Anubis RaaS Introduces Wiper Module: Enhancing Cyber Threats in 2025
TL;DR
Anubis RaaS has introduced a wiper module that permanently deletes files, so they cannot be recovered even if the ransom is paid. Active since December 2024, it launched an affiliate program in February 2025, targeting multiple sectors worldwide.
Introduction
Anubis, a new ransomware-as-a-service (RaaS) operation, has introduced a wiper module that permanently deletes files, making recovery impossible even after ransom payment. This enhancement, active since December 2024, was followed by the launch of an affiliate program in February 2025. The malware has targeted organizations across various sectors, including healthcare and construction.
Anubis RaaS: A New Cyber Threat
Anubis RaaS combines file encryption with a destructive “wiper mode” that permanently erases data, preventing recovery. This dual-threat capability sets Anubis apart from other ransomware operations. The malware spreads through phishing emails, uses privilege escalation, evades detection, and encrypts data using the Elliptic Curve Integrated Encryption Scheme (ECIES).
Key Features of Anubis RaaS
- File Encryption and Wiper Mode: Anubis encrypts files with the “.anubis” extension and changes their icons. The wiper mode ensures that file contents are completely erased, making recovery impossible.
- Double Extortion: The malware uses double extortion, threatening to leak stolen data if the ransom isn’t paid.
- Affiliate Program: Anubis operates a flexible affiliate program that offers multiple monetization paths, including data theft and access resale.
Evolution and Spread
The threat emerged in late 2024, evolving from an earlier variant called Sphinx, which had nearly identical code but lacked key ransom note elements. The malware was later rebranded and officially launched as Anubis. By early 2025, it became active on cybercrime forums like RAMP and XSS, promoting its flexible affiliate program.
Technical Details
Anubis uses the ECIES library for its encryption algorithm, similar to EvilByte and Prince ransomware. It changes file icons to Anubis’s logo, attempts to set a custom desktop wallpaper, and applies double extortion. The malware supports commands for privilege escalation, directory exclusion, and encryption targeting. It avoids key system folders, deletes Volume Shadow Copies, and stops interfering processes to ensure successful encryption.
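For defenders, the behaviors above (Volume Shadow Copy deletion followed by files appearing with the ".anubis" extension) can be correlated per host. The sketch below is an added example, not code from Trend Micro or from this article. The telemetry tuples are constructed, the shadow-copy command patterns are generic Windows commands rather than ones attributed to Anubis, and treating a zero-byte ".anubis" file as a wiper hint is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic Windows commands that remove Volume Shadow Copies (assumption: the
# article does not say which command Anubis uses).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

# Constructed sample telemetry: (timestamp, host, kind, detail, size_bytes)
EVENTS = [
    ("2025-06-01T10:00:00", "ws-01", "proc", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet", None),
    ("2025-06-01T10:00:20", "ws-01", "file", r"C:\Users\a\Documents\q1.xlsx.anubis", 0),
    ("2025-06-01T10:00:21", "ws-01", "file", r"C:\Users\a\Documents\q2.xlsx.anubis", 0),
    ("2025-06-01T10:00:22", "ws-01", "file", r"C:\Users\a\Documents\plan.docx.anubis", 4096),
    ("2025-06-01T10:05:00", "ws-02", "proc", r"C:\Windows\System32\vssadmin.exe list shadows", None),
    ("2025-06-01T10:06:00", "ws-02", "file", r"C:\Users\b\notes.txt", 120),
    ("2025-06-01T09:00:00", "srv-03", "proc", r"wmic shadowcopy delete", None),
    ("2025-06-01T11:30:00", "srv-03", "file", r"D:\share\old.anubis", 10),
]

def triage(events, window=timedelta(minutes=5), min_files=3):
    """Return {host: verdict} by correlating shadow-copy deletion with .anubis writes."""
    shadow, files = defaultdict(list), defaultdict(list)
    for ts, host, kind, detail, size in events:
        when = datetime.fromisoformat(ts)
        if kind == "proc" and SHADOW_DELETE.search(detail):
            shadow[host].append(when)
        elif kind == "file" and detail.lower().endswith(".anubis"):
            files[host].append((when, size))
    verdicts = {}
    for host in sorted(set(shadow) | set(files)):
        # .anubis files written within `window` after any shadow-copy deletion
        near = [(w, s) for w, s in files[host]
                if any(timedelta(0) <= w - d <= window for d in shadow[host])]
        emptied = sum(1 for _, s in near if s == 0)  # assumed wiper hint
        if len(near) >= min_files:
            verdicts[host] = "wiper-suspected" if emptied else "encryption-suspected"
        elif shadow[host]:
            verdicts[host] = "shadow-copy-deletion-only"
        else:
            verdicts[host] = "anubis-extension-only"
    return verdicts

if __name__ == "__main__":
    for host, verdict in triage(EVENTS).items():
        print(host, verdict)
```

The window and file-count threshold are tuning parameters; a lone shadow-copy deletion is still worth reviewing because backup tooling rarely issues it interactively.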
Impact and Analysis
The emergence of Anubis marks a significant evolution in the landscape of cyberthreats. Its dual-threat capabilities and flexible affiliate programs maximize its revenue potential and expand its reach within the cybercriminal ecosystem. The ability to both encrypt and permanently destroy data significantly raises the stakes for victims, amplifying the pressure to comply.
Trend Micro Report
According to a report published by Trend Micro, Anubis has all the markings of an evolving and flexible RaaS operation. The report highlights the malware’s use of a multi-layered extortion model and its brief history, indicating a high potential for further evolution.
Indicators of Compromise
Trend Micro has published a list of indicators of compromise (IoCs) associated with Anubis. These IoCs can help organizations detect and mitigate the threat of Anubis RaaS.
Conclusion
Anubis RaaS represents a new and evolving threat in the cybersecurity landscape. Its introduction of a wiper module and flexible affiliate program makes it a formidable adversary for organizations across various sectors. As the malware continues to evolve, it is crucial for organizations to stay vigilant and implement robust cybersecurity measures to protect against such threats.