Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper | Trend Micro US
Ransomware

Anubis is an emerging ransomware-as-a-service (RaaS) group that adds a destructive edge to the typical double-extortion model with its file-wiping feature. We explore its origins and examine the tactics behind its dual-threat approach.

By Maristel Policarpio, Sarah Pearl Camiling, Sophia Nilette Robles
June 13, 2025
A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025. Anubis is a recently identified group that sets itself apart by pairing encryption with a more destructive capability: wiping directories, which severely reduces the chances of file recovery. Given its brief history and its use of a multilayered extortion model, Anubis has all the markings of an evolving and flexible RaaS operation.

Trend Research has observed specific command-line operations for these destructive actions, including attempts to change system settings and wipe directories. This entry takes a closer look at these capabilities.

Anubis joined X (formerly Twitter) in December 2024. Around the same time, our team identified a sample called Sphinx, which appeared to be in development, as evidenced by its ransom note lacking both a TOR site and a unique ID (Figure 1).

When we compared the binaries of Anubis and Sphinx, they were nearly identical, with only a minor difference: the function that generates the ransom note. These observations suggest that while the core of the malware remained the same, the messaging and branding were updated for the malware's eventual debut as Anubis.

By 2025, Anubis had officially become active on cybercrime forums. Representatives of Anubis have been observed on both RAMP and XSS, using the monikers "supersonic" and "Anubismedia" respectively. Both accounts posted in Russian.

On February 23, 2025, superSonic advertised a new format of affiliate programs on the RAMP forum. All of their proposed revenue-share structures are open to negotiation for long-term cooperation. Other research has already covered the group's RAMP posting, which outlines Anubis's capabilities along with the structure of their affiliate programs. This is notable because the group appears to go beyond typical RaaS and double extortion for monetization, offering additional affiliate programs such as a data ransomware affiliate program and an access monetization affiliate program.

In terms of activity, seven victims have been listed on the group's leak site as of writing. The group has targeted a range of industries, including healthcare, engineering, and construction, across multiple regions such as Australia, Canada, Peru, and the United States. The wide range of targets suggests an opportunistic approach across different regions and industries.

What further sets Anubis apart from other RaaS operations, and lends an edge to its operations, is its use of a file-wiping feature designed to sabotage recovery efforts even after encryption. This destructive tendency adds pressure on victims and raises the stakes of an already damaging attack. Figure 2 outlines the techniques Anubis uses to deliver, execute, and enforce this dual-threat behavior.

Initial Access

T1566 Phishing

The initial entry vector is established through spear-phishing emails that include malicious attachments or links. These emails are carefully constructed to appear as if they come from trusted sources, luring recipients into opening the attachments or clicking the links.

Execution

T1059 Command and Scripting Interpreter

The ransomware takes multiple parameters as input and depends on them to function properly.

Table 1. Anubis parameters

Defense Evasion

T1078 Valid Accounts

The process first checks for admin privileges and, if they are detected, displays the message "Admin privileges detected. Attempting to elevate to SYSTEM."

Otherwise, it prompts the user with "No admin privileges. Start process anyway?" and waits for input, while also having the capability to relaunch itself with the "elevated" parameter upon gaining higher privileges. These interactive prompts show that the malware is still being improved and developed.

Privilege Escalation

T1134.002 Access Token Manipulation: Create Process with Token

The program determines whether the current user has administrative privileges by attempting to access the system's primary physical drive, typically referred to as PHYSICALDRIVE0. This is a low-level operation that generally requires elevated permission: only a user with administrative rights can open the main hard drive of the computer this way.

Discovery

T1083 File and Directory Discovery

Here is the list of folders avoided during encryption.

Impact

T1490 Inhibit System Recovery

The ransomware runs the command "vssadmin delete shadows /for=norealvolume /all /quiet" to delete all Volume Shadow Copies on the specified drive, thereby inhibiting the ability to restore files from previous versions.

T1489 Service Stop

For a full list of terminated processes and disabled or stopped services, refer to the list of Indicators of Compromise (IoCs).

T1486 Data Encrypted for Impact

The encryption uses the Elliptic Curve Integrated Encryption Scheme (ECIES) through a library that is publicly available on GitHub and written in Go.

Upon checking the ECIES library, its encryption algorithm is similar to that used by the EvilByte/Prince ransomware.

Drops Icons and Wallpaper Image

The code extracts two files, icon.ico and wall.jpg, from the program and saves them to the computer's C:\ProgramData folder.

It modifies the icons of encrypted files to use its logo instead, which is shown in Figure 9.

It also attempts to change the wallpaper using a file named wall.jpg, but this action failed in our testing since no such file was dropped.

The Anubis ransom note employs a double extortion strategy, threatening to publicly release stolen data if their demands are not fulfilled.

T1485 Data Destruction

Wiper

Additionally, the ransomware includes a wiper feature, enabled with the WIPEMODE parameter, which permanently deletes the contents of a file, preventing any recovery attempt.

Figures 14 and 15 show the before and after of using wipe mode, which erases the contents of the file.

Table 2. Summary of TTPs used by Anubis

The emergence of Anubis marks a significant evolution in the landscape of cyberthreats, particularly with its dual-threat ransomware capabilities and flexible affiliate programs. By combining RaaS with added monetization strategies, such as the data ransomware and access monetization affiliate programs, Anubis is maximizing its revenue potential and expanding its reach within the cybercriminal ecosystem. Its ability to both encrypt and permanently destroy data significantly raises the stakes for victims, amplifying the pressure to comply, just as strong ransomware operations aim to do.

Given the tactics discussed, such as spear-phishing, command-line execution, privilege escalation, shadow copy deletion, and file wiping, security measures that address these are critical in defending against Anubis. Additionally, maintaining offline and off-site backups can help mitigate the impact of Anubis's wiping capabilities.

To proactively defend against attacks utilizing Anubis ransomware, enterprises should implement a comprehensive security strategy that includes the following best practices.

Trend Vision One is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you're enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.

To stay ahead of evolving threats, Trend customers can access Trend Vision One Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors.

Emerging Threats: Anubis Ransomware: The Dual Threat of Encryption and Destruction

Anubis Ransomware: The Dual Threat of Encryption and Destruction

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment.

Detection of Potentially Malicious Command Execution

processCmd: KEY [A-Za-z0-9]{30} WIPEMODE elevated

More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.

The indicators of compromise for this entry can be found here.

Maristel Policarpio

Threat Analyst

Sarah Pearl Camiling

Threat Hunter

Sophia Nilette Robles

Threat Analyst
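The post's T1490 section (the "vssadmin delete shadows" command), its description of the elevated and WIPEMODE parameters, and the Search App query on process command lines all come down to the same detection idea: flag process-creation events whose command line carries shadow-copy deletion or the Anubis switch pattern, then correlate them per host. The following script is an added example written for this page, not code from Trend Micro or from the Search App. The log format, host names, and the exact switch spellings /KEY=, /WIPEMODE and /elevated are assumptions made for the example (the post only shows the parameter names and the hunting query's tokens); the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Patterns derived from the behaviours described in the post:
#   - "vssadmin delete shadows ... /all /quiet" (T1490, family-agnostic)
#   - command-line switches /KEY=<30 alphanumerics>, /WIPEMODE, /elevated
#     (switch spelling is an assumption; the post names the parameters and
#     the hunting query uses the class [A-Za-z0-9]{30} for the key)
PATTERNS = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "anubis_key_param": re.compile(r"/KEY=[A-Za-z0-9]{30}", re.I),
    "anubis_wipe_mode": re.compile(r"(?:^|\s)/WIPEMODE\b", re.I),
    "anubis_elevated": re.compile(r"(?:^|\s)/elevated\b", re.I),
}


@dataclass
class Alert:
    host: str
    pid: int
    tags: list
    severity: str
    cmdline: str


def classify_cmdline(cmd: str) -> list:
    """Return the names of every pattern that matches this command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmd)]


def severity_for(tags: list):
    """Shadow-copy deletion or wipe mode is high on its own; a single Anubis
    switch is medium; two or more Anubis switches together are high."""
    if "shadow_copy_deletion" in tags or "anubis_wipe_mode" in tags:
        return "high"
    anubis = [t for t in tags if t.startswith("anubis_")]
    if len(anubis) >= 2:
        return "high"
    if anubis:
        return "medium"
    return None


def parse_line(line: str):
    # Assumed log layout: timestamp|host|pid|image|command line
    _ts, host, pid, image, cmd = line.split("|", 4)
    return host, int(pid), image, cmd


def scan_log(lines) -> list:
    """Run every line through the patterns and keep the ones that alert."""
    alerts = []
    for line in lines:
        host, pid, _image, cmd = parse_line(line)
        tags = classify_cmdline(cmd)
        sev = severity_for(tags)
        if sev:
            alerts.append(Alert(host, pid, tags, sev, cmd))
    return alerts


def hosts_with_full_chain(alerts) -> set:
    """Hosts where an Anubis-style invocation and shadow-copy deletion
    were both seen: the combination the post describes, not a lone
    admin running vssadmin."""
    seen = {}
    for a in alerts:
        s = seen.setdefault(a.host, set())
        s.update(a.tags)
    return {h for h, t in seen.items()
            if "shadow_copy_deletion" in t and any(x.startswith("anubis_") for x in t)}


# Constructed sample log (not real telemetry). The key value is a made-up
# 32-character string so that it satisfies the [A-Za-z0-9]{30} class.
SAMPLE_LOG = [
    "2025-06-13T09:14:02Z|WS-0417|4120|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=norealvolume /all /quiet",
    "2025-06-13T09:13:55Z|WS-0417|3988|C:\\Users\\Public\\update.exe|update.exe /KEY=Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56",
    "2025-06-13T09:15:10Z|WS-0417|4201|C:\\Users\\Public\\update.exe|update.exe /KEY=Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56 /WIPEMODE",
    "2025-06-13T08:02:11Z|SRV-BKP01|1522|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2025-06-13T08:30:40Z|WS-0099|2210|C:\\Program Files\\Tool\\elevated-helper.exe|\"C:\\Program Files\\Tool\\elevated-helper.exe\" --check",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity:6}] {a.host} pid={a.pid} tags={a.tags}")
    print("hosts with deletion + Anubis switches:", hosts_with_full_chain(found))
```

The benign lines are there on purpose: "vssadmin list shadows" from a backup server and a legitimately named "elevated-helper.exe" produce no alert, because the patterns anchor on the "delete shadows" verb and on a slash-prefixed switch rather than on the bare words. In a real deployment the /KEY=, /WIPEMODE and /elevated spellings should be confirmed against Table 1 of the post or against a sample before the rule goes live.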
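The post's point about the dual threat is that an encrypted file and a wiped file fail differently: the first can in principle be recovered with the key, the second cannot be recovered from the file at all, and only offline or off-site backups help. During triage it is useful to tell the two apart across a file tree. The script below is an added example written for this page, not Trend Micro's code or tooling; it assumes that a wiped file is either zero-length or zero-filled (the post's Figures 14 and 15 show the contents erased, but the exact on-disk result is not stated here) and that ECIES-encrypted content shows near-maximal byte entropy. The directory it builds is constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Thresholds chosen for this example (assumptions, not values from the post):
# random or well-encrypted data sits near 8.0 bits/byte; short files are not
# entropy-tested because the estimate is unreliable on a few bytes.
HIGH_ENTROPY = 7.5
MIN_SIZE_FOR_ENTROPY = 256


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte histogram; 0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """wiped: no content left to recover (assumed zero-length or zero-filled);
    likely_encrypted: content present but statistically random;
    intact: anything else."""
    data = path.read_bytes()
    if len(data) == 0 or not any(data):
        return "wiped"
    if len(data) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(data) >= HIGH_ENTROPY:
        return "likely_encrypted"
    return "intact"


def triage_tree(root: Path) -> dict:
    """Walk a directory and bucket every regular file by its classification."""
    result = {"wiped": [], "likely_encrypted": [], "intact": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[classify_file(p)].append(p.relative_to(root).as_posix())
    return result


def build_sample_tree() -> Path:
    """Constructed sample directory: one intact document, one stand-in for an
    encrypted file, and two files in the two assumed wiped states."""
    root = Path(tempfile.mkdtemp(prefix="anubis-triage-"))
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_bytes(b"Quarterly figures, draft.\n" * 40)
    (root / "docs" / "contract.pdf").write_bytes(os.urandom(4096))   # random bytes stand in for ciphertext
    (root / "docs" / "budget.xlsx").write_bytes(b"")                   # wiped: zero length
    (root / "docs" / "notes.txt").write_bytes(b"\x00" * 1024)          # wiped: zero-filled
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for bucket, files in triage_tree(sample_root).items():
        print(f"{bucket:16} {files}")
```

The split matters for the recovery plan: the "likely_encrypted" bucket is what a decryptor, if one ever exists, could act on, while the "wiped" bucket has to come from backups regardless. Entropy alone cannot distinguish ciphertext from compressed archives or media, so on a real tree the "likely_encrypted" list should be cross-checked against the file extension or marker the sample appends.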