder, and attempts to change the desktop wallpaper to its own.
In the dropped ransom note, the RaaS operators threaten to release the victim’s stolen data unless a ransom is paid.
The wiper module in Anubis, Trend Micro explains, can be used to permanently delete the contents of a file, making recovery impossible.
“What further sets Anubis apart from other RaaS and lends an edge to its operations is its use of a file wiping feature, designed to sabotage recovery efforts even after encryption. This destructive tendency adds pressure on victims and raises the stakes of an already damaging attack,” Trend Micro notes.
Related: Fog Ransomware Attack Employs Unusual Tools
Related: Are Threat Groups Belsen and ZeroSevenGroup Related?
Related: On Demand: Threat Detection & Incident Response (TDIR) Summit
Related: Sharing Intelligence Beyond CTI Teams, Across Wider Functions and Departments
