Anubis ransomware adds wiper to destroy files beyond recovery

The Anubis ransomware-as-a-service (RaaS) operation has added a wiper module to its file-encrypting malware that destroys targeted files, making recovery impossible even if the ransom is paid.

Anubis (not to be confused with the Android malware of the same name, which has a ransomware module) is a relatively new RaaS, first observed in December 2024, that became more active at the beginning of the year.

On February 23, the operators announced an affiliate program on the RAMP forum.

A report from KELA at the time explained that Anubis offered ransomware affiliates an 80% share of their proceeds. Data extortion affiliates were offered a 60% cut, and initial access brokers a 50% cut.

Currently, Anubis’ extortion page on the dark web lists only eight victims, suggesting that attack volume could increase once the operators gain confidence in the technical side of the operation.

On that front, a Trend Micro report published yesterday contains evidence that the operators of Anubis are actively working on adding new features, an unusual one being a file-wiping function.

The researchers found the wiper in the latest Anubis samples they dissected, and believe the feature was introduced to increase the pressure on victims to pay quickly instead of stalling negotiations or ignoring them altogether.

“What further sets Anubis apart from other RaaS and lends an edge to its operations is its use of a file wiping feature, designed to sabotage recovery efforts even after encryption,” explains Trend Micro.

“This destructive tendency adds pressure on victims and raises the stakes of an already damaging attack.”

The destructive behavior is activated using the command-line parameter ‘/WIPEMODE,’ which requires key-based authentication to issue.

Anubis’ wipe mode
Source: Trend Micro

When activated, the wiper erases all file contents, reducing their sizes to 0 KB while keeping the filenames and structure intact.

The victim will still see all files in the expected directories, but their contents will be irreversibly destroyed, making recovery impossible.

Files before encryption (top) and after (bottom)
Source: Trend Micro
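The on-disk pattern described above is easy to triage for: filenames and directory layout survive, but file contents shrink to 0 bytes, while the encryption path instead leaves the ‘.anubis’ extension. The following script is an added example written for this article, not Trend Micro’s or the malware’s code. It walks a directory tree, lists files carrying the ransomware extension, lists zero-byte files, and flags directories where the share of empty files crosses an assumed threshold; the sample directory layout it builds is constructed for the demonstration.

```python
"""Filesystem triage for the wiper pattern described above.

Added example code, not Trend Micro's or the page's. The wiper keeps
filenames and directory layout but truncates contents to 0 bytes, so the
on-disk signature is a directory where many ordinary files are suddenly
empty; the encryption path instead leaves the '.anubis' extension.
MIN_FILES and ZERO_RATIO are assumed defaults to tune per environment.
"""
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".anubis"
MIN_FILES = 3     # assumed: ignore directories with fewer regular files
ZERO_RATIO = 0.6  # assumed: flag when >= 60% of a directory's files are empty


def scan_tree(root, ext=ENCRYPTED_EXT, min_files=MIN_FILES, zero_ratio=ZERO_RATIO):
    """Walk `root` and collect wiper/encryption indicators.

    Returns a dict with three sorted lists:
      encrypted    - paths carrying the ransomware extension
      zeroed       - zero-byte regular files (candidate wiped content)
      suspect_dirs - directories whose share of empty files is >= zero_ratio
    Symlinks and non-regular files are skipped so they cannot skew the ratio.
    """
    encrypted, zeroed = [], []
    per_dir = defaultdict(lambda: [0, 0])  # dirpath -> [regular files, empty files]
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if name.lower().endswith(ext):
                encrypted.append(path)
                continue  # encrypted files are reported separately, not counted
            per_dir[dirpath][0] += 1
            if os.path.getsize(path) == 0:
                per_dir[dirpath][1] += 1
                zeroed.append(path)
    suspect_dirs = [
        d for d, (total, empty) in per_dir.items()
        if total >= min_files and empty / total >= zero_ratio
    ]
    return {"encrypted": sorted(encrypted),
            "zeroed": sorted(zeroed),
            "suspect_dirs": sorted(suspect_dirs)}


def build_sample_tree(base):
    """Create a constructed layout: one healthy folder (with a single legitimately
    empty log), one folder encrypted with the '.anubis' extension, and one
    folder hit by the wiper (names intact, contents gone)."""
    layout = {
        "healthy": {"report.docx": b"x" * 120, "notes.txt": b"hello", "empty.log": b""},
        "encrypted": {"q1.xlsx.anubis": b"\x00\x01" * 40, "plan.pdf.anubis": b"\x02" * 33},
        "wiped": {"a.docx": b"", "b.xlsx": b"", "c.pdf": b"", "d.txt": b"still here"},
    }
    for folder, files in layout.items():
        folder_path = os.path.join(base, folder)
        os.makedirs(folder_path, exist_ok=True)
        for name, content in files.items():
            with open(os.path.join(folder_path, name), "wb") as fh:
                fh.write(content)


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return findings
    with paths relative to the sample root (forward slashes for readability)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan_tree(tmp)

        def rel(path):
            return os.path.relpath(path, tmp).replace(os.sep, "/")

        return {key: [rel(p) for p in paths] for key, paths in found.items()}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ratio test matters more than the raw list of empty files: the healthy folder’s single empty log file shows up under `zeroed` but does not make the folder suspicious, while the wiped folder, with three of four files emptied, does. Run against a real share, the `suspect_dirs` list is the place to start restoring from backups.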

Trend Micro’s analysis reveals that Anubis supports several commands at launch, including options for privilege elevation, directory exclusion, and target paths for encryption.

Important system and program directories are excluded by default to avoid rendering the system completely unusable.

The ransomware removes Volume Shadow Copies and terminates processes and services that could interfere with the encryption process.
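Two of the behaviours the article names, the ‘/WIPEMODE’ launch parameter and the removal of Volume Shadow Copies, are visible in process-creation telemetry before any file is touched. The following detection logic is an added example written for this article, not Trend Micro’s or the page’s code. The log format and the sample events are constructed; the shadow-copy deletion commands it matches are the usual Windows ways of removing shadow copies and are an assumption, since the article does not say which method Anubis uses.

```python
"""Process-creation detection for the Anubis behaviours named in the article.

Added example, not Trend Micro's or the page's code. Events use a constructed
'ts|image|parent|cmdline' line format. The '/WIPEMODE' switch comes from the
article; the shadow-copy deletion patterns are an assumption (the common
vssadmin / wmic / PowerShell forms), not the method the article attributes
to Anubis.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    image: str
    parent: str
    cmdline: str


# (rule name, severity, regex over the normalised, lower-cased command line)
RULES = [
    ("anubis_wipemode_switch", "critical",
     re.compile(r"(^|\s)/wipemode(\s|$)")),
    ("shadow_copy_deletion_vssadmin", "high",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("shadow_copy_deletion_wmic", "high",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("shadow_copy_deletion_powershell", "high",
     re.compile(r"win32_shadowcopy.*\bdelete\(\)")),
]

# Constructed sample telemetry: a benign service, the suspected binary launched
# with the wipe switch, two shadow-copy deletions spawned by it, benign
# vssadmin/backup activity, and a malformed line the parser must tolerate.
SAMPLE_LOG = [
    r"2025-06-13T09:12:01Z|C:\Windows\System32\svchost.exe|services.exe|svchost.exe -k netsvcs",
    r"2025-06-13T09:12:05Z|C:\Users\alice\Downloads\invoice.exe|explorer.exe|invoice.exe /WIPEMODE",
    r"2025-06-13T09:12:06Z|C:\Windows\System32\vssadmin.exe|invoice.exe|vssadmin.exe  Delete Shadows /All /Quiet",
    r"2025-06-13T09:12:07Z|C:\Windows\System32\wbem\WMIC.exe|invoice.exe|wmic shadowcopy delete",
    r"2025-06-13T09:13:00Z|C:\Program Files\Backup\agent.exe|services.exe|agent.exe --vss-list",
    r"2025-06-13T09:13:30Z|C:\Windows\System32\vssadmin.exe|backup.exe|vssadmin.exe list shadows",
    "malformed line without separators",
]


def normalise(cmdline):
    """Collapse whitespace and lower-case so spacing tricks do not evade a rule."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def parse_line(line):
    """Parse one 'ts|image|parent|cmdline' line; None for malformed input."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, image, parent, cmdline = parts
    return ProcEvent(ts=ts, image=image, parent=parent, cmdline=cmdline)


def detect(lines):
    """Run every rule over every parsable event; return one alert per match."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        norm = normalise(ev.cmdline)
        for name, severity, rx in RULES:
            if rx.search(norm):
                alerts.append({"rule": name, "severity": severity, "ts": ev.ts,
                               "image": ev.image, "parent": ev.parent})
    return alerts


def _basename(path):
    """Last path component, accepting both slash styles (the log is Windows)."""
    return re.split(r"[\\/]", path)[-1].lower()


def ransomware_chains(alerts):
    """Process names that both launched with /WIPEMODE and spawned a shadow-copy
    deletion. The wipe switch is keyed on the launched image and the deletion
    on its parent, so the two meet on the same process name."""
    wipers, deleters = set(), set()
    for a in alerts:
        if a["rule"] == "anubis_wipemode_switch":
            wipers.add(_basename(a["image"]))
        elif a["rule"].startswith("shadow_copy_deletion"):
            deleters.add(_basename(a["parent"]))
    return sorted(wipers & deleters)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("chains:", ransomware_chains(found))
```

The single-event rules fire individually, but the correlation in `ransomware_chains` is what separates an unusual admin command from the sequence the article describes: a binary launched with the wipe switch that then spawns shadow-copy removal from under itself. `vssadmin list shadows` and the backup agent’s own activity produce no alert.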

The encryption system uses ECIES (Elliptic Curve Integrated Encryption Scheme), and the researchers noted implementation similarities to EvilByte and Prince ransomware.

The encrypted files get the ‘.anubis’ extension appended, an HTML ransom note is dropped in impacted directories, and the malware also makes a (failed) attempt to change the desktop wallpaper.

The Anubis ransom note
Source: Trend Micro

Trend Micro observed that Anubis attacks begin with phishing emails that carry malicious links or attachments.

The complete list of the indicators of compromise (IoCs) associated with Anubis attacks is available here.
