The Anubis ransomware-as-a-service (RaaS) operation has added a wiper module to its file-encrypting malware. The module destroys targeted files, making recovery impossible even if the ransom is paid.
Anubis (not to be confused with the Android malware of the same name, which also has a ransomware module) is a relatively new RaaS, first observed in December 2024, that became more active at the beginning of this year.
On February 23, the operators announced an affiliate program on the RAMP forum.
A report from KELA at the time explained that Anubis offered ransomware affiliates an 80% share of their proceeds, data extortion affiliates a 60% cut, and initial access brokers a 50% cut.
Currently, Anubis' extortion page on the dark web lists only eight victims, suggesting the operators could ramp up attack volume once they are confident in the malware's technical capabilities.
On that front, a Trend Micro report published yesterday contains evidence that the operators of Anubis are actively working on adding new features, an unusual one being a file-wiping function.
The researchers found the wiper in the latest Anubis samples they dissected, and believe the feature was introduced to pressure victims into paying more quickly rather than stalling negotiations or ignoring them altogether.
“What further sets Anubis apart from other RaaS and lends an edge to its operations is its use of a file wiping feature, designed to sabotage recovery efforts even after encryption,” explains Trend Micro.
“This destructive tendency adds pressure on victims and raises the stakes of an already damaging attack.”
The destructive behavior is activated with the command-line parameter '/WIPEMODE', which can only be issued after key-based authentication.