The Anubis ransomware-as-a-service (RaaS) operation has added a destructive twist to its attack strategy: a new file-wiping module.
The module permanently erases files, making recovery impossible even if the ransom is paid.
First observed in December 2024, Anubis became more active in early 2025 and launched an affiliate program on the RAMP forum on February 23. The group offers affiliates up to 80% of ransomware profits, and 60% for data extortion, with initial access brokers earning 50%.
According to a recent Trend Micro report, the newly discovered “/WIPEMODE” feature in Anubis ransomware samples can completely wipe files while preserving their directory structure and filenames. This trick creates the illusion that files are intact, but in reality, their content is reduced to 0 KB, making them irretrievable.
“What sets Anubis apart from other RaaS is its use of a file-wiping feature, designed to sabotage recovery efforts even after encryption,” says Trend Micro.
The ransomware also:
- Removes Volume Shadow Copies
- Terminates security-related services
- Uses ECIES encryption, similar to EvilByte and Prince ransomware
- Drops an HTML ransom note and appends the .anubis extension to encrypted files
Anubis infections typically begin through phishing emails that contain malicious links or attachments. Although its dark web extortion site currently lists only eight victims, experts warn that the group could scale up operations as its malware matures.
Security professionals are advised to monitor for Indicators of Compromise (IoCs) and implement strong email security and backup strategies to mitigate potential attacks.
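As an added illustration (not code from Trend Micro or from this article's author), the sketch below turns the two file-system traits described above into a triage check: directories where filenames remain but most files are 0 bytes, and files carrying the .anubis extension. The thresholds, function names and sample tree are assumptions constructed for the example.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".anubis"   # extension named in the article
ZERO_RATIO_ALERT = 0.5      # assumption: tune per environment
MIN_FILES = 4               # assumption: ignore tiny directories

def scan_tree(root):
    """Return {directory: {"total", "zero", "encrypted"}} for each directory with files."""
    stats = defaultdict(lambda: {"total": 0, "zero": 0, "encrypted": 0})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                size = os.stat(os.path.join(dirpath, name), follow_symlinks=False).st_size
            except OSError:
                continue  # file vanished or is unreadable; skip it
            entry = stats[dirpath]
            entry["total"] += 1
            entry["zero"] += size == 0
            entry["encrypted"] += name.lower().endswith(ENCRYPTED_EXT)
    return dict(stats)

def suspicious_dirs(stats):
    """Directories where names survive but most content is gone, or .anubis files exist."""
    hits = []
    for path, s in sorted(stats.items()):
        wiped = s["total"] >= MIN_FILES and s["zero"] / s["total"] >= ZERO_RATIO_ALERT
        if wiped or s["encrypted"]:
            hits.append((path, s["zero"], s["encrypted"], s["total"]))
    return hits

def build_sample(root):
    """Constructed sample tree: one healthy, one wiped, one encrypted directory."""
    layout = {
        "healthy": {"a.docx": b"data", "b.xlsx": b"data", "c.txt": b"", "d.pdf": b"data"},
        "wiped": {"q1.docx": b"", "q2.xlsx": b"", "q3.pdf": b"", "notes.txt": b"x"},
        "encrypted": {"report.docx.anubis": b"\x00" * 16, "readme.txt": b"ok"},
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name, content in files.items():
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, zero, enc, total in suspicious_dirs(scan_tree(tmp)):
            print(f"{os.path.relpath(path, tmp)}: {zero}/{total} zero-byte, {enc} {ENCRYPTED_EXT}")
```

Empty files also occur legitimately (placeholders, lock files), so treat a hit as a prompt to compare against backups rather than as confirmation of compromise.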
Bijay Pokharel