Anubis RaaS: The Rise of a Ruthless Ransomware with Wiper Capabilities


Introduction: A New Breed of Ransomware Is Here

The ransomware landscape has long been dominated by actors who encrypt victims' files and demand payment for the key. A more destructive variant has now entered the market. Named after the Egyptian god of the dead, Anubis is not just another ransomware-as-a-service (RaaS). It combines conventional file encryption with a rare and damaging addition: a wipe mode that irreversibly destroys data, so that a victim who pays may still get nothing back. First seen in late 2024 and fully operational in 2025, Anubis has already hit organizations across several industries, combining technical capability with psychological pressure to push victims into paying. This article examines Anubis's tactics, its impact, and what it means for defenders.

Anubis RaaS: Threat and Evolution

Anubis is a ransomware-as-a-service (RaaS) operation that distinguishes itself by offering both data encryption and a "wipe mode", a capability that permanently destroys file contents so that recovery is impossible even after payment. First surfacing in December 2024, Anubis evolved from an earlier strain known as Sphinx, which shared much of the same code but lacked the full extortion mechanics. The malware was rebranded and began being advertised on cybercrime forums such as RAMP and XSS in early 2025.

What makes Anubis particularly dangerous is its multi-layered extortion model. It uses the standard ransomware playbook (initial access via phishing emails, privilege escalation, defense evasion, and encryption of user files) but adds two further levers: the threat to leak stolen data, and the threat to erase it permanently with the wiper functionality. Double extortion plus the prospect of permanent data loss greatly increases the pressure on victims.

Anubis encrypts files using the Elliptic Curve Integrated Encryption Scheme (ECIES), the same approach used by other malware families such as EvilByte and Prince ransomware. ECIES is a hybrid scheme: the operator's public key is embedded in the sample, a fresh symmetric key is derived from an ephemeral key pair for each encryption, and only the operator's private key can recover it. In practice that means the decryption key never exists on the victim's machine and cannot be carved out of memory or disk after the fact. Encrypted files receive the ".anubis" extension, their icons are changed to display the group's branding, and the malware attempts to set a custom desktop wallpaper as part of its intimidation tactics.

The ransomware is deliberate in its approach. It skips critical system directories (keeping the host bootable so the victim can read the ransom note), deletes Volume Shadow Copies to prevent rollback, and terminates processes that would hold files open or otherwise interfere with encryption. The so-called "wiper mode" truncates file contents to 0 KB while leaving file names in place: a directory listing still looks intact, but the data is gone. Whether any fragments survive in unallocated disk space depends on how the wipe was implemented and should not be counted on; the only reliable recovery path is an offline or immutable backup taken before the attack.
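The distinction between the two modes matters during triage, because a tree full of 0 KB files with their original names looks superficially healthy. The following Python script is an added example, not Anubis code or Trend Micro tooling; it assumes only what the article states (encrypted files carry the ".anubis" extension, wiped files keep their names but are truncated to 0 KB), and the 20% threshold and the sample tree are constructed for illustration:

```python
"""Offline triage of a file tree for Anubis-style encryption vs. wipe damage.

Added example. Assumes only the two indicators the article describes:
  - encrypted files end in ".anubis"
  - wiped files keep their original names but are 0 KB
The ratio threshold and the sample tree are constructed, not observed.
"""
import os
import tempfile
from collections import Counter

ANUBIS_EXT = ".anubis"
WIPE_RATIO_THRESHOLD = 0.20  # assumption: >20% zero-byte files is abnormal for user documents


def classify_tree(root):
    """Return (counts, wiped_paths) for every regular file under root."""
    counts = Counter(encrypted=0, wiped=0, other=0)
    wiped = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue  # skip sockets, dangling symlinks, etc.
            size = os.path.getsize(path)
            if name.endswith(ANUBIS_EXT):
                counts["encrypted"] += 1
            elif size == 0:
                counts["wiped"] += 1  # name intact, content gone
                wiped.append(os.path.relpath(path, root))
            else:
                counts["other"] += 1
    return dict(counts), sorted(wiped)


def verdict(counts):
    """Heuristic flags for which mode (if any) hit this tree."""
    flags = []
    if counts["encrypted"] > 0:
        flags.append("encryption-mode")
    non_encrypted = counts["wiped"] + counts["other"]
    if non_encrypted and counts["wiped"] / non_encrypted > WIPE_RATIO_THRESHOLD:
        flags.append("wipe-mode-suspected")
    return flags or ["no-indicator"]


def build_sample_tree(root, mode):
    """Constructed sample tree; mode is "encrypt" or "wipe"."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    for i in range(6):
        path = os.path.join(docs, f"report{i}.docx")
        if mode == "encrypt":
            with open(path + ANUBIS_EXT, "wb") as f:
                f.write(os.urandom(64))  # stand-in for ciphertext
        else:
            open(path, "wb").close()  # original name kept, 0 KB
    for i in range(3):
        with open(os.path.join(docs, f"notes{i}.txt"), "w") as f:
            f.write("untouched\n")


def demo(mode):
    """Build a sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, mode)
        counts, wiped = classify_tree(root)
        return counts, wiped, verdict(counts)


if __name__ == "__main__":
    for mode in ("encrypt", "wipe"):
        counts, wiped, flags = demo(mode)
        print(mode, counts, flags)
        for p in wiped:
            print("  wiped:", p)
```

Run it against a mounted image or a restored share rather than the live host, and review the "other" bucket by hand: legitimate zero-byte placeholders and lock files exist, which is why the script reports a ratio rather than treating any single empty file as evidence.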

Anubis's affiliate program attracts partners by offering several ways to monetize an intrusion: direct ransom, resale of stolen data, and brokering of the access itself. According to Trend Micro, this makes it an "evolving and flexible RaaS operation" with far-reaching implications.

What Undercode Say:

Anubis is a stark example of how ransomware is becoming more destructive as well as more sophisticated. Where older strains stopped at encryption and a ransom demand, Anubis takes a scorched-earth approach: its "wipe mode" is effectively a death sentence for the data of organizations that fail to comply, and potentially for some that do.

This reflects a strategic shift in the criminal business model: monetization is no longer just about the ransom, but about maximizing pressure. Adding file destruction, resale of stolen data, and access brokering shows an understanding of the corporate risk calculus. A victim who believes they will lose everything regardless of payment is more likely to pay, and to pay quickly.

The use of ECIES and the similarity to EvilByte suggest that Anubis's developers are borrowing and refining proven components rather than reinventing the wheel. For defenders the consequence is on the recovery side rather than the detection side: a correctly implemented, well-understood scheme leaves no cryptographic weakness to exploit for decryption, so hope of a free decryptor is slim. Meanwhile the affiliate model spreads the tool quickly through phishing and credential-based intrusions.

From a technical standpoint, Anubis is built for impact and for completing its run. Skipping system-critical directories keeps the host usable enough to deliver the ransom note, and deleting shadow copies and stopping processes that would hold files open removes the victim's easiest paths to rollback. Both of those behaviors are also among the most reliable things to alert on, since they are loud and rarely legitimate outside scheduled maintenance.
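The shadow-copy deletion and the process-termination burst are the two behaviors a SOC can most usefully detect before encryption finishes. The following Python detector is an added example, not Anubis code or a vendor rule; the command-line patterns are the commonly abused Windows commands for these techniques (the article does not state which exact commands Anubis runs), and the sample process-creation events, the three-command burst threshold, and the field names are all constructed for illustration:

```python
"""Detect shadow-copy deletion and process-kill bursts in process-creation events.

Added example. The regexes cover commonly abused Windows commands for the
techniques the article describes; the events, field names and threshold
are constructed, not taken from any real log or from Anubis itself.
"""
import re
from collections import defaultdict

# Shadow-copy deletion variants (assumption: commonly abused commands)
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"Win32_ShadowCopy\b.*\bDelete\b", re.I),  # PowerShell/WMI route
]
# Process/service termination used to release open file handles
PROCESS_KILL = re.compile(r"\b(taskkill(\.exe)?\s|net(\.exe)?\s+stop\b|sc(\.exe)?\s+stop\b)", re.I)
KILL_BURST = 3  # assumption: 3+ kills/stops from one parent is a burst


def detect(events):
    """events: iterable of dicts with ts, host, parent_pid, image, cmdline.

    Returns a list of (rule, host, ts, detail) tuples.
    """
    alerts = []
    kills = defaultdict(list)
    for e in events:
        cmd = e["cmdline"]
        if any(p.search(cmd) for p in SHADOW_DELETE):
            alerts.append(("shadow_copy_deletion", e["host"], e["ts"], cmd))
        if PROCESS_KILL.search(cmd):
            kills[(e["host"], e["parent_pid"])].append(e)
    for (host, ppid), burst in kills.items():
        if len(burst) >= KILL_BURST:
            detail = f"{len(burst)} kill/stop commands from parent pid {ppid}"
            alerts.append(("process_kill_burst", host, burst[0]["ts"], detail))
    return alerts


# Constructed sample events: one malicious parent (pid 4120) and two benign lines
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T02:14:01", "host": "FS01", "parent_pid": 4120, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-06-10T02:14:02", "host": "FS01", "parent_pid": 4120, "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"ts": "2025-06-10T02:14:02", "host": "FS01", "parent_pid": 4120, "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM msaccess.exe"},
    {"ts": "2025-06-10T02:14:03", "host": "FS01", "parent_pid": 4120, "image": "net.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": "2025-06-10T09:00:00", "host": "FS01", "parent_pid": 880, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign: listing, not deleting
    {"ts": "2025-06-10T09:05:00", "host": "WS22", "parent_pid": 5000, "image": "taskkill.exe",
     "cmdline": "taskkill /IM notepad.exe"},  # benign: a single kill
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Key the burst on parent process and host rather than on the image name: the ransomware spawns the kill commands itself, so the shared parent is the strongest link, and a single taskkill from a help-desk session should not page anyone.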

Furthermore, the affiliate structure raises scalability concerns. With an open RaaS model, Anubis can reach a wide range of sectors, including healthcare and construction, without the core developers engaging directly in intrusions. That decentralization makes attribution harder and takedowns slower.

Organizations need to answer this kind of threat with more than a backup policy: offline or immutable backups that a compromised domain admin cannot delete, behavioral detection that alerts on shadow-copy deletion and mass process termination before encryption completes, privileged access management to limit how far a phished account can escalate, and user awareness training to cut the phishing success rate that feeds the affiliate pipeline.

In summary, Anubis is not merely ransomware; it is a tool of digital sabotage with a financial motive, designed not only to extract money but to inflict maximum damage, erode trust, and make recovery nearly impossible. This phase of ransomware evolution calls for a shift in emphasis toward resilience, speed of response, and layered defenses.

🔍 Fact Checker Results:

✅ Anubis evolved from the Sphinx malware family and shares much of its code structure.
✅ Anubis uses ECIES for file encryption, as reported by Trend Micro.
✅ Wipe mode truncates file contents to 0 KB while leaving file names in place, so files cannot be restored from the files themselves.

📊 Prediction:

With the growth of Anubis and its affiliate model, 2025 is likely to see more RaaS operations combine conventional encryption with destructive features. Expect copycat groups to adopt the wiper model as operators recognize the psychological leverage it creates. On the defensive side, enterprises are likely to prioritize immutable backups and separated, offline storage in their disaster recovery plans.

Forums such as RAMP and XSS will increasingly serve as marketplaces for hybrid threats, and tools like Anubis may in time add automated target selection and dynamic ransom pricing, making them more efficient and more dangerous.

References:

Reported By: securityaffairs.com
