Threat Intelligence firm Kela warns of a new ransomware group called Anubis operating as a RaaS service with an extensive array of options for affiliates.
The group emerged as recently as late 2024, although the researchers believe that its members have experience in ransomware, both malware and operations. Information on Anubis comes from an analysis of the group’s dark web footprint rather than code analysis of the ransomware.
As with most ransomware groups today, Anubis uses double extortion. The researchers suggest that “Anubis appears to be an emerging threat, highlighting different business models employed by modern extortion actors.”
Kela bases its blog report on two Anubis actors that it is tracking on the dark web and on X. One, known as ‘superSonic’, advertised new affiliate programs on the RAMP cybercrime forum on February 23, 2025. These programs include Anubis Ransomware, Anubis Data Ransom, and Access Monetization.
The first option is classic ransomware, offering the affiliate 80% of the ransom achieved. The malware is written in ChaCha+ECIES, it targets Windows, Linux, NAS, and ESXi x64/x32 environments, and can be managed via a web portal.
The second (Data Ransom) provides a monetization service for data already stolen. The data provided must be exclusive to Anubis, stolen within the last six months, and ‘interesting for publication’. The revenue split here is 60% to the affiliate and 40% to Anubis.
Access Monetization pays access brokers 50% of subsequent revenue. The access must be in the US, Europe, Canada, or Australia, and the target must not have been attacked by other ransomware groups in the past year.
Anubis also operates its own blog. At the time of writing, only three victims are detailed. A fourth, currently labeled ‘New – Top Secret’ was added on February 25, 2025. Noticeably, two of the remaining three, are healthcare institutions.
The first claimed victim was Pound Road Medical Centre (PRMC), an Australian healthcare firm. PRMC issued a statement that it had suffered a “cyber incident” on November 13, 2024, and that “patient data may have been accessed and taken by an unauthorized third party.”
“However, there was no mention of ransomware, which suggests that Anubis’ current operations may focus on data extortion – or what Anubis themselves refer to as ‘Data Ransom’ – rather than traditional ransomware involving file encryption,” Kela told SecurityWeek.
Kela’s research suggests there is a new kid on the block. It also suggests that extortion based on data exfiltration alone (that is, without going to the trouble of encrypting the victims’ files) is a growing practice – and that Anubis is taking advantage of this to offer a post exfiltration extortion service.
This doesn’t mean that Anubis is ceasing the traditional RaaS encryption model. superSonic’s February 23 post provides a list of the encrypting ransomware’s capabilities. Kela has not had the opportunity to analyze any actual code caught in the wild (it’s all too new) so cannot verify whether the claims are valid. But if true, “Anubis’s operators may be experienced individuals, possibly former affiliates of other ransomware groups,” it states.
It is early days for a new threat group. But the professionalism and expertise shown in just a couple of months indicate that Anubis and its affiliates could become a significant threat to organizations over the course of 2025.
Related: Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines
Related: CISA, FBI Warn of China-Linked Ghost Ransomware Attacks
Related: Lee Enterprises Newspaper Disruptions Caused by Ransomware
Related: Circuit Board Maker Unimicron Targeted in Ransomware Attack
