Emerging Anubis Ransomware Poses Dual Threat to Victims

Anubis, a newly identified ransomware strain, can not only encrypt victims’ files but also destroy them outright, a combination researchers describe as a “rare dual threat.” According to Trend Micro, the malware includes a ‘wipe mode’ that permanently destroys file contents, so that affected files cannot be recovered even if the ransom is paid.

The ransomware-as-a-service (RaaS) operation, active since December 2024, has claimed victims in healthcare, hospitality, and construction in countries including Australia, Canada, Peru, and the United States. The strain was initially called Sphinx and was renamed Anubis before its final release.

Despite the shared name, Anubis has no known connection to the Android banking trojan called Anubis, nor to the Anubis backdoor attributed to the financially motivated group FIN7. The operation runs a flexible affiliate program whose high revenue splits give affiliates a strong incentive to deploy it.

Initial access comes through phishing emails. Once inside, the operators escalate privileges, delete volume shadow copies to defeat local recovery, and then encrypt files. In wipe mode the malware instead truncates each file’s contents to 0 KB while leaving the file name in place, so a directory listing looks intact but nothing is recoverable, even with a decryptor.
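The two observable artefacts in that chain, shadow-copy deletion and a directory full of files that keep their names but lose their contents, are easy to hunt for. The following is an added example written for this page, not code from Trend Micro or from the ransomware itself; the log lines and the sample file tree are constructed here, and the pipe-separated log format, thresholds and function names are assumptions for illustration.

```python
"""Hunting for two artefacts of the Anubis attack chain described above:
(1) volume-shadow-copy deletion commands in process-creation logs and
(2) directory trees in which most files have been truncated to 0 bytes.
Added example for this page; not Trend Micro's or the ransomware's code."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Well-known ways to remove shadow copies on Windows, matched on the
# command line case-insensitively with flexible whitespace. Assumed rule
# set for illustration; extend it with whatever your EDR already covers.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*?\.delete\(", re.I),  # PowerShell/WMI route
]

# Constructed sample process-creation events (not real telemetry).
# Assumed format: "timestamp|host|user|image|command_line".
SAMPLE_LOG = """\
2025-06-10T08:01:12Z|WS-17|corp\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2025-06-10T08:01:13Z|WS-17|corp\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2025-06-10T08:01:14Z|WS-17|corp\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
2025-06-10T08:02:00Z|WS-17|corp\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2025-06-10T08:05:31Z|WS-22|corp\\svc_backup|C:\\Program Files\\Backup\\agent.exe|agent.exe --snapshot create
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one pipe-separated event; the command line may itself contain '|'."""
    ts, host, user, image, cmd = line.split("|", 4)
    return {"timestamp": ts, "host": host, "user": user,
            "image": image, "command_line": cmd}


def find_shadow_copy_deletion(log_text: str) -> List[Dict[str, str]]:
    """Return every event whose command line matches a shadow-copy deletion rule.
    Listing shadows ('vssadmin list shadows') is benign and is not flagged."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        for pat in SHADOW_DELETE_PATTERNS:
            if pat.search(event["command_line"]):
                event["rule"] = pat.pattern
                hits.append(event)
                break
    return hits


def zero_byte_stats(root: str) -> Tuple[int, int]:
    """Return (zero_byte_files, total_files) under root, skipping symlinks."""
    zero = total = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            total += 1
            if os.path.getsize(path) == 0:
                zero += 1
    return zero, total


def looks_wiped(root: str, threshold: float = 0.5, min_files: int = 10) -> bool:
    """Flag a tree where most files keep their names but have lost all content.
    A few empty files are normal (lock files, placeholders), so require both a
    minimum population and a high ratio before alerting. Thresholds are assumed."""
    zero, total = zero_byte_stats(root)
    return total >= min_files and zero / total >= threshold


def build_sample_tree(root: str, wiped: bool) -> None:
    """Create a constructed document share under root. With wiped=True every
    file keeps its name but is truncated to 0 bytes, as the text describes."""
    finance = os.path.join(root, "finance")
    os.makedirs(finance, exist_ok=True)
    for i in range(12):
        with open(os.path.join(finance, f"invoice_{i:03d}.xlsx"), "wb") as fh:
            fh.write(b"" if wiped else b"PK\x03\x04 constructed spreadsheet bytes %d" % i)
    # One legitimately empty placeholder exists in both trees.
    open(os.path.join(finance, ".keep"), "wb").close()


def scan_constructed_samples() -> Dict[str, object]:
    """Run both checks over the constructed log and two constructed trees."""
    with tempfile.TemporaryDirectory() as healthy_dir, \
            tempfile.TemporaryDirectory() as wiped_dir:
        build_sample_tree(healthy_dir, wiped=False)
        build_sample_tree(wiped_dir, wiped=True)
        return {
            "shadow_copy_hits": [h["command_line"]
                                 for h in find_shadow_copy_deletion(SAMPLE_LOG)],
            "healthy_stats": zero_byte_stats(healthy_dir),
            "healthy_flagged": looks_wiped(healthy_dir),
            "wiped_stats": zero_byte_stats(wiped_dir),
            "wiped_flagged": looks_wiped(wiped_dir),
        }


if __name__ == "__main__":
    for key, value in scan_constructed_samples().items():
        print(f"{key}: {value}")
```

Point `find_shadow_copy_deletion` at real process-creation telemetry (Sysmon event ID 1 or Security 4688 with command-line auditing enabled) and `looks_wiped` at a file share: the shadow-copy check fires seconds before encryption or wiping begins, which is the last useful moment to isolate the host, while the 0 KB ratio distinguishes wipe mode from ordinary encryption during triage.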

Experts note that the wiper feature raises the stakes for victims: it adds pressure to pay quickly, while paying no longer guarantees anything once files have been wiped. Anubis’s destructive capabilities have also fed wider discussion of emerging threats, particularly alongside recent findings about the FIN7 group’s infrastructure.

Recorded Future has separately reported Anubis being delivered through deceptive vectors such as fake browser updates and fraudulent software download pages, so phishing is not the only route in. Defenders should treat these lures, shadow-copy deletion, and sudden runs of 0 KB files as signals worth alerting on as ransomware operations keep evolving.