A New Era of Ransomware Aggression
The cybercriminal world has taken a darker turn with the latest evolution of the Anubis ransomware-as-a-service (RaaS) platform. First spotted in late 2024, this malicious tool has already built a reputation for aggressive tactics, but its most recent upgrade introduces a game-changing weapon: a file wiper module. This enhancement doesn't just encrypt a victim's data; it completely destroys it, rendering recovery futile even if the ransom is paid. This drastic move signals a shift in strategy by threat actors aiming to increase pressure on victims, forcing faster compliance under the threat of total data annihilation.
Anubis RaaS: Summary of Key Developments
Anubis is a relatively recent addition to the ransomware ecosystem, first identified in December 2024 and gaining momentum into 2025. It's important to differentiate it from the Android banking malware of the same name. This Anubis is built around a Ransomware-as-a-Service (RaaS) model, allowing affiliates to use its malware to carry out attacks in exchange for a revenue share. On February 23, 2025, the group publicly launched its affiliate program on the RAMP cybercrime forum, offering attractive commission splits: 80% for ransomware deployment, 60% for data extortion partners, and 50% for access brokers.
Though its victim count remains relatively low, with just eight confirmed entries on its dark web extortion site, the group is actively improving its code. A recent Trend Micro analysis uncovered significant enhancements, notably the addition of a wiper module. This tool can be activated via a "/WIPEMODE" command, requiring authentication to execute. Once triggered, it erases the contents of all targeted files but preserves the directory structure and filenames. This deceptive approach leaves victims believing recovery may be possible, only to discover that their data is irrevocably destroyed.
Unlike typical ransomware that holds files hostage in exchange for a decryption key, this version of Anubis leaves no path for restoration. The encryption process relies on ECIES (Elliptic Curve Integrated Encryption Scheme) and shares code traits with known ransomware families like EvilByte and Prince. Encrypted files receive the .anubis extension, and an HTML ransom note is dropped in affected folders.
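As an added defender's example, not part of the original report or of Trend Micro's analysis: a Python triage script that compares a directory tree against a baseline manifest from a known-good backup and separates wiped files (name and path kept, contents gone) from files renamed with the .anubis extension and from newly dropped HTML files, and that flags the /WIPEMODE switch in process command-line records. The baseline format, the constructed sample tree and the treatment of new HTML files as candidate ransom notes are assumptions.

```python
import re
from pathlib import Path
import tempfile

# The report names the /WIPEMODE switch; flag it in process command-line telemetry.
WIPEMODE_RE = re.compile(r"(?:^|\s)/WIPEMODE\b", re.IGNORECASE)

def flag_wipemode_commands(log_lines):
    """Return the command-line records that carry the /WIPEMODE switch."""
    return [line for line in log_lines if WIPEMODE_RE.search(line)]

def triage_tree(root, baseline):
    """Classify files under root against baseline {relative_path: size_in_bytes}.
    wiped:     name and path survive but the content is gone (zero bytes)
    encrypted: the original is gone and a sibling carrying .anubis exists
    new_html:  HTML files absent from the baseline (candidate ransom notes; heuristic)
    intact:    present with the expected size; modified/missing otherwise
    """
    root = Path(root)
    present = {str(p.relative_to(root)).replace("\\", "/"): p
               for p in root.rglob("*") if p.is_file()}
    result = {k: [] for k in ("wiped", "encrypted", "new_html", "intact", "modified", "missing")}
    for rel, size in baseline.items():
        if rel in present:
            actual = present[rel].stat().st_size
            if actual == 0 and size > 0:
                result["wiped"].append(rel)
            elif actual == size:
                result["intact"].append(rel)
            else:
                result["modified"].append(rel)
        elif rel + ".anubis" in present:
            result["encrypted"].append(rel)
        else:
            result["missing"].append(rel)
    for rel in present:
        if rel not in baseline and rel.lower().endswith((".html", ".htm")):
            result["new_html"].append(rel)
    return result

def build_sample_and_triage():
    """Constructed sample tree (not real victim data) exercising each class."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "a.txt").write_bytes(b"")                 # wiped: name kept, bytes gone
    (root / "docs" / "b.txt.anubis").write_bytes(b"x" * 7)     # encrypted copy of b.txt
    (root / "docs" / "note.html").write_text("<html>note</html>")  # dropped HTML note
    (root / "c.txt").write_bytes(b"abc")                      # untouched
    return triage_tree(root, {"docs/a.txt": 12, "docs/b.txt": 5, "c.txt": 3})
```

Run against a real tree, the baseline would come from backup catalogue sizes or hashes; a zero-byte entry for a file that was non-empty at backup time is the wiper signature the report describes, and its presence means restoration, not decryption, is the only recovery path.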
What Undercode Says:
Evolution of Destructive Ransomware
Anubis represents a pivotal shift in ransomware strategyāfrom merely locking files to actively sabotaging recovery. Traditional ransomware models offered victims the illusion of hope: pay up, and get your files back. The addition of a wiper module ends that charade. By destroying file contents, Anubis exerts maximum psychological pressure. Victims can still see their directory trees, but every file is now an empty shell. This level of deception adds a cruel twist, heightening the emotional and financial toll.
Affiliates and RaaS Economics
With generous profit-sharing models, Anubis is clearly aiming to build a loyal affiliate base. These figures (80% for ransomware operators) are among the highest in the underground economy, signaling an aggressive strategy to dominate the RaaS landscape. If the group succeeds in ironing out technical flaws and increasing operational support, we could see a dramatic uptick in global Anubis-driven attacks.
Unique Technical Characteristics
From a technical standpoint, the use of ECIES encryption and selective directory exclusion shows that Anubis is not a recycled piece of malware but a carefully engineered product. Its ability to remove shadow copies, kill active security processes, and avoid breaking the system completely demonstrates a sophisticated understanding of endpoint defense mechanisms. Interestingly, the inclusion of a failed attempt to change the desktop wallpaper suggests that the team is still iterating on features and experimenting with user intimidation tactics.
Psychological Warfare and Negotiation Pressure
What truly separates Anubis is its psychological impact. Ransomware already plays on fear and urgency, but the wiper module takes this to another level. Victims can no longer delay or bluff in negotiations. The message is clear: pay fast or lose everything. It's a gamble designed to extract quicker payments, particularly from organizations that cannot afford downtime or data loss.
Implications for Enterprises
Enterprises need to rethink their incident response strategies in light of this destructive trend. Traditional playbooks that rely on backups and negotiation no longer offer reliable fallbacks. Once Anubis activates its wiper, no amount of decryption will restore the lost data. This makes prevention, endpoint monitoring, and anti-phishing training more critical than ever.
Comparisons with Other Malware
Anubis draws technical inspiration from malware families like EvilByte and Prince, but adds its own spin with the file-destroying feature. Unlike other ransomware that might still allow for forensic recovery or partial data restoration, Anubis is designed for total data annihilation. This unique edge could position it as a top-tier threat in the ransomware ecosystem if it gains wider traction.
Threat Forecast
As of now, Anubis is still in its expansion phase, with only eight known victims. However, if the developers continue to iterate on its features and refine its infrastructure, the attack volume is likely to surge. Affiliates are drawn to innovation and payout potential, both of which Anubis offers in spades. Given its aggressive strategy and technical edge, it could become a major player within months.
Strategic Recommendations
Organizations must prepare for this new wave by investing in endpoint detection and response (EDR) systems, deploying automated patching solutions, and conducting frequent phishing simulations. Backups alone are no longer sufficient. Businesses should treat ransomware with wiper capabilities as a national-security-level threat due to the irreversible damage it can cause.
Fact Checker Results:
✅ The wiper module is real and confirmed by Trend Micro
✅ Anubis uses ECIES encryption and advanced techniques
✅ No public evidence yet that large enterprises have been hit
Prediction:
Expect a significant rise in Anubis-related attacks by late 2025 as the affiliate network expands and the malware becomes more stable. More advanced features will likely be added, including improved stealth capabilities and integration with initial access marketplaces. Organizations that remain reactive rather than proactive will be the first to fall victim.
References:
Reported By: www.bleepingcomputer.com