Do Son 
Operators of the Anubis ransomware have introduced a destructive mode into their malware that does not merely encrypt files but irrevocably destroys them. This function eliminates any possibility of data recovery—even in the event of ransom payment—as the file contents are wiped, leaving only empty shells while preserving the original directory structure and filenames.
Anubis is a relatively new player in the Ransomware-as-a-Service (RaaS) landscape, unrelated to the Android malware of the same name. First observed in December 2024, the group’s activities intensified in early 2025. On February 23, the group announced the launch of its affiliate program on the underground forum RAMP, offering revenue shares to black market collaborators: 80% for direct ransomware distributors, 60% for extortion specialists, and 50% for initial access brokers.
As of now, the group’s leak site on the dark web lists only eight victims, suggesting that this phase serves as a technical testbed ahead of a broader deployment—during which the malware’s capabilities are being refined.
A recent report from Trend Micro confirmed that Anubis has adopted capabilities beyond conventional encryption. In the latest samples, researchers discovered a specialized file-wiping mode that can be activated via a command-line parameter: /WIPEMODE. This feature requires authentication with a key, ensuring that it does not run automatically but only under direct operator control.
When this mode is enabled, the ransomware erases the contents of every detected file, reducing them to zero bytes. While filenames and directory hierarchies remain intact, the files themselves are rendered empty. Visually, the victim still sees their files in place, but no recovery—whether through decryption or third-party tools—is possible. This makes the attack irreversibly destructive, even if the ransom is paid.
Analysts interpret this feature as a psychological weapon: where previously victims could delay or ignore demands, the new mode introduces the very real threat of complete data annihilation, adding weight to the extortion attempt.
The malware also supports various launch-time parameters, including privilege escalation, specification of target paths, and exclusion of certain directories. System and application folders are typically excluded by default to preserve operating system functionality.
Anubis also removes Volume Shadow Copies, terminates processes, and disables services that could obstruct encryption. These measures help prevent automated data recovery using native Windows mechanisms.
The ransomware itself is built upon the ECIES cryptographic scheme, which employs elliptic curve encryption. Analysis reveals strong architectural similarities between Anubis and previously observed strains such as EvilByte and Prince, suggesting possible code reuse or collaboration among developers.
Upon completing its encryption routine, Anubis appends the .anubis extension to affected files. A ransom note in HTML format is dropped into each compromised folder. The malware also attempts to change the victim’s desktop wallpaper as a visual alert, although this functionality appears unstable in its current implementation and often fails.
Anubis attacks typically begin with phishing emails containing malicious attachments or links. Once the target opens the attachment or follows the link, the primary payload is deployed, which activates the encryption and data-wiping modules.
Trend Micro has published a set of Indicators of Compromise (IoCs) associated with Anubis, including signatures, hashes, domains, and network artifacts, which can assist in identifying the group’s activity within affected infrastructures.
Though the group’s current operational scale appears limited, the rapid evolution of its technical capabilities suggests that a broader campaign may be imminent.
Donate