Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
June 13, 2025, 8:20 p.m.
Description
Anubis is a new ransomware-as-a-service (RaaS) group that combines file encryption with file destruction capabilities. Active since December 2024, it features a 'wipe mode' that permanently erases files, making recovery impossible even if the ransom is paid. The group operates a flexible affiliate program, offering negotiable revenue splits and supporting additional monetization paths such as data extortion and access sales. Anubis has claimed victims in multiple sectors, including healthcare and construction, across regions such as Australia, Canada, Peru, and the U.S. The ransomware uses spear-phishing for initial access and employs command-line execution, privilege escalation, and shadow copy deletion. Its encryption algorithm is similar to that of the EvilByte/Prince ransomware, using the Elliptic Curve Integrated Encryption Scheme (ECIES).
Date
- Created: June 13, 2025, 2:04 p.m.
- Published: June 13, 2025, 2:04 p.m.
- Modified: June 13, 2025, 8:20 p.m.
Additional Information
- Construction
- Healthcare
- Australia
- Peru
- Canada
- United States of America