Listen to this Post

Smith Fire Systems, a U.S.-based firm providing building fire‑protection services, has been named as the latest victim of a ransomware attack carried out by the group Anubis, according to a leak post on Anubis’s dark‑web site.
RedPacket Security
+1
What Happened ( the Original Report)
On December 4, 2025, Anubis published a leak‑page claiming that Smith Fire Systems had been compromised.
RedPacket Security
+1
The post does not yet display any downloadable files, screenshots, or direct proof of exfiltration — rather, it appears as a teaser, indicating that additional data may be released at a later date.
RedPacket Security
No ransom amount, ransom note, or direct evidence of encrypted systems has been disclosed publicly; for now, the leak page only signals possible forthcoming leaks of data or more detailed disclosures.
RedPacket Security
+1
Because Smith Fire Systems provides fire‑protection services — likely including safety system schematics, building plans, client information, maintenance records — the potential impact of a data leak could be serious not only for the company’s business reputation but also for the safety and security of its clients and partner organizations.
The Broader Context: Who is Anubis — and Why This Matters
Anubis is a relatively new ransomware‑as‑a‑service (RaaS) operator, first observed under the codename “Sphinx” in late 2024 before rebranding itself.
Barrcuda Blog
+2
KELA Cyber Threat Intelligence
+2
Since then, it has rapidly expanded operations and publicized multiple alleged victims.
Cyber Security News
+2
RedPacket Security
+2
What distinguishes Anubis from many older ransomware actors is its hybrid attack model: it doesn’t just encrypt files for ransom, but also offers a “wipe mode” — a destructive option that permanently destroys the contents of targeted files, while leaving filenames and directory structures intact.
Infosecurity Magazine
+2
CIRT
+2
In some cases, victims may find that even paying a ransom will not recover their data, because wiped files are irrecoverable.
US Site
+1
The group offers multiple monetization schemes to affiliates:
A classic RaaS program (file encryption + ransom) — affiliates get about 80% of the ransom.
Barrcuda Blog
+2
KELA Cyber Threat Intelligence
+2
A “data ransom” option — data theft without encryption, where attackers threaten to publish or sell sensitive data unless paid; affiliates get around 60%.
Infosecurity Magazine
+1
“Access monetization” — selling access to compromised networks or using stolen credentials, with affiliates receiving around 50%.
Barrcuda Blog
+1
This flexibility has helped Anubis rapidly build affiliate networks and scale its operations.
Foresiet
+1
Anubis’s initial access methods typically involve spear‑phishing emails, malicious attachments or links, brute‑force attacks on remote desktops (RDP), or trojanized software updates. Once inside a network, the malware escalates privileges, disables backups and shadow copies, disables security tools, and then encrypts or wipes files — sometimes exfiltrating data first to increase extortion leverage.
Foresiet
+2
SecurityWeek
+2
By mid‑2025, Anubis reportedly listed victims from sectors such as manufacturing, construction, healthcare, and engineering — and its leak site includes enterprises from multiple countries including the United States, Australia, Canada, and Peru.
Kaspersky ICS-CERT
+2
Cyber Security News
+2
What Undercode Say: The Real Risks Behind the Headlines
When a company like Smith Fire Systems becomes a target, the consequences go far beyond the immediate inconvenience. Here’s what this attack illustrates — and why it should set off alarms for companies worldwide.
First: the erosion of safety‑net trust. Organizations relying solely on conventional backups or on paying ransom for decryption may now find those strategies obsolete. With Anubis’s wipe mode, data can be destroyed permanently — leaving even restored backups useless if ransomware operators get their hands on backups or shadow copies are deleted. This shifts the calculus for defenders: data resilience must assume worst‑case destruction, not just temporary encryption.
Second: extortion evolves beyond encryption. Because Anubis blends data exfiltration, data leak threats, and wipe or ransom options, victims face a multi‑layered pressure cooker: pay to decrypt, pay to prevent leaks, or risk permanent destruction — and still be at the mercy of adversaries. For companies dealing with safety‑critical infrastructure — like fire‑protection schematics — the stakes are much higher: leaks can expose vulnerabilities, while destruction can impair operations or compliance.
Third: the business model of cybercrime is going corporate. With affiliate‑based revenue models (80/20, 60/40, 50/50), Anubis effectively runs a criminal supply‑chain: initial‑access brokers, penetration experts, data extortion specialists, all together forming a network that lowers the barrier to entry for attackers. This allows them to scale quickly, adapt strategies, and spread risk — terrifyingly similar to legitimate SaaS business logic.
Fourth: industry and geography don’t shield you anymore. Once ransomware primarily targeted broad‑appeal sectors like finance or retail. Now, we see construction, manufacturing, engineering, critical‑infrastructure sub‑sectors under the cross‑hairs. The fact that a firm specializing in fire‑protection — a domain typically seen as “physical safety” rather than data‑centric — became a victim is a sobering indicator: no sector is immune.
Finally: the regulatory and compliance fallout looms large. For companies operating in sectors subject to strict regulations (safety standards, building codes, client confidentiality), a leak of design schematics or client data can result not only in reputational damage, but also in regulatory sanctions, insurance complications, or even legal liability. With ransom demands and leak‑threat blackmail, attackers are in a strong position to maximize their leverage.
This incident shows that cybersecurity is no longer a matter of protecting IT — it’s about protecting operations, trust, safety, and corporate viability.
Fact Checker Results
✅ Anubis has a built‑in “wipe mode” that can permanently destroy file contents beyond recovery. That functionality is described by multiple cybersecurity reports.
Infosecurity Magazine
+2
NormCyber
+2
✅ Anubis was publicly linked to the Smith Fire Systems incident on December 4, 2025. Several leak‑site tracking sources list Smith Fire Systems as a victim.
RedPacket Security
+1
❌ There is — as of now — no public evidence of exfiltrated data or decrypted files from Smith Fire Systems. The leak post contains no downloadable files or data samples.
RedPacket Security
Prediction
Expect a new wave of attacks in which the emphasis shifts from “lock and ransom” to “destroy and extort.” Organizations in safety‑critical sectors — manufacturing, construction, engineering, infrastructure — will increasingly be targeted, because attackers know they hold valuable schematics and sensitive operational data. As ransomware groups like Anubis continue to professionalize and scale their affiliate models, we may see more firms reacting too late — by which point backups, compliance, and trust have all been compromised. 🔥
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: x.com
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




