
Wipe, leak, extort: The crazy hybrid playbook of Anubis ransomware
Anubis is a ransomware-as-a-service (RaaS) operation that emerged in December 2024, and quickly distinguished itself by integrating file-wiping capabilities alongside the traditional encryption and data exfiltration. The group operates multiple affiliate programs with revenue splits ranging from 50% to 80%, and targets multiple sectors in several countries, including Australia, Canada, Peru and the United States.
Anubis’ origin story
Anubis is believed to have begun life under the codename "Sphinx," first observed in late 2024. Sphinx samples carried ransom notes that lacked both a Tor site and a unique victim ID, suggesting either that the malware was still in development or that the operators were new and inexperienced.
Around the same time, researchers noticed that a threat actor calling itself Anubis created an X (formerly Twitter) account, and Anubis-branded ransomware appeared soon after. When Sphinx and Anubis samples were compared, the binaries were found to be nearly identical.
Who is Anubis?
Let’s start this section with who Anubis is not. There are two other threats named Anubis. One is an Android banking trojan first observed in 2016. The second is part of a toolkit used by the FIN7 group, also known as the Carbanak Group: a custom tool used for command and control (C2) and data exfiltration, first observed in 2020.
It's also a good time to note that the pre-Anubis Sphinx ransomware is not the BlackCat ransomware variant named ‘Sphynx.’
With that out of the way, let’s look at what we know about the Anubis RaaS group. We’ll start with two Anubis operatives who have posted on two Russian cybercrime forums. The user ‘supersonic’ has posted on the RAMP forum to advertise the RaaS and recruit affiliates. User ‘Anubis_Media’ similarly posts on the XSS forum. Since forum communications are normally conducted in Russian, researchers believe Anubis operators are based in Russia or other Commonwealth of Independent States (CIS) countries. There are more factors to support this theory:
- Activities like ransomware negotiations, leak site updates and hands-on attack activities appear to take place primarily during the common working hours in the Moscow Standard Time (MSK) time zone.
- Anubis ransomware binaries and ransom note include Russian language strings and occasional Russian characters left in the code.
- Anubis prohibits attacks on former Soviet states and specifically requests initial access to western countries.
Security analysts also suspect that the Anubis operators have prior experience as operators or affiliates of other ransomware groups.
Business model and monetization
On February 23, 2025, the group advertised a "new format" of affiliate programs on the RAMP forum, with all revenue-share structures open to negotiation. This new format included three distinct monetization channels:
- Traditional RaaS program: Like most ransomware-as-a-service programs, affiliates use Anubis infrastructure and other resources to attack targets. Anubis takes 20% of the ransom proceeds and the remaining 80% goes to the affiliate.
- Data extortion program: This scheme is for criminals who want help monetizing data they have already stolen. Affiliates hand the data to Anubis, which then uses it to extort the victim. Anubis requires the data to be no older than six months, not published anywhere else, and sensitive or interesting enough to make a publication threat credible. Affiliates receive 60% of whatever Anubis collects.
- Access monetization: Initial access brokers (IABs) receive a 50% share of attack proceeds on corporate network access credentials. Affiliates can monitor any resulting attacks in real-time through live attack updates provided by Anubis.
This diversified approach allows Anubis to expand its victim list, attract new affiliates, and generate revenue from multiple sources. It also reduces the dependence on traditional ransomware encryption tactics. This business model suggests experience managing affiliates and multiple types of extortion.
Anubis technical capabilities and attack chain
Anubis uses the Elliptic Curve Integrated Encryption Scheme (ECIES) for file encryption. ECIES is a hybrid scheme: the encrypting party generates an ephemeral elliptic-curve key pair, combines it with the recipient's public key (here, a key the operators embed in the binary) to derive a shared secret, runs that secret through a key derivation function, and uses the result to encrypt the bulk data with a symmetric cipher and authenticate it with a MAC. Only the ephemeral public key has to be stored alongside the ciphertext, and only the holder of the matching private key can recompute the shared secret. The bulk work is therefore fast symmetric encryption, while recovery without the operators' private key is computationally infeasible. The practical consequence for defenders is that there is no decryption key to recover from the victim machine; recovery depends on backups, not on reversing the encryption.
One of the most-discussed characteristics of Anubis ransomware is its file destruction capability. This wiper function is activated by a command-line parameter chosen by the attacker at launch. When it is active, targeted files are destroyed rather than encrypted. This is unusual because most ransomware operations depend on the victim paying for a decryption key.
Anubis attack chain
Anubis ransomware follows a typical attack chain, though it sometimes includes the file-wiping functionality.
Initial access is frequently gained through carefully crafted spear phishing email campaigns that make use of malicious links and attachments. Anubis operators control an extensive phishing infrastructure that maximizes infection rates, evades detection and supports their RaaS affiliates. The Anubis RaaS model also allows affiliates to use their own phishing toolkits.
Anubis ransomware is also deployed through remote desktop protocol (RDP) exposures via exploitation, brute-force attacks and credential stuffing. It has also been observed arriving through fake software updates and trojanized copies of legitimate software installers. The Anubis operators offer affiliates the toolkits, credential databases and malware distribution infrastructure to support all of these tactics.
Payload deployment marks the transition from initial access to active execution of the ransomware. It may be triggered when a user interacts with a malicious attachment, or it can be automatically triggered if initial access occurs through an exploit or credential attack. The Anubis binary then parses the command-line parameters that control which files are targeted and whether to use the wiper or standard encryption. There’s much more to it, but these tasks establish the scope of the attack.
Privilege checking comes next. Anubis attempts to open the raw device path \\.\PHYSICALDRIVE0. Opening a handle to a physical drive requires administrative rights, so the outcome of that single call tells the binary whether it is already elevated. The check is quiet: if the process is not elevated, the open simply fails with an access-denied error. There is no User Account Control (UAC) prompt, because the binary has not asked Windows to elevate it, and nothing is shown to the user. Raw device opens are rare in ordinary user applications, so the same call is also a useful detection signal for defenders (Sysmon's RawAccessRead event, for example, records reads made through \\.\ device paths).
If the check indicates administrator rights, the ransomware then attempts to escalate further. If not, the binary can either attempt to elevate or continue in a limited mode. This conditional logic allows it to adapt to different environments during an attack.
Discovery or target identification begins with file system reconnaissance. Anubis creates an inventory of potentially valuable documents, images, database files, and compressed file archives. The malware will exclude System32 and other critical system and application directories that might trigger system errors or call attention to the attack.
Defense evasion uses a set of scripts and tools to disable or otherwise bypass security mechanisms like antivirus, monitoring tools, etc. Backup processes are interrupted and all shadow copies across all volumes are removed. This stage is all about Anubis protecting the attack sequence from detection and disruption.
It’s important to note that although these attack chains are conceptualized as a sequential series of related tasks, the stages of a modern attack are not that well defined. Any malware that is modular and capable of automation and conditional attack flows can execute multiple functions at the same time. This is frequently the case with stages like data exfiltration, privilege escalation, defense evasion and reconnaissance. For example, a ransomware attack might carry out target identification and exfiltration while also attempting to escalate privileges and disable defenses. It’s not unusual to see overlapping or concurrent stages in an attack chain.
Data exfiltration starts when Anubis copies targeted files into temporary directories where they are staged for transfer. The files may be compressed before being sent out over FTP or through cloud storage APIs, usually over encrypted channels, which is why egress volume and destination, rather than content inspection, are the more reliable signals for this stage.
Encryption or data wiping occurs in the destructive stage of the attack. Assuming the attack proceeds with encryption, Anubis will read and then encrypt file contents and rename encrypted files with the .anubis file extension.
If the /WIPEMODE parameter is set, Anubis overwrites rather than encrypts the contents of the targeted files. Filenames are left intact, but the files are truncated to zero bytes, so a wiped directory looks superficially normal until the contents are examined.
Anubis will also attempt to change wallpaper and file system icons to represent Anubis branding.
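The two destructive modes leave very different artifacts on disk, and a responder triaging a share needs to tell them apart quickly, because the recovery path (backups in either case, but no decryption option at all after a wipe) and the conversation with the business differ. The following Python script is an added example, not code from the original article or from any Anubis sample. It builds a constructed directory tree in a temporary folder that mimics both outcomes and triages it: files carrying the .anubis extension mark an encryption run, a directory whose content files have all been truncated to zero bytes with their names intact marks a wipe run, and RESTORE FILES.html is recognised as the note. The entropy threshold and the "every content file is zero bytes" rule are heuristics chosen here, not properties documented for Anubis.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "RESTORE FILES.html"   # note filename reported for Anubis
ENCRYPTED_EXT = ".anubis"            # extension reported for Anubis
HIGH_ENTROPY = 7.5                   # heuristic threshold in bits per byte (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or random data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Label one file by the on-disk artifact each Anubis mode leaves behind."""
    if path.name == RANSOM_NOTE:
        return "ransom_note"
    if path.suffix.lower() == ENCRYPTED_EXT:
        return "encrypted"               # encrypt mode: new extension appended to the name
    if path.stat().st_size == 0:
        return "wiped"                   # wipe mode: name intact, content truncated to zero bytes
    with path.open("rb") as fh:
        head = fh.read(4096)
    if shannon_entropy(head) > HIGH_ENTROPY:
        return "suspicious_high_entropy"  # heuristic: ciphertext-like data without the extension
    return "untouched"


def directory_verdict(directory: Path) -> str:
    """Summarise one directory; a wipe run and an encrypt run look very different here."""
    labels = [classify_file(p) for p in directory.iterdir() if p.is_file()]
    note = "+note" if "ransom_note" in labels else ""
    content = [label for label in labels if label != "ransom_note"]
    if "encrypted" in content:
        return "encrypted" + note
    if content and all(label == "wiped" for label in content):
        return "wiped" + note
    return "clean"


def triage_tree(root: Path) -> tuple[dict, dict]:
    """Return (file label counts, per-directory verdicts) for a whole tree."""
    counts = Counter(classify_file(p) for p in root.rglob("*") if p.is_file())
    verdicts = {str(d.relative_to(root)): directory_verdict(d)
                for d in [root, *root.rglob("*")] if d.is_dir()}
    return dict(counts), verdicts


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not real Anubis output: one encrypted share, one wiped, one clean."""
    finance = root / "finance"
    finance.mkdir()
    (finance / "q1-ledger.xlsx.anubis").write_bytes(os.urandom(2048))
    (finance / "vendor-contract.docx.anubis").write_bytes(os.urandom(2048))
    (finance / RANSOM_NOTE).write_text("<html>constructed placeholder note</html>")
    blueprints = root / "blueprints"
    blueprints.mkdir()
    (blueprints / "siteplan.dwg").write_bytes(b"")
    (blueprints / "hvac-layout.pdf").write_bytes(b"")
    (blueprints / RANSOM_NOTE).write_text("<html>constructed placeholder note</html>")
    public = root / "public"
    public.mkdir()
    (public / "readme.txt").write_text("nothing sensitive in this folder\n" * 20)


def demo() -> tuple[dict, dict]:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    file_counts, dir_verdicts = demo()
    print(file_counts)
    print(dir_verdicts)
```

Point the script at a real share instead of the constructed tree by calling triage_tree on that path; a directory verdict of "wiped" means there is nothing to decrypt even if a key were ever offered, which changes the recovery decision immediately.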
Many analysts and journalists have questioned the strategic purpose of the file wiper. If the victim’s files are overwritten, the victim has no reason to pay for a decryption key. The threat actor can still demand payment, though, in exchange for the stolen data, or for a promise not to leak or sell it to a third party.
The wiper function is potentially useful if the threat actor doesn’t want a ransom from the victim. If we assume that Anubis operators want to earn revenue from every attack, then affiliates might offer some kind of monetization scheme using the stolen data. This might work for sensitive research and other intellectual property (IP). For example, an affiliate might steal the data, destroy the source, and then use the Anubis data affiliate infrastructure to sell the data to the highest bidder. This is all speculation, though, and there are no publicly available reports of this type of activity linked to Anubis.
The ransom note completes the attack chain. Anubis typically leaves a file called “RESTORE FILES.html” in every affected directory. The note includes contact information, payment instructions, deadlines, and additional threats like the publication or sale of the victim’s data.
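Several steps in the chain above produce telemetry that a detection engineer can key on before encryption or wiping completes: the quiet \\.\PHYSICALDRIVE0 probe from a binary in a user-writable path, the /WIPEMODE switch on the command line, shadow copy deletion, a burst of renames to .anubis from one process, and RESTORE FILES.html landing in many directories. The following Python block is an added example, not code from the original article or from Barracuda's products. It runs five such rules over constructed telemetry in a generic EDR shape; the vssadmin and wmic command lines it matches are shadow-copy deletion commands common across ransomware families, not commands the article attributes to Anubis specifically, and every threshold is an assumption to tune per environment.

```python
import re
from collections import Counter, defaultdict

# Tunable thresholds (assumptions, tune per environment)
RENAME_THRESHOLD = 5      # .anubis renames by one process before alerting
NOTE_DIR_THRESHOLD = 3    # distinct directories receiving RESTORE FILES.html
NOTE = "RESTORE FILES.html"

# Images living in user-writable locations are the interesting ones for a raw-device probe
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Desktop|ProgramData)\\", re.I)
# Shadow-copy deletion commands common across ransomware families (not specific to Anubis)
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)

# Constructed telemetry, not captured from a real intrusion. Closest Sysmon analogues:
# process -> EID 1, raw_access -> EID 9, file_create -> EID 11; rename events depend on the sensor.
EVENTS = [
    {"ts": 100, "type": "process", "pid": 4120, "ppid": 3000,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "cmdline": "update.exe"},
    {"ts": 101, "type": "raw_access", "pid": 4120, "target": r"\\.\PHYSICALDRIVE0", "status": "ACCESS_DENIED"},
    {"ts": 102, "type": "process", "pid": 900, "ppid": 4,
     "image": r"C:\Program Files\BackupVendor\agent.exe", "cmdline": "agent.exe --snapshot"},
    {"ts": 103, "type": "raw_access", "pid": 900, "target": r"\\.\PHYSICALDRIVE0", "status": "SUCCESS"},
    {"ts": 110, "type": "process", "pid": 4180, "ppid": 4120,
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": 120, "type": "file_create", "pid": 1200, "path": r"C:\Users\jdoe\Desktop\notes.txt"},
    {"ts": 130, "type": "process", "pid": 5300, "ppid": 3000,
     "image": r"C:\Users\jdoe\Downloads\setup.exe", "cmdline": "setup.exe /WIPEMODE"},
]
# Six renames to .anubis and a note dropped in three directories, all by pid 4120
for i in range(6):
    EVENTS.append({"ts": 200 + i, "type": "file_rename", "pid": 4120,
                   "old_name": rf"C:\Shares\finance\doc{i}.docx",
                   "new_name": rf"C:\Shares\finance\doc{i}.docx.anubis"})
for folder in (r"C:\Shares\finance", r"C:\Shares\hr", r"C:\Users\jdoe\Documents"):
    EVENTS.append({"ts": 300, "type": "file_create", "pid": 4120, "path": folder + "\\" + NOTE})


def rule_raw_device_probe(events):
    """A binary in a user-writable path touching \\.\PHYSICALDRIVEn: the quiet admin check."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "raw_access" and e["target"].upper().startswith(r"\\.\PHYSICALDRIVE"):
            image = images.get(e["pid"], "")
            if USER_WRITABLE.search(image):
                alerts.append(("raw_device_probe", e["pid"], f"{image} -> {e['target']} ({e['status']})"))
    return alerts


def rule_wipe_flag(events):
    """The /WIPEMODE switch on a command line means there will be nothing to decrypt."""
    return [("wipe_mode_flag", e["pid"], e["cmdline"]) for e in events
            if e["type"] == "process" and "/WIPEMODE" in e["cmdline"].upper()]


def rule_shadow_copy_deletion(events):
    return [("shadow_copy_deletion", e["pid"], e["cmdline"]) for e in events
            if e["type"] == "process" and SHADOW_DELETE.search(e["cmdline"])]


def rule_mass_anubis_rename(events):
    per_pid = Counter(e["pid"] for e in events
                      if e["type"] == "file_rename" and e["new_name"].lower().endswith(".anubis"))
    return [("mass_rename_anubis", pid, f"{n} files renamed to .anubis")
            for pid, n in per_pid.items() if n >= RENAME_THRESHOLD]


def rule_ransom_note_spread(events):
    dirs = defaultdict(set)
    for e in events:
        if e["type"] == "file_create" and e["path"].lower().endswith("\\" + NOTE.lower()):
            dirs[e["pid"]].add(e["path"].rsplit("\\", 1)[0])
    return [("ransom_note_spread", pid, f"note written to {len(d)} directories")
            for pid, d in dirs.items() if len(d) >= NOTE_DIR_THRESHOLD]


def run_rules(events):
    """Return (rule name, pid, detail) tuples for every rule that fires."""
    alerts = []
    for rule in (rule_raw_device_probe, rule_wipe_flag, rule_shadow_copy_deletion,
                 rule_mass_anubis_rename, rule_ransom_note_spread):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

The backup agent (pid 900) reads the same raw device and is deliberately not flagged, because the rule keys on where the image lives rather than on the device path alone; that is the kind of exclusion needed to keep the raw-access rule usable on hosts that run legitimate imaging or backup software.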
Victims and insights
Anubis is difficult to profile because the group has only nine known victims, and there are conflicting reports and conclusions about the origins and timeline of its activity. However, we can attempt to draw some insights from what we know about the victims and the stolen data:
| Date listed | Victim | Data stolen |
| --- | --- | --- |
| June 19, 2025 | Disneyland Paris (theme park operator) | Confidential attraction blueprints, technical specs, 4,000+ media files, documentation, contracts |
| June 10, 2025 | Parkway Construction & Architecture (architecture firm involved in defense and aerospace facility construction) | SCIF-compliant blueprints, facility maps, schematics, contractor plans (L3Harris, Virgin Galactic) |
| April 22, 2025 | Catawba Two Kings Casino (casino operator) | Security plans, vault and camera locations, BOH schematics |
| March 31, 2025 | DG2 Design Landscape Architecture (landscape design and architecture firm) | Blueprints, contracts, personal and internal documents |
| March 23, 2025 | Ambleside, Inc. (healthcare provider with sensitive patient and staff incident data) | Patient abuse/neglect reports, personal medical data, emergency contacts |
| February 24, 2025 | First Defense Fire Protection, Inc. (fire protection contractor serving airports, retailers, and energy firms) | Fire system schematics, building plans, client contracts (Walmart, Siemens Energy, Hilton Head Airport) |
| February 24, 2025 | Comercializadora S&E Peru (industrial supplier in Peru) | Financial records, employee/customer PII, CEO docs, incident reports |
| February 24, 2025 | Pound Road Medical Centre (medical clinic) | Medical records, passports, safety violation reports, vaccination history |
| February 24, 2025 | Angels of Summit (healthcare provider) | 7,000+ medical records, SSNs, DOBs, contact info, internal reports |
Let’s first look for some victim patterns. Anubis seems to focus on organizations with access to proprietary, confidential, or high-risk data. Each of the victims holds either blueprints or facility schematics, medical or personal data, or contracts and internal reports. Some of these internal reports include compliance violations and reports of abuse or other potentially embarrassing information.
There are several types of risk represented in this stolen data. Blueprints and schematics can be used to sabotage sensitive equipment or create strategic physical threats to a public venue. Data stolen from First Defense Fire Protection includes safety system schematics, building layouts and other sensitive security information. Disneyland data includes blueprints and thousands of ‘behind the scenes’ photos showing employees, facilities and equipment.
There are also thousands of documents with medical and financial information, disciplinary records, vendor contracts, compliance documentation, and more. Some victims will pay to keep that data from leaking to the public. If victims do not pay, Anubis can easily sell the data to competitors and other third parties.
This victim information may suggest:
- High-value, high-impact targets: Anubis operatives and affiliates are intentional in their targeting. They target victims with operationally sensitive data that can be used for extortion, resale or strategic advantage.
- Data-centric extortion: Stolen data consistently includes blueprints, schematics, medical data, security layouts, infrastructure details, contracts, financial documents, and incident reports. Anubis places greater value on data exfiltration and publication threats than on traditional encryption-based ransom.
- Mixed motivations: Anubis may be motivated by espionage or company sabotage. The type of data stolen can serve interests other than direct extortion, and those interests could be the reason behind some attacks.
- Aggressive data leaks: Anubis operators leak data quickly. Once a victim is listed on the Anubis leak site, the countdown to full data publication begins.
- Specific data interests: Anubis has a specific interest in blueprints, infrastructure, and other confidential building plans. The group may be crafting a specialty in the theft of information that has both strategic and criminal resale value.
Analysts need more information before drawing firm conclusions about Anubis’ motivations and plans; nine victims are not enough to establish patterns with confidence. It’s interesting to think about, but hopefully Anubis will fade away and not give us any further data to consider.
Protect yourself
To protect your organization from Anubis ransomware, prioritize a defense-in-depth strategy that includes network segmentation, least privilege access controls, and robust data backups. Ensure that sensitive architectural, medical, or operational data is stored securely with proper encryption at rest and in transit. Implement strict access controls so that only authorized personnel can view or modify confidential files such as blueprints or patient records. Regularly update and patch all software, especially public-facing systems, to reduce the risk of exploitation. In addition, deploy a solution like Barracuda Managed XDR that can identify suspicious behaviors such as lateral movement or unauthorized data access. This will help stop threats like Anubis during the pre-encryption phase.
It’s also important to train employees to recognize phishing attempts. Anubis affiliates and many other unrelated threat actors use phishing and social engineering to compromise networks. Implement multifactor authentication (MFA) on all critical systems, especially for remote access, administrative accounts and VPNs. To defend against data extortion specifically, encrypt sensitive files proactively and maintain immutable, air-gapped backups that are tested regularly for recovery. Finally, monitor the dark web and ransomware forums for early indicators of threat activity related to your sector, and have a well-practiced incident response plan in place to react quickly if you become a target. It may be helpful to contact a consultant or managed service provider to assist you with your security deployments.
Barracuda can help
BarracudaONE is a complete AI-powered cybersecurity platform that maximizes your protection and cyber resilience by unifying your cybersecurity solutions in a centralized dashboard. This comprehensive solution protects your email, data, applications, and networks, and is strengthened by a 24/7 managed XDR service. Visit our website to schedule a demo and see how it works.
