
The Anubis ransomware group, launched in December 2024, is an emerging Ransomware-as-a-Service (RaaS) operation that recently introduced a destructive element to the ransomware landscape. Unlike conventional ransomware strains, Anubis pairs traditional file encryption with a rare second capability: a file destruction mechanism known as wipe mode. This feature is activated via a command-line parameter (/WIPEMODE) and requires key-based authentication. Once triggered, it permanently erases file contents while preserving filenames and directory structures, making recovery impossible even if the ransom is paid.
The Anubis ransomware group has rapidly expanded its operations, targeting organizations across diverse sectors, including healthcare, engineering, and construction. Its attacks have spanned Australia, Canada, Peru, and the United States. This broad range of targets indicates an opportunistic strategy across various industries and geographic locations.
What’s Notable and Unique
- Anubis typically establishes initial access through spear-phishing emails containing malicious attachments or links. These emails are carefully crafted to mimic legitimate communications from trusted sources, tricking recipients into opening the attachments or clicking on embedded links to initiate the infection process.
- The group leverages the Elliptic Curve Integrated Encryption Scheme (ECIES) as its encryption mechanism, utilizing a publicly available Go-based implementation from GitHub. Analysis indicates that the ECIES library used is similar to the one employed by EvilByte/Prince ransomware.
- The Anubis ransom note employs a double extortion strategy, threatening to publicly release stolen data if demands are not met. Additionally, the ransomware includes a wiper feature activated via the /WIPEMODE parameter, which permanently deletes file contents by reducing them to 0 KB, making recovery impossible.
Analyst Comments:
The Anubis ransomware group combines a RaaS structure with a flexible affiliate program that offers negotiable revenue shares and enables multiple monetization avenues, including data extortion and access brokering. This multi-faceted approach maximizes revenue and broadens influence within the cybercriminal ecosystem. The dual capability to both encrypt and irreversibly destroy data significantly increases pressure on victims, elevating the risk and potential damage of an attack.
The use of tactics such as spear-phishing for initial access, command-line execution with privilege escalation, deletion of Volume Shadow Copies, and file wiping highlights the need for comprehensive security controls. Organizations must implement layered defenses to address these attack vectors, alongside maintaining robust offline and offsite backups to counteract Anubis’s destructive capabilities.
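The behaviours this brief calls out (a wipe switch passed on the command line, deletion of Volume Shadow Copies, and files reduced to 0 KB in place while their names survive) can each be watched for in endpoint telemetry. The Python below is an added example written for this brief, not Arete's tooling or code from any of the cited sources: it runs two hypothetical detection rules over constructed process-creation events and a mass-truncation heuristic over constructed file-integrity events. The event field names, the vssadmin/wmic command patterns, and the window and threshold values are assumptions; the page itself only states that Anubis uses /WIPEMODE and deletes shadow copies.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon-like shape.
# Field names ("host", "ts", "user", "cmd_line") are assumptions for this example.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-01", "ts": 1700000000, "user": "CORP\\jdoe",
     "cmd_line": "vssadmin delete shadows /all /quiet"},
    {"host": "ws-01", "ts": 1700000005, "user": "CORP\\jdoe",
     "cmd_line": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe /WIPEMODE"},
    {"host": "ws-02", "ts": 1700000010, "user": "NT AUTHORITY\\SYSTEM",
     "cmd_line": "C:\\Program Files\\Backup\\agent.exe --schedule nightly"},
]

# Constructed file-integrity events: (host, path, old_size, new_size, ts).
SAMPLE_FILE_EVENTS = [
    ("ws-01", "D:\\share\\finance\\q1.xlsx", 48211, 0, 1700000020),
    ("ws-01", "D:\\share\\finance\\q2.xlsx", 51002, 0, 1700000021),
    ("ws-01", "D:\\share\\hr\\roster.docx", 20480, 0, 1700000022),
    ("ws-01", "D:\\share\\hr\\notes.txt", 0, 0, 1700000023),    # already empty: not a truncation
    ("ws-02", "C:\\Users\\ops\\tmp.log", 1024, 0, 1700000030),  # one file on ws-02: below threshold
]

# The /WIPEMODE switch named in the brief, matched as a stand-alone token.
WIPEMODE_RE = re.compile(r"(?:^|\s)/WIPEMODE(?:\s|$)", re.IGNORECASE)

# Commonly used shadow-copy deletion commands. Assumption: the brief does not state
# which command Anubis runs, so this covers the usual vssadmin and wmic forms.
SHADOW_DELETE_RE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)


def classify_process_event(ev):
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    cmd = ev.get("cmd_line", "")
    if WIPEMODE_RE.search(cmd):
        hits.append("anubis_wipemode_flag")
    if SHADOW_DELETE_RE.search(cmd):
        hits.append("shadow_copy_deletion")
    return hits


def detect_mass_truncation(file_events, window=60, threshold=3):
    """Flag hosts where at least `threshold` files went from non-zero to 0 bytes
    within `window` seconds. A wiper that empties files in place but keeps their
    names looks like this; ordinary activity rarely zeroes many files at once."""
    by_host = defaultdict(list)
    for host, path, old_size, new_size, ts in file_events:
        if old_size > 0 and new_size == 0:
            by_host[host].append((ts, path))

    alerts = []
    for host, events in by_host.items():
        events.sort()
        start = 0
        # Sliding window over the sorted timestamps; one alert per host.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "rule": "mass_file_truncation",
                               "count": end - start + 1,
                               "first": events[start][1], "last": events[end][1]})
                break
    return alerts


def run_detections(process_events, file_events):
    """Apply both the command-line rules and the truncation heuristic."""
    alerts = []
    for ev in process_events:
        for rule in classify_process_event(ev):
            alerts.append({"host": ev["host"], "rule": rule, "cmd_line": ev["cmd_line"]})
    alerts.extend(detect_mass_truncation(file_events))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(alert)
```

On the constructed sample, the first two rules fire on ws-01 (shadow-copy deletion, then the /WIPEMODE switch) and the truncation heuristic fires on ws-01 for three files emptied within two seconds; ws-02 stays quiet because a single zeroed log file is below the threshold. The truncation rule is the one worth tuning: it catches the wipe-mode outcome regardless of how the binary was launched, but the window and threshold should be set against what the monitored file shares normally do.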
Sources
- Arete Internal Data
- Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
- Anubis ransomware adds wiper to destroy files beyond recovery