Anubis Ransomware Becomes More Destructive With Wiper Addition
The Anubis ransomware operation, which emerged in December 2024, represents a chilling evolution in cyber extortion techniques. Unlike conventional ransomware, which encrypts files for ransom, Anubis enhances its menace with a destructive "wipe mode" feature. This dual functionality blurs the line between extortion and sabotage, significantly increasing the pressure on victims to comply.
Anubis first appeared on cybercrime forums under the aliases "supersonic" on RAMP and "Anubis__media" on XSS. Initial developer activity began under the name "Sphinx," with an early variant lacking operational features like a TOR site or unique ID in its ransom note. Subsequent comparison showed that Sphinx and Anubis shared almost identical code, differing only in branding—signaling a deliberate rebranding after operational testing.
The last time this publication covered Anubis was when the malware's admins were looking to change the traditional approach to the affiliate business model. Operating on a ransomware-as-a-service (RaaS) model, Anubis empowers affiliates who distribute and deploy the malware. The developers advertise flexible revenue-sharing agreements: up to 80% of ransom proceeds go to affiliates, while additional monetization methods, such as data extortion and selling access, offer 60/40 and 50/50 splits, respectively. This expansive affiliate program, unveiled in February 2025, illustrates Anubis's aggressive push into multiple revenue streams.
Anubis's flexible model has led to a varied victim pool. Trend Micro reports at least seven disclosed victims spanning healthcare, engineering, construction, and hospitality industries. These incidents appeared across several countries, including Australia, Canada, Peru, and the United States, indicating a global yet opportunistic targeting approach.
Such an approach led Anubis to swiftly emerge as a resilient and professional ransomware operation in early 2025. Its blend of encryption, destructive wipe capabilities, flexible affiliate revenue models, and global victim selection make it a significant threat. Defenders should urgently review their backup, detection, and response strategies to prepare for this evolving menace.
Wipe Mode: Ransomware's New Destructive Twist
Anubis gains initial access to victim networks through spear-phishing. Once executed, the malware checks whether it is running with administrator privileges by attempting to open a raw physical drive handle (e.g., \\.\PHYSICALDRIVE0), an operation Windows only allows for elevated processes. If the handle cannot be opened, it prompts the user to grant elevation or re-launches itself through the built-in Windows elevation routines.
After confirming elevated permissions, Anubis terminates security-related processes, deletes Volume Shadow Copies so that files cannot be restored from local snapshots, and encrypts files using ECIES (Elliptic Curve Integrated Encryption Scheme). ECIES is a hybrid scheme: the symmetric key used for bulk encryption is derived through elliptic-curve key agreement with the attacker's public key, so decryption requires a private key that never touches the victim's machine. The malware appends the ".anubis" extension to locked files, drops HTML ransom notes, and (in some cases) attempts to change the victim's desktop wallpaper.
The defining innovation is Anubis's wipe mode, triggered with the /WIPEMODE command-line parameter and a capability rarely seen in ransomware families. When activated, it erases file contents instead of encrypting them: files keep their original names and directory structure but are left at zero bytes. Because no ciphertext exists, the data cannot be recovered even if a decryptor is later released. The same pass can wipe entire directories, and the malware adjusts system settings to clean up after itself.
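The practical consequence for responders is that a wiped file and an encrypted file need different handling: the first only comes back from a backup, the second may be recoverable if a decryptor or the attacker's key ever surfaces. The following triage script, an added example and not code from the article or from Trend Micro, walks a directory tree and sorts files into those two classes using only the two indicators described above (the ".anubis" extension and the zero-byte-with-original-name pattern). The sample tree it builds in a temporary directory is constructed for the demonstration; the file names in it are invented.

```python
import os
import tempfile
from pathlib import Path

# Extension Anubis appends to encrypted files, per the write-up above.
ENCRYPTED_EXT = ".anubis"


def classify_file(path: Path) -> str:
    """Return 'encrypted', 'wiped' or 'intact' for a single file.

    encrypted: the .anubis extension is present; the ciphertext still exists,
               so the data is recoverable if a decryptor or key ever surfaces.
    wiped:     original name kept but the file is now zero bytes; there is no
               ciphertext to decrypt, so only a backup can restore it.
    intact:    anything else.
    Caveat: a file that was legitimately empty before the incident is also
    reported as 'wiped', so counts must be reconciled against a baseline
    (a pre-incident file listing or backup catalogue) before being reported.
    """
    if path.suffix.lower() == ENCRYPTED_EXT:
        return "encrypted"
    if path.stat().st_size == 0:
        return "wiped"
    return "intact"


def triage_tree(root) -> dict:
    """Walk a directory tree and tally files per class."""
    root = Path(root)
    counts = {"encrypted": 0, "wiped": 0, "intact": 0}
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            cls = classify_file(p)
            counts[cls] += 1
            files[p.relative_to(root).as_posix()] = cls
    return {"counts": counts, "files": files}


def build_sample_tree(root) -> None:
    """Constructed sample data (not a real victim image): one intact file,
    one file encrypted in the normal mode, two files hit by wipe mode."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "hr").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "budget.xlsx").write_bytes(b"PK\x03\x04 spreadsheet bytes")
    (root / "finance" / "q1-report.docx.anubis").write_bytes(os.urandom(64))
    (root / "finance" / "invoices.pdf").write_bytes(b"")  # wiped: name kept, 0 bytes
    (root / "hr" / "payroll.csv").write_bytes(b"")        # wiped


def run_demo() -> dict:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    result = run_demo()
    print(result["counts"])
    for rel, cls in sorted(result["files"].items()):
        print(f"{cls:9s} {rel}")
```

Run it against a mounted forensic copy rather than the live host, and treat the "wiped" column as the list of files that must be restored from offline or immutable backups regardless of how ransom negotiations end.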
Researchers read this feature as giving affiliates both financial and destructive flexibility. Jon Clay of Trend Micro notes that wipe mode adds urgency to ransom negotiations, since the threat is no longer locked data but destroyed data. Dark Reading also speculates that the feature might appeal to affiliates with nation-state or hacktivist motivations, providing destructive options beyond typical financial gain.
Anubis illustrates the next phase of ransomware evolution: melding traditional extortion with destructive sabotage. Through its affiliate model and wipe feature, it not only amplifies pressure on victims but also signals readiness for both financially motivated and ideologically driven attacks. As such, Anubis demands an urgent reassessment of organizational resilience strategies, focusing on prevention, detection, and comprehensive recovery planning.
Anubis's emergence in 2025 highlights how agile and lucrative modern cybercrime operations have become. Organizations must confront not only the risk of encryption but also the stark possibility that even a paid ransom will not restore destroyed data. Vigilance, defense in depth, and robust backups are no longer optional; they are essential for digital survival.
Anubis's potent combination of encryption and wiping forces defenders to revisit existing safeguards. Trend Micro further suggests defenders should employ the following mitigation measures:
Email and web safety: Exercise caution with email and web practices. Avoid downloading attachments, clicking links, or installing applications unless the source is verified and trusted. Implement web filtering to restrict access to known malicious websites. This should help avoid the initial entry of similar threats.
Data backup: Regularly back up critical data and implement a robust recovery plan. This includes maintaining offline and immutable backups that a process running with administrator rights on the compromised host cannot reach, so that files can be recovered even if they are encrypted or wiped.
Access control: Limit administrative rights and access privileges to employees only when necessary. Regularly review and adjust permissions to minimize the risk of unauthorized access.
Regular updates and scanning: Ensure all security software is updated regularly and conduct periodic scans to identify vulnerabilities. Use endpoint security solutions to detect and block malicious components and suspicious behavior.
User education: Conduct regular training sessions for employees on recognizing social engineering tactics and the dangers of phishing. This awareness can significantly reduce the likelihood of falling victim to such attacks.
Multilayered security approach: Adopt a multilayered defense strategy that includes endpoint, email, web, and network security. This approach will help protect against potential entry points into the system and enhance overall threat detection capabilities.
Sandboxing and application control: Use sandboxing tools to analyze files before execution, ensuring any suspicious files are scanned for potential threats. Enforce application control policies to prevent the execution of unauthorized applications and scripts.
Monitoring for abnormal activity: Implement security information and event management (SIEM) tools to monitor for unusual script executions and outbound connections. This proactive monitoring can help identify and mitigate threats before they escalate.
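The monitoring advice above is concrete enough to turn into detection logic. The script below is an added example, not a Trend Micro or PCrisk detection, and the process-creation events it consumes are constructed records in the shape of Sysmon Event ID 1 rather than real telemetry. It flags the two behaviours the article describes (shadow-copy deletion and the /WIPEMODE switch) and, as an assumption of this example rather than a fact from the write-up, also flags binaries launched from a user's Temp folder, the typical landing spot for a phishing-delivered payload. A correlation step then escalates only hosts where more than one rule fired, which separates a lone administrative vssadmin call from a precursor chain.

```python
import re
from collections import defaultdict

# Constructed process-creation events in the shape of Sysmon Event ID 1
# (invented sample records, not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:14:02Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-06-10T09:14:03Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2025-06-10T09:14:05Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "cmdline": "update.exe /WIPEMODE"},
    {"ts": "2025-06-10T09:20:00Z", "host": "WS-017", "user": "CORP\\backupsvc",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2025-06-10T09:21:00Z", "host": "WS-017", "user": "CORP\\asmith",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n C:\\Users\\asmith\\Documents\\memo.docx'},
]

# Each rule: (name, event field to inspect, compiled pattern).
RULES = [
    # Shadow-copy deletion via vssadmin, wmic or the Win32_ShadowCopy WMI class.
    ("shadow_copy_deletion", "cmdline", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete\(", re.I)),
    # The wipe-mode switch named in the write-up above.
    ("anubis_wipemode_switch", "cmdline", re.compile(r"(^|\s)/WIPEMODE\b", re.I)),
    # Assumption for this example: an executable launched from a user's Temp
    # folder is a common phishing-payload location and merits a low-severity alert.
    ("exec_from_user_temp", "image", re.compile(
        r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)),
]


def evaluate(events):
    """Run every rule over every event; return one alert dict per match."""
    alerts = []
    for ev in events:
        for name, field, pattern in RULES:
            if pattern.search(ev.get(field, "")):
                alerts.append({"rule": name, "ts": ev["ts"], "host": ev["host"],
                               "user": ev["user"], "evidence": ev[field]})
    return alerts


def correlate(alerts, min_distinct_rules=2):
    """Hosts on which at least `min_distinct_rules` different rules fired.
    A single vssadmin call can be routine admin work; shadow-copy deletion
    followed by a wipe-mode switch on the same host is a ransomware chain."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["rule"]}: {a["evidence"]}')
    print("escalate:", correlate(found))
```

In a real deployment the event dicts would come from the SIEM's process-creation feed, and the correlation window should be bounded in time (minutes, not the whole day) so that an old backup job and a new infection on the same host are not merged into one chain.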
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.