Overview
Anubis is a newly emerged Ransomware-as-a-Service (RaaS) operator active since December 2024. It uniquely combines double‑extortion—encrypting and exfiltrating data—with an optional file-wiping mechanism (/WIPEMODE) that zeroes out files post-encryption, making recovery nearly impossible. Anubis targets Windows, Linux, NAS, and ESXi systems across sectors—including healthcare, construction, and hospitality—in Australia, Canada, Peru, the U.S., and beyond. 
Known Aliases
- Sphinx (development codename)
- superSonic (RAMP forum handle)
- Anubis__media (XSS forum handle)
Country of Origin
- Likely Russian-speaking operators, based on affiliate posts on the RAMP and XSS forums.
Known Attacks & Victims
- Dec 29, 2024 – First claimed victim: Pound Road Medical Centre, Australia.
- ~7 victims listed on the Anubis leak site by mid‑2025, including organizations in healthcare, construction, engineering, and hospitality across Australia, Canada, Peru, and the U.S.; full details remain undisclosed.
Common Infiltration Methods
- Spear‑phishing: Malicious attachments or links introducing executable payloads.
- Privilege elevation: Checks for admin rights; uses token manipulation to gain SYSTEM privileges.
- Shadow copy deletion: Removes recovery points before encryption.
- Execution options: Offers parameters such as /KEY=, /elevated, /WIPEMODE, and /PATH= for target control.
- File wiping: Executes wipe mode to zero files—while retaining names and structure—to deepen impact.
MITRE ATT&CK Tactics & Techniques
| Tactic | Technique | ID | 
|---|---|---|
| Initial Access | Phishing via spear-phishing attachments/links | T1566 | 
| Execution | Command and scripting interpreter | T1059 | 
| Defense Evasion | Valid Accounts | T1078 | 
| Privilege Escalation | Access Token Manipulation | T1134.002 | 
| Defense Evasion | Obfuscated files/information | T1027 | 
| Defense Evasion | Disabling shadow copies | T1070.004 | 
| Defense Evasion | Sandbox/virtualization detection | T1497 | 
| Impact | Data encryption (ECIES algorithm; .anubis extension) | T1486 | 
| Impact | Data wiping (wipe mode parameter /WIPEMODE) | — | 
Malware Strains Used
- Anubis Ransomware – Modular cross-platform encryptor/wiper using ChaCha + ECIES encryption; supports Windows, Linux, NAS, ESXi.
- Formerly known as Sphinx in early development stages.
Indicators of Compromise (IOCs)
File Extensions & Ransom Notes
- Encrypted files: *.anubis
- Ransom note: HTML files (e.g., README.html)
Command-line Parameters
Monitored operations include the command line `/KEY=<30+ alphanumeric> /WIPEMODE` and the flags `/elevated`, `/PATH=`, and `/EXCLUDE=`.
Behavioral Patterns
- Shadow copy deletion
- Sandbox/virtualized environment detection
- Attempted desktop wallpaper changes
IOC Handling in Trend Micro
Trend Vision One detects process command-line patterns such as:
`processCmd: /\/KEY=[A-Za-z0-9]{30,} \/(?:WIPEMODE|elevated)/`
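The following is an added example, not code from the original profile or from Trend Micro: it runs the command-line pattern quoted above over constructed process-creation events, and also flags the file-system IOCs the profile lists (a burst of renames to the `.anubis` extension and creation of a `README.html` ransom note). The event tuple format, host names, paths, and the `rename_threshold` parameter are assumptions made for this example.

```python
"""
Added example (not part of the original profile): apply the documented
command-line regex and file IOCs to constructed endpoint telemetry.
"""
import re
from collections import Counter

# Pattern as quoted in the profile: a /KEY= value of 30+ alphanumerics
# followed by either /WIPEMODE or /elevated.
ANUBIS_CMDLINE = re.compile(r"/KEY=[A-Za-z0-9]{30,} /(?:WIPEMODE|elevated)")

# IOCs listed in the profile.
ENCRYPTED_EXT = ".anubis"
RANSOM_NOTE = "README.html"  # profile gives this as an example note name

# Constructed sample telemetry: (event_type, host, detail). None of these
# values are real observations.
SAMPLE_EVENTS = [
    ("process", "ws01", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("process", "ws01",
     r"C:\Users\Public\update.exe /KEY=ABCDEFGHIJKLMNOPQRSTUVWXYZ123456 /WIPEMODE"),
    ("process", "ws02", r"C:\tmp\a.exe /KEY=short /elevated"),
    ("file_rename", "ws01",
     r"C:\Users\alice\Documents\q3.xlsx -> C:\Users\alice\Documents\q3.xlsx.anubis"),
    ("file_rename", "ws01",
     r"C:\Users\alice\Documents\plan.docx -> C:\Users\alice\Documents\plan.docx.anubis"),
    ("file_create", "ws01", r"C:\Users\alice\Documents\README.html"),
    ("file_rename", "ws02", r"C:\data\report.pdf -> C:\data\report.pdf.bak"),
]


def match_cmdline(cmdline: str) -> bool:
    """True when a process command line matches the profile's regex."""
    return bool(ANUBIS_CMDLINE.search(cmdline))


def analyze(events, rename_threshold: int = 2):
    """Return (host, alert_name, detail) tuples for the three IOC classes.

    rename_threshold is an assumed tuning knob: how many renames to the
    .anubis extension on one host count as an encryption burst.
    """
    alerts = []
    renames = Counter()
    note_hosts = set()
    for kind, host, detail in events:
        if kind == "process" and match_cmdline(detail):
            alerts.append((host, "anubis_cmdline", detail))
        elif kind == "file_rename" and detail.lower().endswith(ENCRYPTED_EXT):
            renames[host] += 1
        elif kind == "file_create" and detail.split("\\")[-1] == RANSOM_NOTE:
            note_hosts.add(host)
    for host, n in renames.items():
        if n >= rename_threshold:
            alerts.append((host, "anubis_extension_burst",
                           f"{n} renames to {ENCRYPTED_EXT}"))
    for host in sorted(note_hosts):
        alerts.append((host, "ransom_note_dropped", RANSOM_NOTE))
    return alerts


if __name__ == "__main__":
    for host, name, detail in analyze(SAMPLE_EVENTS):
        print(f"{host}\t{name}\t{detail}")
```

Note that the quoted regex requires the key and the mode flag in that exact order, separated by a single space, so a command line with the flags reordered or additional parameters in between would not match; a production rule would normally match on the `/KEY=` length and the presence of `/WIPEMODE` or `/elevated` anywhere in the line. The rename threshold of 2 only suits the tiny sample here; real burst detection uses a higher count within a time window.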
Infrastructure
- Affiliate handles: superSonic (RAMP), Anubis__media (XSS)
Additional Details
- Affiliate model: Offers revenue splits of 80% (ransomware), 60% (data extortion), 50% (access monetization).
- Targets broad platforms: Supports Windows, Linux, NAS, ESXi; includes self-propagation across domains.
- Forum presence: Operators active on Russian-speaking forums (“superSonic” on RAMP, “Anubis__media” on XSS).
- Leak site: An onion blog lists seven victims; data extortion is used to pressure payment.
- Dual threat: Encryption coupled with destructive wiping raises the stakes and potentially appeals to destructive affiliates or nation-state actors.