A new and highly destructive ransomware group known as Anubis has emerged with a dual-threat model that combines encryption with outright data destruction.
Unlike typical ransomware, Anubis not only encrypts files but also includes a "wipe mode" that destroys file contents outright, so that paying the ransom cannot bring the data back.
Active since December 2024, this Ransomware-as-a-Service (RaaS) operation has already claimed victims in sectors such as healthcare, engineering, and construction, across several countries, including Australia, Canada, Peru, and the United States.
Anubis is distinguished by its architecture and a flexible affiliate program, which make it attractive to cybercriminals.
The malware is primarily distributed through spear-phishing campaigns: emails crafted to appear to come from trusted sources, enticing recipients into opening malicious attachments or clicking on malicious links.
Once inside, Anubis takes command-line parameters that control its behavior.
It checks for administrative privileges; if it lacks them it prompts for elevation and can relaunch itself with elevated rights so that it can reach every file on the host.
It skips system and application folders, as most ransomware does so that the host remains bootable, before launching its destructive payload.
Anubis's dual-threat model is what sets it apart. In addition to encrypting files, appending the ".anubis" extension, and changing their icons, Anubis can wipe file contents when launched with its "/WIPEMODE" parameter.
The wipe leaves the files in place, but their contents are erased, so nothing remains on the host to recover. Only backups held off the affected systems can restore the data.
The wipe is paired with deletion of Volume Shadow Copies via the command vssadmin delete shadows /for=norealvolume /all /quiet, which removes the local restore points victims would otherwise fall back on. That command line is also one of the most reliable early indicators that a ransomware payload is running.
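The behaviours above (shadow copy deletion, the /WIPEMODE switch, files renamed to .anubis) are all visible in ordinary endpoint telemetry. The following is an added example, not code from the report or from Trend Micro, that runs a few hypothetical detection rules over constructed Sysmon-style process-creation and file-creation events. The event lines, the rule names and the paths are invented for the example; only the vssadmin command line, the /WIPEMODE switch and the .anubis extension come from the text.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample events, flattened to one line each in a Sysmon-like key/value style.
// They are invented for this example and are not telemetry from a real Anubis infection.
var sampleEvents = []string{
	`EventID: 1 Image: C:\Windows\System32\vssadmin.exe CommandLine: vssadmin delete shadows /for=norealvolume /all /quiet ParentImage: C:\Users\Public\update.exe`,
	`EventID: 1 Image: C:\Users\Public\update.exe CommandLine: update.exe /WIPEMODE ParentImage: C:\Windows\explorer.exe`,
	`EventID: 11 Image: C:\Users\Public\update.exe TargetFilename: C:\Users\alice\Documents\report.docx.anubis`,
	`EventID: 1 Image: C:\Windows\System32\vssadmin.exe CommandLine: vssadmin list shadows ParentImage: C:\Windows\System32\cmd.exe`,
	`EventID: 11 Image: C:\Program Files\Office\winword.exe TargetFilename: C:\Users\alice\Documents\report.docx`,
}

// rule pairs a (hypothetical) detection name with the pattern that fires it.
type rule struct {
	name string
	re   *regexp.Regexp
}

var rules = []rule{
	// Shadow copy deletion is generic, high-signal ransomware behaviour; it is not Anubis-specific.
	{"shadow-copy-deletion", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`)},
	// The /WIPEMODE switch named in the report, matched as a whole command-line token.
	{"anubis-wipemode-switch", regexp.MustCompile(`(?i)(^|\s)/WIPEMODE(\s|$)`)},
	// A file written with the .anubis extension.
	{"anubis-extension", regexp.MustCompile(`(?i)TargetFilename:\s*\S+\.anubis(\s|$)`)},
}

// Match returns the names of every rule that fires on a single event line.
func Match(event string) []string {
	var hits []string
	for _, r := range rules {
		if r.re.MatchString(event) {
			hits = append(hits, r.name)
		}
	}
	return hits
}

func main() {
	for _, ev := range sampleEvents {
		if hits := Match(ev); len(hits) > 0 {
			fmt.Printf("ALERT [%s] %s\n", strings.Join(hits, ","), ev)
		}
	}
}
```

In the sample set the first three events fire one rule each and the last two ("vssadmin list shadows", a normal .docx write) fire none. In production the shadow-copy rule should be tuned on parent process: vssadmin launched by a backup agent is routine, vssadmin launched from a user-writable path is not.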
Anubis's encryption relies on the Elliptic Curve Integrated Encryption Scheme (ECIES), implemented in Go, as in prior ransomware strains such as EvilByte and Prince.
Its use of open-source cryptographic libraries means the encryption itself is unlikely to contain a recoverable weakness: with a correctly implemented ECIES, only the holder of the operator's private key can derive the per-file keys.
The malware also attempts to change system icons and the desktop wallpaper as part of its intimidation tactics, though these features did not always work as intended in recent deployments.
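To make the point about ECIES concrete, here is an added example of the scheme in Go using only the standard library. It is my own textbook construction (ephemeral P-256 ECDH, HKDF-SHA256 written out with crypto/hmac, AES-256-GCM) and not Anubis's code; the page does not state which curve, KDF or cipher the malware uses, and the HKDF info string, the key pair names and the sample plaintext are assumptions for the example. What it shows is why the design defeats recovery: the binary only needs the operator's public key to encrypt, and nothing on the victim host can undo it without the matching private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	pubLen   = 65 // uncompressed P-256 point: 0x04 || X || Y
	nonceLen = 12 // standard AES-GCM nonce size
)

// hkdfSHA256 is RFC 5869 extract-then-expand written out with crypto/hmac so the
// example needs nothing outside the standard library.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	if salt == nil {
		salt = make([]byte, sha256.Size)
	}
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		h := hmac.New(sha256.New, prk)
		h.Write(prev)
		h.Write(info)
		h.Write([]byte{i})
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// aeadFor derives the symmetric key from the ECDH secret and returns AES-256-GCM.
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := hkdfSHA256(shared, nil, []byte("ecies-example-v1"), 32) // info string assumed for this example
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the ECIES pattern: fresh ephemeral key, ECDH against the recipient's
// long-term public key, HKDF to an AES key, AES-GCM on the data.
// Output layout: ephemeral public key || nonce || ciphertext+tag.
func Encrypt(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	out := append(append([]byte{}, ephPub...), nonce...)
	// The ephemeral public key is bound in as AAD so it cannot be swapped out.
	return gcm.Seal(out, nonce, plaintext, ephPub), nil
}

// Decrypt needs the recipient's private key: without it the shared secret, and
// therefore the AES key, cannot be recovered from the blob.
func Decrypt(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < pubLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	nonce := blob[pubLen : pubLen+nonceLen]
	return gcm.Open(nil, nonce, blob[pubLen+nonceLen:], blob[:pubLen])
}

func main() {
	// The "operator" key pair: in a ransomware deployment only the public half ships in the binary.
	operator, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(operator.PublicKey(), []byte("quarterly-accounts.xlsx contents")) // constructed sample data
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(operator, blob)
	fmt.Printf("operator private key: %q err=%v\n", pt, err)
	stranger, _ := ecdh.P256().GenerateKey(rand.Reader)
	_, err = Decrypt(stranger, blob)
	fmt.Printf("any other private key: err=%v\n", err)
}
```

Decrypting with any key other than the operator's fails the GCM tag check rather than returning garbage, which is why a correctly implemented scheme leaves no cryptanalytic shortcut; in practice ransomware wraps a random per-file symmetric key this way rather than the file itself, but the dependency on the private key is the same.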
To counter Anubis, organizations need a comprehensive, layered security approach.
Security experts recommend solutions such as Trend Vision One™, which uses AI-driven threat intelligence and centralized risk management to detect and block Anubis's indicators of compromise.
Trend claims a 92% reduction in ransomware risk and rapid detection, and holds this up as the kind of proactive defense required against today's most destructive cyberthreats.
Anubis represents a dangerous evolution in ransomware, combining data theft, encryption, and irreversible destruction.
Its affiliate model and multi-layered extortion strategies are built for rapid spread and maximum damage; only a vigilant, informed, and proactive defense can limit it.