⚠️ Anubis Ransomware: The New Double-Edged Threat That Encrypts and Wipes Data

Published on 16 June 2025 at 12:47

A rare dual-threat ransomware strain emerges with both encryption and data destruction capabilities, pushing victims to the brink.

A chilling new ransomware variant has surfaced in the wild—and it’s turning up the pressure on victims like never before. Named Anubis, this ransomware doesn’t just lock your files behind an encrypted wall—it can also completely wipe them out, leaving no chance of recovery, even if the ransom is paid.

According to a recent report by researchers at Trend Micro, Anubis introduces a rare and aggressive feature: a “wipe mode” that erases file contents while keeping filenames and extensions intact. The files still appear in directory listings, but with 0 KB sizes, essentially reducing entire systems to digital husks.

“The ransomware includes a wiper feature using the /WIPEMODE parameter, which can permanently delete the contents of a file, preventing any recovery attempt,” said researchers Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles.

Who’s at Risk?

Since becoming active in December 2024, Anubis has already targeted multiple industries across Australia, Canada, Peru, and the U.S.—notably healthcare, hospitality, and construction.

What’s more, Anubis operates under a Ransomware-as-a-Service (RaaS) model, which means it enables other cybercriminals (affiliates) to carry out attacks. Affiliates receive:

  • 80% of the ransom payments

  • 60% from data extortion profits

  • 50% from access sales and monetization schemes

This profit-sharing model incentivizes wide-scale deployment and enables less skilled attackers to wreak havoc with dangerous tools.

Tactics, Techniques, and Procedures (TTPs)

The infection starts with phishing emails—a classic social engineering move. Once inside a system, the attackers:

  1. Escalate privileges

  2. Perform system reconnaissance

  3. Delete volume shadow copies

  4. Encrypt files

  5. (Optionally) Wipe the data completely

This dual-action—encrypting and deleting—sets Anubis apart from conventional ransomware families.
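Added example, not code from the Trend Micro report or this post: detection logic a defender could run over process-creation telemetry and file-size snapshots to spot step 3 (shadow copy deletion) and step 5 (the 0 KB wipe described above). The log lines, file names and sizes are constructed for illustration, and the command patterns are generic shadow-copy deletion commands defenders commonly alert on, not commands the report attributes to Anubis.

```python
import re

# Constructed process-creation events (Sysmon-style, simplified); not telemetry from the report.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe report.docx",
    "ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=vssadmin.exe delete shadows /all /quiet",
    "ParentImage=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe CommandLine=wmic shadowcopy delete",
    "ParentImage=C:\\Windows\\System32\\svchost.exe CommandLine=powershell.exe -c Get-Date",
]

# Generic patterns for volume shadow copy deletion (step 3 of the chain); assumed, not from the report.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
]

def shadow_copy_deletions(events):
    """Return the command lines that match a shadow-copy deletion pattern."""
    hits = []
    for line in events:
        m = re.search(r"CommandLine=(.*)$", line)
        if m and any(p.search(m.group(1)) for p in SHADOW_DELETE_PATTERNS):
            hits.append(m.group(1))
    return hits

# Constructed before/after size snapshots of one share, as a backup job might record them.
BEFORE = {"Q3\\budget.xlsx": 48210, "Q3\\notes.txt": 1200, "Q3\\logo.png": 90311, "Q3\\empty.log": 0}
AFTER = {"Q3\\budget.xlsx": 0, "Q3\\notes.txt": 0, "Q3\\logo.png": 90311, "Q3\\empty.log": 0}

def wiped_files(before, after):
    """Files whose name and extension survived but whose contents dropped to 0 bytes (the wipe-mode signature)."""
    return sorted(p for p, size in before.items() if size > 0 and after.get(p) == 0)

def wipe_ratio(before, after):
    """Fraction of previously non-empty files now empty; files that were already empty are ignored."""
    nonempty = [p for p, s in before.items() if s > 0]
    return len(wiped_files(before, after)) / len(nonempty) if nonempty else 0.0

def assess(events, before, after, threshold=0.5):
    """Combine both signals; the threshold is an assumed tuning value for the wipe heuristic."""
    return {"shadow_copy_deletion": shadow_copy_deletions(events),
            "wiped": wiped_files(before, after),
            "wipe_suspected": wipe_ratio(before, after) >= threshold}

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS, BEFORE, AFTER))
```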

Not to Be Confused...

Despite the name, this ransomware strain has no connection to:

  • The Anubis Android banking trojan, or

  • The Python-based backdoor attributed to the FIN7 (GrayAlpha) threat group.

But Speaking of FIN7...

Interestingly, the report also references FIN7’s recent activity involving the delivery of NetSupport RAT, a remote access tool. Recorded Future’s Insikt Group discovered three new FIN7 vectors:

  • Fake browser update pages (MaskBat loader)

  • Fraudulent 7-Zip download sites

  • Malicious redirection campaigns like TAG-124 (aka 404 TDS)

These campaigns often impersonate legitimate software, further blurring the line between trustworthy and malicious content on the web.


Key Takeaway:

Anubis raises the stakes with a brutal blend of encryption and data annihilation. Organizations can no longer rely solely on backups or payment negotiations. A single lapse in phishing defenses could mean complete data loss—forever.


What You Can Do Now:

✅ Educate users on phishing red flags
✅ Implement email and endpoint detection systems
✅ Keep backups offline and immutable
✅ Monitor for unusual PowerShell or registry activity
✅ Apply zero-trust security principles

The cyber battlefield has evolved. With threats like Anubis, prevention isn’t just preferred—it’s essential.
