
A new ransomware-as-a-service operation has emerged in the cyberthreat landscape, introducing a devastating capability that sets it apart from conventional ransomware families.
Anubis ransomware combines traditional file encryption with a destructive “wipe mode” feature that permanently erases file contents, making recovery impossible even if victims pay the ransom demands.
This dual-threat approach represents a significant escalation in ransomware tactics, moving beyond simple encryption to complete data destruction.

The Anubis group officially launched its operations in early 2025, building upon earlier development work traced back to December 2024 when the group first appeared on social media platforms.
The ransomware evolved from an earlier variant called Sphinx, which appeared to be in a developmental stage, lacking essential components such as a TOR site and unique victim identifiers in its ransom notes.

When researchers compared the binaries of Anubis and Sphinx, they found them to be nearly identical, with only minor differences in the ransom note generation function, suggesting a rebranding of the core malware.
Trend Micro analysts identified this emerging threat and documented its sophisticated attack methodology, which begins with spear phishing campaigns targeting organizations across multiple sectors.
The group has demonstrated an opportunistic approach, claiming victims in healthcare, engineering, and construction industries across Australia, Canada, Peru, and the United States.
Representatives of the Anubis operation have been observed on cybercrime forums RAMP and XSS, using the monikers “supersonic” and “Anubis__media” respectively, advertising flexible affiliate programs with negotiable revenue-share structures.
The ransomware employs multiple attack vectors, with initial access typically gained through carefully crafted phishing emails containing malicious attachments or links designed to appear from trusted sources.
Once executed, Anubis requires specific command-line parameters to function properly, including /KEY= for authentication, /elevated for privilege escalation, /WIPEMODE for destructive operations, /PFAD= for directory exclusions, and /PATH= for targeting specific encryption paths.
The malware demonstrates sophisticated privilege escalation capabilities, checking for administrative rights by attempting to access the system’s primary physical drive and displaying interactive prompts when elevated permissions are detected.
The Destructive Wipe Mode Functionality
What distinguishes Anubis from other ransomware families is its devastating wipe mode capability, activated through the /WIPEMODE parameter during execution.
This feature goes beyond traditional encryption by permanently destroying file contents, ensuring that even successful ransom payments cannot restore the affected data.

The wiper functionality operates by completely erasing file contents while maintaining the file structure, resulting in files that appear in directory listings but contain zero bytes of data.
The technical implementation of this destructive capability involves systematic overwriting of file contents, making traditional data recovery methods ineffective.
Whereas the standard Anubis encryption routine uses the Elliptic Curve Integrated Encryption Scheme (ECIES), as conventional ransomware does with its chosen cipher, the wipe mode bypasses encryption entirely and proceeds directly to data destruction.
This approach creates an irreversible scenario where victims face total data loss regardless of their willingness to pay ransom demands.
Anubis also incorporates additional destructive tactics designed to hinder system recovery efforts.
The ransomware executes the command vssadmin delete shadows /for=norealvolume /all /quiet to eliminate all Volume Shadow Copies on affected systems, effectively removing built-in Windows recovery options.
This systematic approach to destroying recovery mechanisms, combined with the wipe mode feature, creates a multi-layered attack designed to maximize damage and pressure victims into compliance while simultaneously making recovery impossible through conventional means.
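As an added illustration (not from the Trend Micro analysis or the article), the following Python sketches how a defender might look for the two artifacts described above in their own telemetry: the vssadmin shadow-copy deletion and the Anubis switch combination in process-creation logs, and the burst of files truncated to zero bytes that wipe mode leaves behind. The log lines, file events, field names and thresholds are constructed assumptions, not real telemetry.

```python
import re

# Constructed sample process-creation log lines (not real telemetry).
SAMPLE_PROCESS_LOGS = [
    'host=ws01 user=alice image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe report.docx"',
    'host=ws01 user=SYSTEM image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /for=norealvolume /all /quiet"',
    'host=ws02 user=bob image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"',
    'host=ws03 user=bob image=C:\\Users\\bob\\update.exe cmdline="update.exe /KEY=abc /WIPEMODE /PATH=D:\\share"',
]

# Constructed file-write events: (timestamp in seconds, path, size after write).
SAMPLE_FILE_EVENTS = [
    (100, r"D:\share\q1.xlsx", 0), (101, r"D:\share\q2.xlsx", 0),
    (101, r"D:\share\plan.docx", 0), (102, r"D:\share\notes.txt", 0),
    (103, r"D:\share\budget.pdf", 0), (500, r"C:\Users\alice\tmp.log", 0),
]

VSS_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# The switches the article lists for the Anubis binary; two or more together is the signal.
ANUBIS_SWITCHES = ("/KEY=", "/elevated", "/WIPEMODE", "/PFAD=", "/PATH=")

def scan_process_logs(lines):
    """Return (rule, line) pairs: shadow-copy deletion and Anubis-style switch combos."""
    hits = []
    for line in lines:
        m = re.search(r'cmdline="([^"]*)"', line)
        cmd = m.group(1).lower() if m else ""
        if VSS_DELETE_RE.search(cmd):
            hits.append(("shadow_copy_deletion", line))
        if sum(s.lower() in cmd for s in ANUBIS_SWITCHES) >= 2:
            hits.append(("anubis_switch_combo", line))
    return hits

def zeroed_file_bursts(events, threshold=5, window=60):
    """Flag directories where >= threshold files shrank to 0 bytes within `window`
    seconds: files still listed but empty is the on-disk signature of wipe mode."""
    per_dir = {}
    for ts, path, size in events:
        if size == 0:
            per_dir.setdefault(path.rsplit("\\", 1)[0], []).append(ts)
    flagged = []
    for d, stamps in per_dir.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window) >= threshold:
                flagged.append(d)
                break
    return flagged
```

Running the two functions over the constructed samples flags the SYSTEM vssadmin line, the update.exe line carrying three of the listed switches, and the D:\share directory, while the benign notepad, "vssadmin list shadows" and single stray zero-byte file are left alone.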