Anubis RaaS now includes a wiper module, permanently deleting files. Active since Dec 2024, it launched an affiliate program in Feb 2025.
Anubis is a new RaaS that combines file encryption capability with a rare “wipe mode,” permanently deleting files and preventing recovery even after ransom payment.
Anubis operates a flexible affiliate program that has been active since December 2024. Anubis breached organizations worldwide in multiple sectors, including healthcare and construction.
“Anubis is a recently identified group that sets itself apart by partnering encryption with more destructive capabilities—wiping directories which severely impact chances of file recovery,” reads the report published by Trend Micro. “Given its brief history and use of a multi-layered extortion model, Anubis has all the markings of an evolving and flexible RaaS operation.”
The threat emerged in late 2024, evolving from an earlier variant called Sphinx, which had nearly identical code but lacked key ransom note elements. The malware was later rebranded and officially launched as Anubis. By early 2025, it became active on cybercrime forums like RAMP and XSS, promoting a flexible affiliate program. Unlike typical RaaS, Anubis offers multiple monetization paths, including data theft and access resale.
Anubis is a sophisticated ransomware-as-a-service (RaaS) that combines file encryption with a destructive “wiper mode,” permanently erasing data to prevent recovery. It spreads via phishing emails, uses privilege escalation, evades detection, and encrypts data using Elliptic Curve Integrated Encryption Scheme (ECIES).
The malware's use of an ECIES library for its encryption algorithm is similar to that of the EvilByte/Prince ransomware. The malware changes file icons to Anubis’s logo, attempts to set a custom desktop wallpaper, and applies double extortion.
Anubis encrypts files with the “.anubis” extension, changes their icons, and uses double extortion, threatening to leak stolen data if the ransom isn’t paid.

Upon activating the “wipemode”, the files remain listed, but their sizes are 0 KB, indicating that their contents have been completely erased.
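The two on-disk artifacts described above (files renamed with the “.anubis” extension, and files that remain listed at 0 KB after wipe mode) can be checked for during triage. The following is an added example, not code from the Trend Micro report or from the malware; the function names, the sample tree and the two thresholds are assumptions chosen for illustration.

```python
import os
import tempfile

ENCRYPTED_SUFFIX = ".anubis"  # extension named in the article
MIN_FILES = 5                 # assumed: skip near-empty directories
ZERO_RATIO = 0.8              # assumed: share of empty files that signals a wipe

def triage(root):
    """Return {relative_dir: (total, zero_byte, encrypted, verdict)}."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        total = zero = enc = 0
        for name in names:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue  # file vanished or unreadable; skip it
            total += 1
            if st.st_size == 0:
                zero += 1  # listed but empty, as described for wipe mode
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                enc += 1
        if total == 0:
            continue
        if total >= MIN_FILES and zero / total >= ZERO_RATIO:
            verdict = "possible-wipe"
        else:
            verdict = "encrypted" if enc else "ok"
        report[os.path.relpath(dirpath, root)] = (total, zero, enc, verdict)
    return report

def build_sample(root):
    # Constructed sample tree: one wiped, one encrypted, one normal directory.
    layout = {
        "wiped": {f"doc{i}.docx": b"" for i in range(6)},
        "locked": {f"db{i}.sql.anubis": b"\x01\x02" for i in range(3)},
        "normal": {"a.txt": b"hi", "b.txt": b"yo", "empty.log": b""},
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name, data in files.items():
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for d, row in sorted(triage(tmp).items()):
            print(d, row)
```

A single empty file in an otherwise healthy directory stays below the threshold, so the "normal" directory is not flagged; directories marked "possible-wipe" are the ones to prioritise for restore from offline backup.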

Anubis supports commands for privilege escalation, directory exclusion, and encryption targeting. It avoids key system folders, deletes Volume Shadow Copies, and stops interfering processes to ensure successful encryption.
“The emergence of the Anubis marks a significant evolution in the landscape of cyberthreats, particularly with its dual-threat ransomware capabilities and flexible affiliate programs,” concludes the report. “By combining RaaS with added monetization strategies, such as data ransomware and access monetization affiliate programs, Anubis is maximizing its revenue potential and expanding its reach within the cybercriminal ecosystem. Its ability to both encrypt and permanently destroy data significantly raises the stakes for victims, amplifying the pressure to comply—just as strong ransomware operations aim to do.”
Trend Micro published a list of indicators of compromise (IoCs) associated with this threat.
Pierluigi Paganini
(SecurityAffairs – hacking, Anubis RaaS)