A new ransomware group called Anubis has emerged as a significant threat in the cybersecurity landscape, targeting both Android and Windows systems with sophisticated attack methods.
First identified in November 2024, this dual-platform malware represents a growing trend in the ransomware ecosystem, which saw attacks rise by almost 25% in 2024 according to recent threat intelligence data.
Cross-Platform Capabilities Pose Dual Threat
Anubis demonstrates remarkable versatility by operating differently across platforms. On Android devices, it functions primarily as a banking trojan, employing phishing overlays to display counterfeit login interfaces over legitimate applications.
The malware captures user credentials through screen recording and keylogging capabilities, while simultaneously propagating itself via mass SMS messages sent to the victim’s contacts.
In more severe cases, it can lock devices entirely and display ransom demands. On Windows systems, Anubis operates as a comprehensive Ransomware-as-a-Service (RaaS) offering.
The malware encrypts files using the Elliptic Curve Integrated Encryption Scheme (ECIES) and employs privilege escalation techniques through access token manipulation.
Particularly concerning is its destructive capability: victims have reported permanent data deletion even after ransom payments were made, suggesting the group uses this tactic to increase pressure and deter payment delays.
Sophisticated Business Model Targets Critical Infrastructure
The ransomware group has implemented a distinctive affiliate payment structure with multiple monetization options.
In standard operations, affiliates retain 80% of ransom proceeds, while Anubis collects 20% for providing tools and infrastructure.
For attacks involving data theft and extortion campaigns, the group increases its share to 40%. When providing direct assistance during negotiations, revenue is split equally between Anubis and affiliates.
Security researchers have observed the group communicating in Russian on dark web forums, though no specific regional attribution has been confirmed.
Anubis has demonstrated a particular focus on critical infrastructure and high-value targets, including healthcare organizations, construction companies, and professional services firms across the United States, France, Australia, and Peru.
Healthcare Sector Under Active Attack
The group gained significant attention following a November 2024 attack on an Australian healthcare provider, where patient data, including contact information, medical records, and Medicare details, were potentially compromised.
This incident marked Anubis’s public emergence and highlighted the healthcare sector’s vulnerability to such attacks.
The rise of groups like Anubis reflects broader trends in the cybercriminal ecosystem, where the number of ransomware group leak sites grew by 53% in 2024.
Security experts recommend implementing multi-factor authentication, robust endpoint detection systems, and comprehensive user education programs to defend against these evolving threats.