Ransom note | Image: Trend Micro
A new Ransomware-as-a-Service (RaaS) threat has emerged in 2025 — and it’s not just encrypting your data. It’s erasing it. Dubbed Anubis, this ransomware combines traditional file encryption with a sinister purpose: a wipe mode that permanently destroys files, leaving victims with no hope of recovery even if the ransom is paid.
“Anubis is an emerging Ransomware-as-a-Service (RaaS) operation that combines file encryption with file destruction — a rare dual-threat capability,” Trend Micro warned in its recent threat intelligence report.
Anubis first appeared in December 2024, coinciding with a stealthy appearance on X (formerly Twitter) and underground forums such as RAMP and XSS. What began as a prototype dubbed Sphinx has evolved into a full-fledged ransomware campaign complete with branding, a leak site, and a flexible affiliate model.
“The ransomware features a ‘wipe mode,’ which permanently erases files, rendering recovery impossible even if the ransom is paid,” the report states.
Anubis’s architecture is designed for destruction. It gives affiliates granular control over attacks, supporting command-line parameters like:
- /KEY= for encryption key
- /elevated for privilege escalation
- /WIPEMODE to activate destructive wiping
- /PATH= and /PFAD= for precise file targeting or exclusions
Once inside a system, Anubis attempts to elevate privileges and checks for administrative access by probing the physical drive:
“The program performs a check to determine if the current user has administrative privileges by attempting to access the system’s primary physical drive,” Trend Micro explains.
If privileges are granted, the malware proceeds to encrypt data using Elliptic Curve Integrated Encryption Scheme (ECIES) — an algorithm also seen in EvilByte and Prince ransomware variants. Encrypted files are tagged with a .anubis extension, and system icons are replaced with the attacker’s logo. It even attempts to change the user’s desktop wallpaper using a file named wall.jpg — a rare flair of ransomware branding.
“It modifies the icons of encrypted files to instead use its logo,” the report notes.
Anubis’s most dangerous feature is its file wiper. When /WIPEMODE is triggered, the ransomware doesn’t just encrypt files — it reduces them to 0 KB, erasing their content irreversibly.
“The files remain listed, but their sizes are now 0 KB, indicating that their contents have been completely erased,” Trend Micro warns.
This adds intense pressure on victims, especially as Anubis also engages in double extortion, threatening to leak stolen data if demands aren’t met.
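As an added example (not code from the article or from Trend Micro's report), the following Python triage helper works from the artefacts described above: it extracts the affiliate switches (/KEY=, /elevated, /WIPEMODE, /PATH=, /PFAD=) from a captured command line and sorts a file listing into intact, encrypted (.anubis, non-empty) and wiped (0 KB) files, so a responder can tell an encryption-only run from a wipe run before deciding whether recovery is even possible. The "/NAME=value" switch syntax, the zero-byte threshold and all sample data are assumptions constructed for this example.

```python
import re
from collections import Counter

# Switch names are the ones the article lists; the "/NAME=value" / bare
# "/NAME" syntax and case-insensitivity are assumptions of this example.
FLAG_RE = re.compile(
    r'/(KEY|PATH|PFAD)=("[^"]*"|\S+)|/(elevated|WIPEMODE)\b', re.IGNORECASE)

def parse_anubis_args(cmdline):
    """Return the Anubis switches seen in a command line (keys upper-cased)."""
    found = {}
    for m in FLAG_RE.finditer(cmdline):
        if m.group(1):                       # value-carrying switch
            found[m.group(1).upper()] = m.group(2).strip('"')
        else:                                # bare switch
            found[m.group(3).upper()] = True
    return found

def classify_file(name, size):
    """Map one (name, size) pair to 'wiped', 'encrypted' or 'intact'."""
    if size == 0:
        return "wiped"        # article: wiped files stay listed at 0 KB
    if name.lower().endswith(".anubis"):
        return "encrypted"    # article: encrypted files get the .anubis extension
    return "intact"

def triage_listing(entries, min_wiped=5):
    """Count file states and flag wipe mode once zero-byte files pass a threshold.

    Zero-byte files also occur normally (lock and marker files), so the
    threshold is a heuristic chosen for this example, not from the report.
    """
    counts = Counter(classify_file(n, s) for n, s in entries)
    summary = {k: counts.get(k, 0) for k in ("intact", "encrypted", "wiped")}
    summary["wipe_mode_suspected"] = summary["wiped"] >= min_wiped
    return summary

# Constructed sample data, not real telemetry.
SAMPLE_CMDLINE = (r'C:\Users\Public\svc.exe /KEY=1f3a9c /elevated /WIPEMODE '
                  r'/PATH="D:\Shares\Finance"')
SAMPLE_LISTING = [("Q3_budget.xlsx.anubis", 48213), ("minutes.docx.anubis", 19004),
                  ("payroll.csv", 0), ("invoices.pdf", 0), ("notes.txt", 512)]

if __name__ == "__main__":
    print(parse_anubis_args(SAMPLE_CMDLINE))
    print(triage_listing(SAMPLE_LISTING, min_wiped=2))
```

In a real engagement the listing would come from a file-system walk or backup catalogue, and the threshold should be tuned against a known-good baseline of the same share.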
The attack chain follows a multi-stage progression:
- Initial Access (T1566): Spear-phishing emails with malicious attachments or links
- Execution (T1059): Scripts triggered via command-line with malicious parameters
- Privilege Escalation (T1134.002): Attempts system-level elevation using access tokens
- Defense Evasion (T1078): Exploits valid accounts and re-launches with elevated privileges
- Discovery (T1083): Scans for target directories while avoiding Windows system folders
- Impact: Encrypts data (T1486), deletes shadow copies (T1490), kills services (T1489), and if enabled, wipes data irrecoverably (T1485)
Anubis isn’t just malware — it’s a business. With active profiles on underground forums under aliases like supersonic and Anubis__media, the group offers:
- Negotiable affiliate revenue splits
- Access monetization programs
- Data extortion models
- Custom ransom configurations
“All their proposed revenue-share structures are open to negotiation for long-term cooperation,” the analysis confirms.
The group has already listed victims across Australia, Canada, Peru, and the U.S., affecting sectors such as healthcare, construction, and engineering — a clear sign of opportunistic targeting.