Five ransomware groups posted seven victims across four countries on June 5 in a multi-sector posting batch distinguished by one capability that separates Anubis from the rest: a wiper mode that permanently destroys file contents rather than encrypting them, eliminating the possibility of recovery entirely. Anubis claimed Jeffrey Burr, a US estate planning and business law firm, and D&M Contractors in the UK — targets whose data is irreplaceable in ways that amplify the threat of permanent erasure well beyond the victimized organizations.
Anubis WIPEMODE: Permanent Erasure at Jeffrey Burr Law Firm and D&M Contractors
Standard ransomware operates on an extortion premise: files are encrypted, a key exists, and payment delivers recovery. Anubis’s optional /WIPEMODE parameter eliminates that premise by permanently overwriting file contents to zero kilobytes. The files remain listed in directory structures but their contents are irrevocably destroyed — no decryption key exists, no backup restores them, and no forensic technique recovers the original data. Anubis deploys wiper activation as a second-stage pressure tactic against victims who refuse to enter ransom negotiations, converting a reversible situation into an irreversible one at the operator’s discretion.
Anubis’s 77-Victim RaaS Model and the WIPEMODE Pressure Escalation
Anubis emerged as a ransomware-as-a-service operation in December 2024 and has claimed 77 victims as of early June 2026, with 43 in the United States. Its documented sector targeting spans healthcare, construction, legal services, and engineering — organizations that hold sensitive or operationally critical data with limited capacity for extended disruption. The WIPEMODE capability is not a default behavior; it is a negotiation instrument, escalated when a victim fails to respond to initial ransom contact. For organizations that cannot afford to lose their data under any circumstances, the mere existence of the wiper option fundamentally changes whether non-payment is viable.
Why WIPEMODE Against Jeffrey Burr Estate Records Creates Irreversible Client Harm
Jeffrey Burr — identified in Anubis’s posting as likely the Jeffrey Burr Estate Planning and Business Law firm in Las Vegas, Nevada — holds wills, trust documents, family asset inventories, estate plans, and multi-generational financial records for its clients. This documentation is legally privileged and, in many cases, uniquely irreplaceable: no copy exists anywhere except at the firm and potentially in clients’ own files. If Anubis activates WIPEMODE, the destruction of those records harms not only the law firm but the clients whose estates and beneficiaries depend on the existence of that documentation. Estate planning clients did not authorize their attorneys to expose their records to a ransomware group that can delete them on command. D&M Contractors, the UK construction firm also claimed by Anubis, holds engineering drawings, subcontract agreements, and project financial records — documents that similarly cannot be regenerated after permanent erasure.
Nova Ransomware Claims Aspire Hospital India Under New DPDPA Enforcement
Nova ransomware’s claim of Aspire Hospital in India extends the group’s geographic reach — which has previously included Russian, Latin American, and Indonesian targets — into South Asian healthcare. The hospital claim is the group’s first documented victim in India’s healthcare sector.
Indian hospitals are now subject to the Digital Personal Data Protection Act, with enforcement underway. A ransomware attack against an Indian healthcare provider under this framework creates dual exposure: direct patient-care consequences from disrupted hospital systems and regulatory breach notification obligations that carry financial penalties. The DPDPA’s application to healthcare data in India represents a relatively recent legal formalization; Nova’s posting of Aspire Hospital tests how that framework responds to ransomware-caused healthcare data breaches in a sector that has historically operated without formal data protection requirements.
Securotrop Claims Kriete Truck Centers in Transportation Sector Attack
Securotrop, a less-documented ransomware group in an apparent operational active phase, posted Kriete Truck Centers — a US commercial truck dealership operation — as part of the same June 5 batch. Commercial truck dealerships hold fleet purchase agreements, vehicle financing records for commercial operators, VIN-linked service histories, and fleet operator financial data. This data category is commercially valuable for extortion targeting transportation sector businesses and their operators.
The June 5 posting batch — spanning Anubis, Nova, Securotrop, Akira, and Incransom across US, UK, Indian, and other targets — reflects the decentralized, industrial cadence of ransomware operations in which multiple independent groups conduct unrelated attacks simultaneously. The operative distinction in the batch is Anubis: a group whose destructive capability is not a malfunction or an escalation of last resort, but a deliberate instrument available to any operator who pays for access to the RaaS platform.
