Even paying victims lose their data with Anubis ransomware | #ransomware | #cybercrime


A wiper module makes the Anubis ransomware more destructive than before: even victims who pay the ransom lose their data. The open question is whether that strategy will keep paying off for the attackers.

The relatively new group, which first came to public attention at the end of last year, is experimenting freely. Trend Micro found the new module in recent Anubis samples and explains that it is designed to thwart recovery even after the initial encryption. Trend Micro regards this added destructiveness as a competitive advantage for the operators over rival ransomware crews.

Destructive wiper as a means of pressure

The wiper is activated with the command-line parameter ‘/WIPEMODE’, which requires a key before the operation is allowed to run. Once active, it erases the contents of every targeted file and truncates it to 0 bytes (Trend Micro reports the files as 0 KB), while file names and folder structure remain intact. Victims can still see their files in the directory listing, but the contents are permanently lost: nothing is left to decrypt, so no key, bought or otherwise, can bring them back.

Once launched, Anubis accepts several other command-line parameters, including ones for privilege escalation and for excluding directories. Critical system and program folders are spared so that the machine stays bootable and the ransom note can still be read. The ransomware also deletes Volume Shadow Copies, removing the local recovery points, and terminates processes that could interfere with encryption, for instance by holding files open.
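The two behaviours above that leave traces in process-creation telemetry are the ‘/WIPEMODE’ switch and the deletion of shadow copies. The following script, an added example that is not code from the article, from Trend Micro or from Anubis, runs both checks over constructed sample records and assigns each host a verdict. Only the ‘/WIPEMODE’ switch comes from the article; the pipe-delimited log layout, the sample records and the `vssadmin`/`wmic` command lines used to spot shadow-copy deletion are assumptions, since the article does not say how the copies are removed.

```python
"""Triage process-creation records for the Anubis behaviours described above.

Added example; not code from the article, from Trend Micro or from Anubis.
Only the '/WIPEMODE' switch comes from the article. The log format, the
sample records and the shadow-copy deletion command lines are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    timestamp: str
    host: str
    user: str
    image: str
    command_line: str


# Constructed sample records in an assumed "time|host|user|image|commandline"
# layout; they are not real telemetry from any incident.
SAMPLE_LOG = """\
2025-06-12T09:14:02Z|ws-17|acme\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.docx
2025-06-12T09:15:41Z|ws-17|acme\\jdoe|C:\\Users\\jdoe\\Downloads\\invoice.exe|invoice.exe /WIPEMODE
2025-06-12T09:15:44Z|ws-17|acme\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2025-06-12T09:15:45Z|ws-17|acme\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2025-06-12T09:16:00Z|ws-17|SYSTEM|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2025-06-12T09:20:13Z|ws-22|acme\\asmith|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
"""

RULES = {
    # From the article: the destructive mode is selected with /WIPEMODE.
    # Match it only as a whole switch so a file called "wipemode.txt" does
    # not trigger the rule.
    "anubis_wipemode_switch": re.compile(r"(?:^|\s)/WIPEMODE(?:\s|$)", re.IGNORECASE),
    # Assumed: the article says shadow copies are deleted but not how; these
    # are the two common ways to do it. 'vssadmin list shadows' is benign.
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b",
        re.IGNORECASE,
    ),
}


def parse_line(line: str) -> Event:
    """Split one pipe-delimited record into its five fields."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    return Event(*fields)


def match_rules(event: Event) -> list[str]:
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, pat in RULES.items() if pat.search(event.command_line)]


def triage(log_text: str) -> dict[str, dict]:
    """Group rule hits per host and attach a verdict.

    A host that shows the wiper switch and shadow-copy deletion together has
    lost both its live files and its local recovery points; that distinction
    decides whether restoring from offline backups is the only option.
    """
    findings = defaultdict(lambda: {"hits": [], "verdict": "unknown"})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for rule in match_rules(event):
            findings[event.host]["hits"].append((event.timestamp, rule, event.command_line))
    for report in findings.values():
        rules_hit = {rule for _, rule, _ in report["hits"]}
        if "anubis_wipemode_switch" in rules_hit:
            report["verdict"] = ("wiper_plus_recovery_sabotage"
                                 if "shadow_copy_deletion" in rules_hit else "wiper_only")
        elif "shadow_copy_deletion" in rules_hit:
            report["verdict"] = "recovery_sabotage_only"
    return dict(findings)


if __name__ == "__main__":
    for host, report in triage(SAMPLE_LOG).items():
        print(host, report["verdict"])
        for ts, rule, cmd in report["hits"]:
            print(f"  {ts} {rule}: {cmd}")
```

The wiper rule is anchored on the switch character so that ordinary file names containing the word do not fire, and the shadow-copy rule deliberately ignores `vssadmin list shadows`, which administrators run legitimately. In a real deployment the same patterns would be applied to the command-line field of whatever EDR or Sysmon feed is available.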

Technical details of the attack

Files are encrypted with ECIES (Elliptic Curve Integrated Encryption Scheme), a hybrid construction in which the symmetric key for each encryption is derived from an ephemeral elliptic-curve key exchange against the operator's public key, so only the holder of the operator's private key can recover it. Researchers note similarities with the EvilByte and Prince ransomware variants. Encrypted files receive the ‘.anubis’ extension, and an HTML ransom note is dropped in each affected directory.
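For an incident responder the first question on an affected share is which of the two outcomes it shows: files renamed with ‘.anubis’, which a decryption key could in principle restore, or files emptied by the wiper, which only a backup can. The script below, an added example that is not code from the article, from Trend Micro or from Anubis, walks a constructed sample tree and separates the two. The ‘.anubis’ extension and the HTML note are taken from the article; the note's file name, its contents and the sample tree are assumptions.

```python
"""Survey a directory tree for the two outcomes described above: files
encrypted by Anubis (renamed with '.anubis') and files emptied by its wiper
(name kept, size 0). Added example; not code from the article, Trend Micro or
Anubis. The '.anubis' extension and the HTML note are from the article; the
note's file name and the sample tree are assumptions.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".anubis"   # from the article
NOTE_EXT = ".html"          # the article says the note is HTML; its name is not given


def classify_file(path: Path) -> str:
    """Return 'encrypted', 'wiped_or_empty', 'ransom_note' or 'intact'."""
    suffix = path.suffix.lower()
    if suffix == ENCRYPTED_EXT:
        return "encrypted"
    if path.stat().st_size == 0:
        # A 0-byte file with its original name is what the wiper leaves behind,
        # but legitimate empty files exist too, so the per-directory ratio
        # computed in survey() matters more than any single hit.
        return "wiped_or_empty"
    if suffix == NOTE_EXT and b"anubis" in path.read_bytes().lower():
        return "ransom_note"
    return "intact"


def survey(root) -> dict:
    """Classify every file under root and summarise per directory."""
    root = Path(root)
    files = {"encrypted": [], "wiped_or_empty": [], "ransom_note": [], "intact": []}
    per_dir = {}
    for dirpath, _, names in os.walk(root):
        counts = {kind: 0 for kind in files}
        for name in names:
            p = Path(dirpath, name)
            kind = classify_file(p)
            files[kind].append(str(p.relative_to(root)))
            counts[kind] += 1
        total = sum(counts.values())
        if total:
            counts["wiped_fraction"] = counts["wiped_or_empty"] / total
            per_dir[str(Path(dirpath).relative_to(root))] = counts
    for kind in files:
        files[kind].sort()
    return {"files": files, "per_dir": per_dir}


def verdict(report: dict) -> str:
    """'encrypted' means a key could still decrypt; 'wiped' means nothing is
    left to decrypt and backups are the only way back. A directory counts as
    wiped when at least two files are empty and they make up half or more of it."""
    wiped = any(c["wiped_or_empty"] >= 2 and c["wiped_fraction"] >= 0.5
                for c in report["per_dir"].values())
    encrypted = bool(report["files"]["encrypted"])
    if wiped and encrypted:
        return "encrypted_and_wiped"
    if wiped:
        return "wiped"
    if encrypted:
        return "encrypted"
    return "no_impact_found"


def build_sample_tree() -> str:
    """Constructed throwaway tree imitating an affected share; not real data."""
    root = Path(tempfile.mkdtemp(prefix="anubis-triage-"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "budget.xlsx.anubis").write_bytes(os.urandom(64))   # encrypted
    (docs / "contract.docx").write_bytes(b"")                   # wiped: name kept, 0 bytes
    (docs / "minutes.docx").write_bytes(b"")                    # wiped
    (docs / "RESTORE-FILES.html").write_text(                   # assumed note name
        "<html><body>Your files were encrypted by Anubis</body></html>")
    (root / "readme.txt").write_text("untouched")
    return str(root)


if __name__ == "__main__":
    rep = survey(build_sample_tree())
    print(verdict(rep))
    for kind, paths in rep["files"].items():
        print(kind, paths)
```

The per-directory fraction is the useful signal: a handful of empty files scattered across a file server is normal, whereas a folder in which half the documents are 0 bytes with their names intact matches the behaviour described above and should be treated as unrecoverable without backups.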

Attacks usually begin with phishing emails carrying malicious links or attachments. The malware also tries to change the desktop wallpaper, which the researchers say often fails; when it does succeed, victims learn almost immediately that something is wrong.

Growing but limited operation

Anubis first appeared on the security radar in December 2024 and became more active in the first months of 2025. On February 23, its operators announced an affiliate program on the RAMP forum: ransomware affiliates keep 80 percent of the proceeds, partners who only run data extortion keep 60 percent, and initial access brokers receive 50 percent. That tiered model fits the modern RaaS landscape, with a role for every skill level.

The group has so far listed eight victims on its dark web leak site, so its reach is limited. The tactics, however, make any compromise disastrous: the wiper makes this new RaaS group more dangerous than many established names despite its small size. It also undermines the group's own negotiating position, because victims who realise that Anubis has already destroyed their files for good have little reason left to pay.





National Cyber Security