Up-and-coming ransomware group Anubis has tweaked its malware to irrevocably wipe victims’ data


Move Raises Possibility Group Isn’t Just Marketing Its Malware to Criminals


June 17, 2025

Bas-relief of the god Anubis in the Temple of Seti I at Abydos, Egypt. (Image: hemro/Shutterstock)

Up-and-coming ransomware group Anubis has tweaked its malware to irrevocably wipe victims’ data – an unusual tactic from hackers whose typical corrupt bargain is restored data in exchange for extortion money.


The Russian-speaking ransomware-as-a-service group’s malware now includes “a file-wiping feature, designed to sabotage recovery efforts even after encryption,” says a report from Trend Micro.

“In my opinion, it goes against the ransomware business model,” said John Fokker, head of threat intelligence at Trellix. In part, he said, wiping doesn’t provide any additional “real type of leverage” for attackers as they negotiate with victims in pursuit of receiving a ransom payment.

For users of Anubis, Trend Micro said the malware’s parameters include the ability to elevate privileges, specify which directories to exclude, as well as any specific paths to encrypt. A new parameter is /WIPEMODE, which will wipe files at the time of infection, leaving their filenames intact but overwriting all contents and reducing their file size to zero kilobytes.
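As an added illustration of a defender-side check (not code from the Trend Micro report or from the malware): comparing a pre-incident file inventory against a current scan to flag directories where files keep their names but have dropped to zero bytes, the footprint described above. The paths and sizes are constructed sample data, and the threshold values are assumptions.

```python
import posixpath
from pathlib import Path

# Constructed baseline inventory (path -> size in bytes), as a file-integrity
# tool would have recorded it before the incident. Values are hypothetical.
BASELINE = {
    "finance/q1_report.xlsx": 48213,
    "finance/invoices.pdf": 912004,
    "finance/notes.txt": 0,        # legitimately empty before the incident
    "hr/contracts.docx": 77120,
    "hr/benefits.pdf": 301222,
    "it/readme.md": 1840,
}

# Constructed post-incident scan of the same paths: names unchanged, but
# every file under finance/ and hr/ now reports zero bytes.
CURRENT = {
    "finance/q1_report.xlsx": 0,
    "finance/invoices.pdf": 0,
    "finance/notes.txt": 0,
    "hr/contracts.docx": 0,
    "hr/benefits.pdf": 0,
    "it/readme.md": 1840,
}

def inventory(root):
    """Build a path -> size map from a real directory tree (for live use)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.stat().st_size
            for p in root.rglob("*") if p.is_file()}

def zeroed_files(baseline, current):
    """Paths that had content in the baseline but are now zero bytes under the same name."""
    return sorted(p for p, size in baseline.items()
                  if size > 0 and current.get(p) == 0)

def dir_counts(baseline, current):
    """Per directory: (files with content in the baseline, how many are now zero bytes)."""
    counts = {}
    for p, size in baseline.items():
        if size <= 0 or p not in current:
            continue  # skip legitimately empty files and files that no longer exist
        d = posixpath.dirname(p)
        total, zeroed = counts.get(d, (0, 0))
        counts[d] = (total + 1, zeroed + (current[p] == 0))
    return counts

def alert_dirs(baseline, current, threshold=0.5, min_files=2):
    """Directories where at least `threshold` of previously non-empty files are now empty."""
    return sorted(d for d, (total, zeroed) in dir_counts(baseline, current).items()
                  if total >= min_files and zeroed / total >= threshold)
```

A true encryptor leaves files roughly the same size or larger (often renamed), so a mass drop to zero bytes with names intact points at the wipe behaviour rather than encryption.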

All of these settings “get set at the time of generating the executable that will be used to infect the company,” David Sancho, a senior threat researcher at Trend Micro, told me.

He said Anubis regularly exfiltrates data from a victim before unleashing its malware. As part of the ransomware negotiations, the group sends a summary of the stolen data – possibly generated using artificial intelligence tools – and threatens to release it publicly to various data protection agencies, he said.

The wiper capability fits the ransomware’s name: Anubis is the Egyptian god of the afterlife and mummification, often represented as an anthropomorphized jackal.

Anubis ransomware first appeared in December 2024, and since then has claimed a growing number of victims. Threat intelligence firm Kela said in a February report the group appears to be the work of former ransomware group affiliates. The group also has a presence on the RAMP and XSS cybercrime forums (see: Ransomware Attacks Appear to Keep Surging).

The ransomware appears to share no connection to the eponymously named mobile malware. Back in 2018, Sophos noted that the Anubis mobile malware’s creator built a ransomware component designed to forcibly encrypt Android files, giving them a .Anubiscrypt extension. Code for that malware leaked online in 2019, spawning spinoffs such as the Godfather banking Trojan, which mimics the appearance of hundreds of financial and cryptocurrency exchange applications.

Business Questions

Why online extortionists would want to embalm files by leaving a shell with nothing inside – courtesy of the wiping feature – is an open question.

The attackers’ playbook has long included encrypting files and demanding victims pay for a decryptor. Countdown timers on infected systems add to the pressure, with attackers offering “discounts” for organizations that pay quickly. Victims often under-report such attacks, making it harder for law enforcement to track and blunt their commonly used tactics.

If an attacker sets a system to be wiped even after a victim pays, what impetus would any future victims of Anubis have to pay, even if they weren’t able to restore from backups? In theory, they might pay for a promise from attackers to not publicize the attack. But if the company can’t restore its systems from backups, nor decrypt files because they’ve been wiped, then it’s going to have bigger problems.

Wipers have historically played no part in any financially motivated ransomware attacks. The inclusion of such a capability “makes me wonder who the customers of Anubis are,” Fokker said.

Wipers have previously featured in high-profile attacks, including against Saudi Aramco in 2012, attributed to Iran, which bricked tens of thousands of workstations. Another major wiper attack involved Russia’s NotPetya fake ransomware, which caused an estimated $10 billion in global damages.

On the opening day of Russia launching its war of conquest against Ukraine in February 2022, Moscow again unleashed a wiper, in the form of AcidRain malware, permanently disabling tens of thousands of Viasat KA-SAT satellite communications network consumer broadband modems across Eastern Europe. While damaging, that and other destructive malware deployed by Moscow early in the conflict, before apparently depleting its wiper reserves, failed to give Russian forces an edge.

Given that the traditional users of wipers have been nation-state groups, it’s possible Anubis now seeks to expand its customer base and appeal to hacking teams who might want to make disruptive efforts appear to be the work of criminals.

The Kremlin is famously tolerant of the active cybercriminal underground operating inside its borders. Direct connections exist between some groups and Russian intelligence agencies (see: Evil Corp Protected by Ex-Senior FSB Official, Police Say).

The extent to which the Russian government actually treats cyber criminals as deniable auxiliaries – as opposed to useful annoyances to Western foes – isn’t entirely clear, despite the occasional surfacing of direct evidence. Which is how the Kremlin probably likes it. And how Anubis probably likes it, too.


