A newly emerged ransomware group, Anubis, is making waves in the cybercrime world with its hybrid monetization model that blends Ransomware-as-a-Service (RaaS), data extortion, and access brokerage. Active since at least November 2024, Anubis is primarily targeting healthcare and construction sectors, leveraging Russian-language forums to recruit affiliates and expand its operations.
Anubis is not just another ransomware gang—it represents an evolution in cybercrime by offering specialized affiliate programs that cater to hackers, data thieves, and access brokers. Their public shaming tactics, advanced malware deployment, and deep victim profiling set them apart from traditional ransomware groups.
With sophisticated encryption techniques and a multi-layered extortion approach, Anubis exemplifies the new wave of ransomware threats in 2025. Security analysts warn that their rapid expansion and aggressive recruitment strategies could significantly increase attack volumes in the coming months.
Anubis: A New Breed of Cyber Threat
1. Hybrid Monetization Model: More Than Just Ransomware
Anubis operates a three-pronged monetization strategy:
- Ransomware-as-a-Service (RaaS) – Affiliates get 80% of ransom payments using malware designed for Windows, Linux, NAS, and ESXi systems.
- Data Ransom Program – Hackers selling stolen data receive 60% of extortion revenue, with Anubis pressuring victims by leaking partial datasets.
- Access Monetization – Brokers selling access to corporate networks split profits 50/50 with Anubis.
2. Targeting High-Value Sectors
Anubis has already attacked healthcare and construction firms, including:
- Pound Road Medical Centre (Australia) – Stolen patient data leaked on dark web forums.
- Summit Home Health (Canada) – 7,300 medical records exposed after failed negotiations.
- Comercializadora S&E (Peru) & an unnamed U.S. construction firm – Corporate network access exploited for financial gain.
3. Ransomware with a PR Strategy
Unlike traditional ransomware gangs, Anubis adds investigative-style reports on victims, leveraging regulatory threats (GDPR penalties, legal actions) to force payments. Their leak site on the dark web is used to increase pressure.
4. Advanced Operational Tactics
- Uses ChaCha+ECIES encryption for secure ransomware deployment.
- Escalates privileges to NT AUTHORITY\SYSTEM for deeper system access.
- Affiliates receive real-time attack progress reports on CryptPad.
- Focus on high-value targets, avoiding government, education, and non-profits.
What Undercode Says: The Growing Industrialization of Cybercrime
Anubis is not just another ransomware gang—it represents a strategic shift in cybercrime. By blending ransomware, data extortion, and access brokerage, they have created an all-in-one criminal ecosystem.
1. The Rise of Hybrid Ransomware Models
Traditional ransomware relied solely on encryption and ransom demands. Anubis, however, has embraced a multi-layered approach:
- Encryption-based extortion remains their core method.
- Data extortion forces victims to pay even if they restore backups.
- Access selling allows cybercriminals to monetize corporate vulnerabilities.
This diversification means that companies are no longer just facing encryption threats—they are also at risk of prolonged data exposure and network infiltration.
2. Increased Specialization Among Cybercriminals
Anubis’ three-tier affiliate model demonstrates the increasing specialization within cybercrime. Unlike traditional RaaS groups that focus on distributing malware, Anubis recruits experts in different fields:
- Penetration specialists sell network access.
- Ransomware operators handle deployment and encryption.
- Data extortionists focus on maximizing payouts through public shaming.
This approach mirrors corporate business structures, highlighting cybercrime’s evolution into a professionalized industry.
3. The Power of Psychological Warfare
Anubis doesn’t just rely on encryption—they weaponize reputational damage. By publishing stolen data, they force victims into public negotiations, increasing pressure to pay ransoms.
The fear of GDPR penalties is a powerful tool against European companies, making them more likely to comply with ransom demands. This legal pressure tactic has been observed in previous groups like ALPHV, but Anubis has taken it to the next level.
4. A Sign of Ransomware’s Future?
Anubis represents the next stage of ransomware evolution, with:
- Increased automation – Self-propagating malware speeds up attacks.
- Refined target selection – Only attacking businesses likely to pay.
- Hybrid revenue streams – Monetizing access, data, and encryption.
This industrialization of cybercrime makes it harder for companies to defend against ransomware groups that operate like businesses rather than traditional hackers.
5. Defensive Measures for Businesses
To combat groups like Anubis, companies should:
- Enhance network segmentation to limit ransomware spread.
- Monitor for unauthorized access to detect breaches early.
- Implement strict backup policies to recover from attacks.
- Increase employee cybersecurity awareness to prevent phishing-based access.
With cybercrime becoming increasingly professionalized, businesses must adapt their defenses accordingly.
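The escalation to NT AUTHORITY\SYSTEM listed under Advanced Operational Tactics is one concrete thing the "monitor for unauthorized access" measure can look for. The following Python detection is an added example, not code from the original report or from any vendor: it flags a process that runs as SYSTEM while its parent ran as an ordinary user. It assumes process-creation events exported as JSON lines with Sysmon Event ID 1 field names; the sample records, the shortened ProcessGuid values, and the `allowed_parents` allowlist are constructed for illustration.

```python
import json

SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed records (not from a real incident), shaped like Sysmon Event ID 1
# process-creation fields exported as JSON lines, oldest first.
SAMPLE_LOG = r"""
{"ProcessGuid":"P1","ParentProcessGuid":"P0","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\services.exe"}
{"ProcessGuid":"P2","ParentProcessGuid":"P1","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\svchost.exe"}
{"ProcessGuid":"P3","ParentProcessGuid":"P8","User":"CORP\\alice","Image":"C:\\Windows\\explorer.exe"}
{"ProcessGuid":"P4","ParentProcessGuid":"P3","User":"CORP\\alice","Image":"C:\\Users\\alice\\Downloads\\tool.exe"}
{"ProcessGuid":"P5","ParentProcessGuid":"P4","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\cmd.exe"}
{"ProcessGuid":"P6","ParentProcessGuid":"P5","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\whoami.exe"}
"""


def find_system_escalations(lines, allowed_parents=()):
    """Return process creations that run as SYSTEM under a non-SYSTEM parent.

    allowed_parents: parent image paths known to do this legitimately
    (hypothetical allowlist, compared case-insensitively).
    """
    allowed = {p.lower() for p in allowed_parents}
    seen = {}   # ProcessGuid -> (User, Image) for every process observed so far
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        seen[ev["ProcessGuid"]] = (ev["User"], ev["Image"])
        parent = seen.get(ev["ParentProcessGuid"])
        if ev["User"].upper() != SYSTEM or parent is None:
            continue  # not SYSTEM, or parent started before logging began
        parent_user, parent_image = parent
        if parent_user.upper() == SYSTEM or parent_image.lower() in allowed:
            continue  # normal service tree, or an allowlisted launcher
        hits.append({"image": ev["Image"], "parent_image": parent_image,
                     "parent_user": parent_user})
    return hits


if __name__ == "__main__":
    for hit in find_system_escalations(SAMPLE_LOG.splitlines()):
        print("ALERT SYSTEM child of", hit["parent_user"], "->", hit)
```

Only the boundary event is reported: later SYSTEM children of the flagged process inherit a SYSTEM parent and are found by walking the process tree from the alert.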
Fact Checker Results
- Anubis’ ransomware capabilities are consistent with known advanced malware, but their self-propagation claims remain unverified.
- Their hybrid monetization strategy aligns with recent cybercrime trends, particularly in ransomware diversification.
- KELA’s reports confirm the group’s dark web presence and affiliate recruitment strategy, validating their rapid growth in 2025.
References:
Reported By: https://cyberpress.org/new-anubis-ransomware-targets-windows-linux-nas-and-esxi/




