New Anubis RaaS includes a wiper module


Anubis RaaS now includes a wiper module, permanently deleting files. Active since Dec 2024, it launched an affiliate program in Feb 2025.

Anubis is a new RaaS that combines file encryption capability with a rare “wipe mode,” permanently deleting files and preventing recovery even after ransom payment.

Anubis operates a flexible affiliate program that has been active since December 2024. Anubis breached organizations worldwide in multiple sectors, including healthcare and construction.

“Anubis is a recently identified group that sets itself apart by partnering encryption with more destructive capabilities—wiping directories which severely impact chances of file recovery,” reads the report published by Trend Micro. “Given its brief history and use of a multi-layered extortion model, Anubis has all the markings of an evolving and flexible RaaS operation.”

The threat emerged in late 2024, evolving from an earlier variant called Sphinx, which had nearly identical code but lacked key ransom note elements. The malware was later rebranded and officially launched as Anubis. By early 2025, it became active on cybercrime forums like RAMP and XSS, promoting a flexible affiliate program. Unlike typical RaaS, Anubis offers multiple monetization paths, including data theft and access resale.

Anubis is a sophisticated ransomware-as-a-service (RaaS) that combines file encryption with a destructive “wiper mode,” permanently erasing data to prevent recovery. It spreads via phishing emails, uses privilege escalation, evades detection, and encrypts data using Elliptic Curve Integrated Encryption Scheme (ECIES).

The malware's use of an ECIES library for its encryption algorithm is similar to EvilByte/Prince ransomware. The malware changes file icons to Anubis’s logo, attempts to set a custom desktop wallpaper, and applies double extortion.

Anubis encrypts files with the “.anubis” extension, changes their icons, and uses double extortion, threatening to leak stolen data if the ransom isn’t paid.

Upon activating the “wipemode”, the files remain listed, but their sizes are 0 KB, indicating that their contents have been completely erased.
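For responders, the two file-system artifacts described above (the “.anubis” extension and files that are still listed but 0 bytes long) can be swept for per directory to separate encrypted shares from wiped ones. The following is an added example, not code from the Trend Micro report or this article; the function names, the thresholds and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".anubis"  # extension reported in the article

def triage(root, min_files=5, wiped_ratio=0.8):
    """Return {directory: {"verdict", "total", "zero", "encrypted"}} for flagged dirs.

    min_files and wiped_ratio are assumed thresholds, chosen so that a few
    legitimately empty files (.gitkeep, __init__.py) do not raise a flag.
    """
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        total = zero = encrypted = 0
        for name in files:
            try:
                size = os.lstat(os.path.join(dirpath, name)).st_size
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            total += 1
            zero += size == 0
            encrypted += name.lower().endswith(ENCRYPTED_EXT)
        # "Wiped" means most files in a non-trivial directory are empty but still listed.
        wiped = total >= min_files and zero / total >= wiped_ratio
        if wiped and encrypted:
            verdict = "wiped+encrypted"
        elif wiped:
            verdict = "wiped"
        elif encrypted:
            verdict = "encrypted"
        else:
            continue
        flagged[dirpath] = {"verdict": verdict, "total": total,
                            "zero": zero, "encrypted": encrypted}
    return flagged

def build_sample(root):
    """Constructed sample tree: one normal, one encrypted, one wiped directory."""
    layout = {
        "normal": {"a.txt": b"data", "b.txt": b"data", ".gitkeep": b""},
        "finance": {"q1.xlsx.anubis": b"\x01" * 64, "q2.xlsx.anubis": b"\x02" * 64},
        "shares": {f"doc{i}.docx": b"" for i in range(6)},
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name, body in files.items():
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, info in sorted(triage(tmp).items()):
            print(os.path.relpath(path, tmp), info)
```

Directories flagged as wiped have no content left to decrypt, so they should be prioritized for restoration from offline backups.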

Anubis supports commands for privilege escalation, directory exclusion, and encryption targeting. It avoids key system folders, deletes Volume Shadow Copies, and stops interfering processes to ensure successful encryption.

“The emergence of Anubis marks a significant evolution in the landscape of cyberthreats, particularly with its dual-threat ransomware capabilities and flexible affiliate programs,” concludes the report. “By combining RaaS with added monetization strategies, such as data ransomware and access monetization affiliate programs, Anubis is maximizing its revenue potential and expanding its reach within the cybercriminal ecosystem. Its ability to both encrypt and permanently destroy data significantly raises the stakes for victims, amplifying the pressure to comply—just as strong ransomware operations aim to do.”

Trend Micro published a list of indicators of compromise (IoCs) associated with this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, Anubis RaaS)