Anubis ransomware adds wiper to destroy files beyond recovery
The Anubis ransomware-as-a-service (RaaS) operation has added to its file-encrypting malware a wiper module that destroys targeted files, making recovery impossible even if the ransom is paid. Anubis (not to be confused with the same-name Android malware with a ransomware module) is a relatively new RaaS that was first observed in December 2024 but became more active at the beginning of the year. On February 23, the operators announced an affiliate program on the RAMP forum.
A report from KELA at the time explained that Anubis offered ransomware affiliates an 80% share of their proceeds. Data extortion affiliates were offered 60%, and initial access brokers a 50% cut.
Currently, Anubis’ extortion page on the dark web lists only eight victims, indicating that it could increase the attack volume once confidence in the technical aspect is strengthened. On that front, a Trend Micro report published yesterday contains evidence that the operators of Anubis are actively working on adding new features, an unusual one being a file-wiping function.
The researchers found the wiper in the latest Anubis samples they dissected, and believe the feature was introduced to increase the pressure on the victim to pay more quickly instead of stalling negotiations or ignoring them altogether.