Ransomware activity has skyrocketed in the ever-evolving cyber threat landscape, with Bitsight’s State of the Underground 2025 study indicating a 53% increase in ransomware group-operated leak sites and a roughly 25% increase in unique victims reported on leak sites throughout 2024.
Amid this escalation, the Anubis ransomware variant has emerged as a formidable player, first detected in November 2024.
This malware, potentially linked to Russian-speaking actors based on dark web forum communications, has rapidly gained notoriety for its sophisticated ransomware-as-a-service (RaaS) model and destructive capabilities.
Anubis targets both Android and Windows platforms, employing a blend of encryption, data exfiltration, and credential theft to maximize extortion potential.
Emerging Threat in the Ransomware Landscape
Its affiliate structure offers flexible monetization, including an 80-20 split for standard RaaS operations, escalating to 40% for Anubis when data theft is involved, and a 50-50 division for direct extortion support.
This adaptability has enabled Anubis to proliferate quickly, focusing on high-value sectors like healthcare, construction, and professional services, with confirmed incidents spanning the United States, France, Australia, and Peru.
Technically, Anubis initiates intrusions via spear-phishing campaigns, delivering malicious payloads through deceptive emails mimicking trusted entities.
On execution, it leverages command-line interpreters with parameters such as /KEY=, /elevated, /PATH=, /PFAD=, and /WIPEMODE to facilitate privilege escalation and lateral movement.
Defense evasion tactics include abusing valid accounts to access sensitive directories, while its destructive "wipe mode" can permanently delete files, reducing them to zero-byte placeholders even after the ransom is paid, thereby amplifying victim coercion.
Encryption employs the Elliptic Curve Integrated Encryption Scheme (ECIES), selectively sparing critical system paths like Windows, System32, and Program Files to maintain host viability during attacks.
On Android, Anubis operates as a banking trojan, deploying phishing overlays on top of legitimate apps to capture credentials, alongside screen recording, keylogging, and mass SMS propagation for self-dissemination.
It further locks devices, exfiltrates sensitive files to command-and-control servers, and displays ransom demands, making it a dual threat for mobile users.
High-Profile Attacks
Anubis’s Windows variant operates as a full-fledged RaaS, incorporating access token manipulation for elevated privileges, deletion of Volume Shadow Copies to thwart recovery, and termination of system services to streamline encryption processes.
Propagation often follows initial phishing footholds, with the malware escalating to network-wide encryption and optional file wiping, ensuring data irrecoverability and heightening pressure for swift payments.
This destructive element, observed in incidents where victims faced permanent data loss despite compliance, underscores Anubis's evolution beyond traditional ransomware, potentially aiming to deter negotiation delays or enhance psychological impact.
Significant breaches attributed to Anubis highlight its focus on critical infrastructure.
In November 2024, a healthcare provider in Victoria, Australia, detected anomalous system activity, leading to an investigation that uncovered unauthorized access and exfiltration of patient data, including names, addresses, medical diagnoses, treatment details, and Medicare information.
Although not publicly confirmed as ransomware, security analysts linked the attack to Anubis, which claimed responsibility on its dark web leak site, publishing stolen records as its inaugural victim listing.
This incident prompted immediate containment measures, regulatory notifications to bodies like the Office of the Australian Information Commissioner and the Australian Cyber Security Centre, and emphasized the healthcare sector’s vulnerabilities due to the high stakes of sensitive data exposure.
According to the report, a subsequent attack in December 2024 targeted a Canadian healthcare entity, with Anubis exfiltrating and leaking data via its data leak site, further solidifying its pattern of targeting medical institutions.
These events, combined with Anubis’s cross-platform versatility and affiliate incentives, position it as a persistent threat.
Defenders are advised to monitor for indicators like unusual command-line executions, account anomalies in sensitive areas, and encryption patterns excluding system directories.
Implementing multi-factor authentication, robust email filtering, and timely patching remains essential, while advanced tools leveraging large language models for threat intelligence analysis, as noted in Bitsight’s methodologies, can enhance proactive risk mitigation in this intensifying ransomware environment.
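To make the command-line monitoring advice concrete, here is an added example (not from Bitsight's report or from Anubis itself) that scans process-creation events for the switches named earlier (/KEY=, /elevated, /PATH=, /PFAD=, /WIPEMODE). The Sysmon-style JSON field names, the sample events, and the triage weights are assumptions constructed for the demonstration.

```python
import json
import re

# Command-line switches the article attributes to the Anubis Windows payload.
# Weights are an assumed triage ordering, not taken from the report.
ANUBIS_SWITCHES = {"/KEY=": 2, "/ELEVATED": 2, "/PATH=": 1, "/PFAD=": 1, "/WIPEMODE": 3}
SWITCH_RE = re.compile("|".join(re.escape(s) for s in ANUBIS_SWITCHES), re.IGNORECASE)


def score_command_line(cmdline: str) -> tuple[int, list[str]]:
    """Return (weighted score, matched switches) for one process command line."""
    found = sorted({m.group(0).upper() for m in SWITCH_RE.finditer(cmdline)})
    return sum(ANUBIS_SWITCHES[s] for s in found), found


def severity(score: int, found: list[str]) -> str:
    if "/WIPEMODE" in found:
        return "critical"  # destructive wipe flag overrides everything else
    if score >= 3:
        return "high"      # e.g. key material plus elevation in a single launch
    return "medium" if score else "none"


def detect_anubis_cmdlines(log_lines: list[str]) -> list[dict]:
    """Scan JSON process-creation events (Sysmon-style fields assumed) and return alerts."""
    alerts = []
    for raw in log_lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if str(ev.get("EventID")) != "1":  # Sysmon event 1 = process creation
            continue
        score, found = score_command_line(ev.get("CommandLine", ""))
        if not found:
            continue
        alerts.append({"host": ev.get("Computer"), "user": ev.get("User"),
                       "image": ev.get("Image"), "switches": found,
                       "severity": severity(score, found)})
    return alerts


# Constructed sample events for demonstration; not captured from a real incident.
SAMPLE_LOG = [
    '{"EventID": 1, "Computer": "ws01", "User": "CORP\\\\jsmith", "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe /c dir"}',
    '{"EventID": 1, "Computer": "ws02", "User": "CORP\\\\svc_backup", "Image": "C:\\\\Users\\\\Public\\\\update.exe", "CommandLine": "update.exe /KEY=abc123 /elevated /PATH=D:\\\\shares"}',
    '{"EventID": 1, "Computer": "fs01", "User": "CORP\\\\admin", "Image": "C:\\\\Temp\\\\a.exe", "CommandLine": "a.exe /WIPEMODE /PFAD=E:\\\\"}',
    '{"EventID": 3, "Computer": "ws02", "CommandLine": "update.exe /KEY=zzz"}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in detect_anubis_cmdlines(SAMPLE_LOG):
        print(alert)
```

The benign cmd.exe launch produces no alert, the network event (EventID 3) is ignored, and the two suspicious launches are ranked so the wipe-mode case surfaces first in triage.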