Anubis RaaS Malware: The Double-Edged Threat in the Cybercrime Underworld


A Different Breed of Digital Menace

A ransomware strain known as Anubis is making waves across the cybersecurity landscape for its rare and dangerous combination of encryption and file destruction functionalities. Unlike conventional ransomware that typically encrypts data and demands a ransom for its release, Anubis also introduces a mode that irreversibly wipes data, leaving no chance of recovery—even if victims decide to pay.

First detected in December 2024, Anubis has already claimed victims in sectors as varied as healthcare, hospitality, and construction. Targets have been reported in countries including the United States, Canada, Australia, and Peru. This broad spectrum of victims highlights the malware's opportunistic nature and global scope.

What Sets Anubis Apart

Anubis operates under a ransomware-as-a-service (RaaS) model, allowing different actors, or "affiliates," to use the malware in exchange for a cut of the profits. What's particularly notable about this operation is its flexibility. Affiliates are offered customizable revenue-sharing options: 80% for ransom payments, 60% for data extortion schemes, and a 50-50 split for selling access to compromised systems.

The malware's dual-threat capability comes via a specific command-line parameter—WIPEMODE—that allows attackers to wipe files permanently. This process renders files unusable by reducing them to 0 kilobytes while preserving the original names and extensions, creating an illusion of intact files. This tactic increases pressure on victims, making them more likely to comply quickly with ransom demands in the hope of salvaging data that is already lost.
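The wipe behaviour described above (zero-byte files that keep their names and extensions) is easy to miss in a quick listing, because the directory still looks populated. The following triage helper is an added example written for this article, not code from the article and not Anubis code: it walks a tree, lists every zero-length file, and flags directories where most of the data-format files are empty, which distinguishes a wiped share from a stray empty file. The demo tree, its file names and the extension list are constructed.

```python
"""Triage helper for the wipe pattern described above: files truncated to zero
bytes but still carrying their original names and extensions. Added example
written for this article; it is not code from the article and not Anubis code.
The demo directory tree, file names and extension list are constructed."""
import os
import tempfile
from collections import Counter

# Assumption: these formats carry a mandatory header, so a zero-byte file with
# one of these extensions is almost never legitimate. Tune to the environment.
DATA_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip", ".db", ".bak"}


def scan(root, threshold=0.5):
    """Walk root and return (zero_byte_files, flagged_dirs).

    zero_byte_files: every zero-length file found, as a path relative to root.
    flagged_dirs: {relative_dir: (zero_count, data_file_count)} for directories
    in which at least `threshold` of the data-format files are empty, i.e. the
    'names intact, content gone' signature rather than one stray empty file.
    """
    zero_byte_files = []
    zero_by_dir = Counter()
    total_by_dir = Counter()
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                size = os.stat(path).st_size
            except OSError:  # unreadable entry: skip rather than abort triage
                continue
            if size == 0:
                zero_byte_files.append(os.path.relpath(path, root))
            if ext in DATA_EXTENSIONS:
                total_by_dir[rel_dir] += 1
                if size == 0:
                    zero_by_dir[rel_dir] += 1
    flagged_dirs = {
        d: (zero_by_dir[d], total)
        for d, total in total_by_dir.items()
        if zero_by_dir[d] / total >= threshold
    }
    return zero_byte_files, flagged_dirs


def build_demo_tree():
    """Create a constructed layout: 'reports' looks intact but every document
    is empty; 'photos' has one stray empty file among live ones."""
    root = tempfile.mkdtemp(prefix="wipe_triage_")
    layout = {
        "reports/q1.docx": b"",
        "reports/q2.xlsx": b"",
        "reports/readme.txt": b"",            # empty text file, not a data format
        "photos/a.jpg": b"\xff\xd8\xff\xe0",  # JPEG header bytes, a live file
        "photos/b.png": b"",
        "photos/c.jpg": b"\xff\xd8\xff\xe0",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    empties, flagged = scan(demo_root)
    print(f"{len(empties)} zero-byte files under {demo_root}")
    for d, (z, t) in sorted(flagged.items()):
        print(f"  suspicious: {d}/ ({z} of {t} data files are empty)")
```

On the constructed tree the script reports four empty files and flags only `reports`, where both documents are empty, while `photos` (one empty file in three) stays below the threshold. In a real incident the flagged directories tell you which data is gone before anyone negotiates over it.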

Sophistication Without Connections

Despite sharing a name with previous malware strains and tools—including an Android banking trojan and a Python-based backdoor associated with the notorious FIN7 group—this Anubis variant appears to be entirely unrelated to those threats. Instead, it represents a standalone operation, likely developed independently, with a focus on maximizing impact through stealth and persistence.

Initial investigations suggest the malware was originally named Sphinx during early testing phases, later rebranded as Anubis for public deployment. The developers appear to be deliberately distancing themselves from prior malware bearing the same name, possibly to avoid confusion or attribution.

Delivery Methods and Attack Chain

Anubis typically infiltrates systems via phishing emails, a common entry point in many modern cyberattacks. Once inside a network, the malware operators move quickly: escalating user privileges, surveying the system, and deleting volume shadow copies—Windows' built-in file backup mechanism—before proceeding to encrypt or wipe data.

These coordinated steps illustrate a calculated approach designed not just to steal or lock data but to eliminate safety nets, making remediation difficult and further tightening the pressure on victims to negotiate.
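The shadow copy deletion step is the most detectable moment in the chain described above, because it has to run a well-known administrative command before the encryption or wipe begins. The following detector is an added example for this article, not code from the article; the article does not state which commands the Anubis operators use, so the patterns are the commonly documented shadow-copy tampering commands tracked under MITRE ATT&CK T1490 (Inhibit System Recovery). The process-creation events are constructed, loosely modelled on Sysmon Event ID 1 fields.

```python
"""Detection over process-creation events for shadow-copy deletion (MITRE
ATT&CK T1490). Added example for this article, not code from the article.
The rules cover commonly documented commands, not commands attributed to
Anubis specifically; the sample events below are constructed."""
import json
import re

# Each rule: compiled pattern over the command line, plus a label for the alert.
SHADOW_COPY_RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I), "vssadmin resize shadowstorage"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I), "WMI Win32_ShadowCopy delete"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I), "wbadmin delete catalog"),
]

# Constructed sample events: three tampering commands, two benign ones.
SAMPLE_EVENTS = [
    {"Computer": "WS-FIN-07", "User": r"CORP\jdoe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS-FIN-07", "User": r"CORP\backupsvc",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"Computer": "SRV-FILE-02", "User": r"CORP\jdoe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"Computer": "WS-HR-11", "User": r"CORP\asmith",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe budget.txt"},
    {"Computer": "SRV-FILE-02", "User": r"CORP\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]  # JSON-lines log feed


def detect(lines):
    """Return one alert per event whose command line matches a rule.

    Malformed lines are skipped so one bad record cannot stall the feed.
    """
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        command = event.get("CommandLine", "")
        for pattern, label in SHADOW_COPY_RULES:
            if pattern.search(command):
                alerts.append({
                    "host": event.get("Computer"),
                    "user": event.get("User"),
                    "rule": label,
                    "command": command,
                })
                break  # one alert per event is enough
    return alerts


def hosts_with_tampering(alerts):
    """Distinct hosts that need shadow copies and backups verified."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_LINES)
    for a in found:
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['command']}")
    print("hosts to check:", ", ".join(hosts_with_tampering(found)))
```

Over the constructed feed the detector raises three alerts (the `vssadmin delete`, `wmic` and PowerShell WMI variants) and ignores the harmless `vssadmin list shadows` and `notepad` events. Wired to real process-creation telemetry, an alert here is the point at which isolating the host still protects the data that would otherwise be encrypted or wiped minutes later.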

Broader Implications for Businesses and Individuals

The emergence of ransomware strains like Anubis signals a troubling evolution in cybercrime. The blend of data encryption and irreversible destruction means that organizations can no longer assume that paying a ransom will guarantee data recovery. It also underscores the need for stronger backup strategies, multi-layered cybersecurity defenses, and better phishing awareness training among employees.

The use of RaaS platforms further complicates the landscape, as it enables even low-skilled actors to participate in sophisticated attacks, significantly broadening the range of potential threats.

An Urgent Call for Preparedness

While Anubis currently appears to be limited to specific industries and geographic regions, its features suggest it could spread more widely if left unchecked. The RaaS model, with its generous revenue-sharing and customizable deployment options, makes it an attractive tool for would-be attackers worldwide.

This development is a timely reminder for organizations to review their cybersecurity policies, invest in detection tools, and—most importantly—maintain secure, offline backups of critical data. In an environment where digital threats continue to evolve, preparedness is not just a best practice—it's a necessity.

Final Thoughts

Anubis represents a shift in ransomware strategy, where extortion is no longer the only goal—destruction now plays a central role. As cybercriminal tactics evolve, so too must our defenses. Staying informed, alert, and proactive will be essential in navigating this new chapter in the ever-changing cybersecurity landscape.

June 17, 2025
