Anubis and the Death of Data: A New Era of Ransomware Operations
Ransomware trends and the emergence of Anubis
Ransomware activity continues to increase, and Bitsight data illustrates the scale of this growth. In our State of the Underground 2025 report, Bitsight TRACE observed a nearly 25% rise in unique ransomware victims publicly listed on leak sites. Additionally, the number of leak sites operated by ransomware groups grew by 53%. These trends reinforce ransomware’s ongoing role as a primary method for financially motivated threat actors to extract payments from targeted organizations, due in part to its speed, reach, and impact.
Anubis overview
Anubis is a relatively recent addition to the ransomware ecosystem, first identified in November 2024. While the group has not been attributed to any region, security researchers have observed its members speaking Russian on dark web forums. Despite its short time in operation, the group has established a notable presence, particularly through its attacks on critical infrastructure. This focus on high-value targets has contributed to its visibility within both cybercriminal networks and the broader cybersecurity community.
The group has also implemented a distinctive affiliate payment structure. Anubis offers multiple monetization models to accommodate varying levels of affiliate involvement. In the standard Ransomware-as-a-Service (RaaS) model, affiliates retain 80% of the ransom, with the remaining 20% allocated to Anubis for providing tooling and infrastructure. For operations that include data theft before extortion, Anubis supports the pressure campaign and collects 40% of the proceeds. In cases where the group provides direct assistance during the post-compromise extortion process, such as managing negotiations, revenue is split evenly between Anubis and the affiliate.
More recently, Anubis has drawn attention for incorporating a destructive capability into its operations. In certain incidents, victims reported permanent data deletion even after ransom payments were made. This behavior may be intended to increase pressure on victims or deter delays in payment.
The combination of varied monetization options, technical capability, and target selection indicates that Anubis represents a significant and evolving threat within the ransomware landscape.
Technical capabilities
Anubis ransomware leverages a range of techniques consistent with financially motivated intrusion activity.
- Initial Access: Anubis typically gains initial access through spear-phishing emails containing malicious links or attachments. These emails are crafted to appear as if they come from trusted sources. Monitoring email gateways for suspicious attachments and links is crucial.
- Execution: Anubis uses command and scripting interpreters with configurable parameters. Threat hunters should look for unusual command-line activity, especially commands that include parameters like /KEY=, /elevated, /PATH=, /PFAD=, and /WIPEMODE.
- Defense Evasion: Anubis employs valid accounts for defense evasion. Monitoring for unusual account activity, especially accounts accessing sensitive directories, is essential.
- Destructive Actions: The ransomware's wipe mode functionality is a key indicator. Look for signs of file destruction, such as files being reduced to 0 KB.
- Encryption and Exclusion: Anubis avoids encrypting core system directories to prevent system failures. Monitoring for encryption activity that excludes directories like windows, system32, and program files can be indicative of Anubis activity.
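The command-line switches listed above are the most concrete hunting lead in this section. The following is an added example, not code from the original post or from Bitsight, that scans constructed process-creation telemetry (Sysmon Event ID 1 style, pipe-delimited) for those switches and rates /WIPEMODE as critical because it marks the destructive branch. The log format and sample events are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Command-line switches the post lists for Anubis' Windows payload.
ANUBIS_SWITCHES = ("/KEY=", "/elevated", "/PATH=", "/PFAD=", "/WIPEMODE")

# Constructed sample telemetry, one event per line:
# "<time>|<user>|<image>|<command line>". These are not real logs.
SAMPLE_EVENTS = (
    "2025-01-10T08:01:12Z|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users\n"
    "2025-01-10T08:03:44Z|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|"
    "update.exe /KEY=ABCD1234 /elevated /PATH=D:\\Shares\n"
    "2025-01-10T08:05:02Z|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|"
    "update.exe /PFAD=D:\\Shares /WIPEMODE\n"
    "2025-01-10T08:09:31Z|CORP\\admin|C:\\Program Files\\Git\\bin\\git.exe|git.exe log --path=src\n"
)


@dataclass
class Finding:
    time: str
    user: str
    image: str
    switches: Tuple[str, ...]  # which Anubis-style switches appeared
    severity: str


def scan_event(line: str) -> Optional[Finding]:
    """Return a Finding if the event's command line carries any listed switch."""
    time, user, image, cmdline = line.split("|", 3)
    # Match case-insensitively but report the canonical spelling from the post.
    hits = tuple(s for s in ANUBIS_SWITCHES if re.search(re.escape(s), cmdline, re.I))
    if not hits:
        return None
    # /WIPEMODE signals the destructive branch; anything else still warrants triage.
    severity = "critical" if "/WIPEMODE" in hits else "high"
    return Finding(time, user, image, hits, severity)


def scan_events(text: str) -> List[Finding]:
    """Scan a block of pipe-delimited events and collect all findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = scan_event(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.severity.upper():8} {f.time} {f.user} {f.image} {f.switches}")
```

Note that a legitimate tool's `--path=` option is not flagged, because the match is on the slash-prefixed switch rather than the bare word.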
Platform-specific functionality
Android Platform
On Android devices, Anubis functions primarily as a banking trojan. Its tactics include:
- Phishing Overlays: Displays counterfeit login interfaces over legitimate apps to collect user credentials.
- Screen Recording and Keylogging: Records on-screen activity and captures keystrokes to extract sensitive data.
- Mass SMS Propagation: Sends text messages to the victim’s contacts to facilitate further distribution of the malware.
- Device Locking and Ransom Notes: Restricts device access and displays ransom demands.
- Data Exfiltration: Locates and transmits files of interest to attacker-controlled infrastructure.
Windows Platform
On Windows systems, Anubis operates as a Ransomware-as-a-Service offering with the following capabilities:
- File Encryption and Wiping: Encrypts files using the Elliptic Curve Integrated Encryption Scheme (ECIES), and optionally deletes them to prevent recovery.
- Privilege Escalation: Gains elevated system privileges through access token manipulation.
- Shadow Copy Deletion: Removes Volume Shadow Copies to eliminate recovery options.
- Service Disruption: Terminates selected system services to aid the encryption process and reduce recovery potential.
Initial access and propagation
Anubis attacks typically begin with phishing emails containing malicious links or attachments. Upon execution, the malware attempts to escalate privileges and move laterally within the network. Encryption and, in some cases, file wiping are then used to apply pressure on the victim to pay the ransom.
Target profile
Anubis has been observed targeting organizations across several sectors, with a particular focus on Healthcare, Construction, and Professional Services. Geographic activity includes confirmed cases in the United States, France, Australia, and Peru.
Significant attacks
On November 13, 2024, a healthcare provider in Victoria, Australia, detected suspicious activity on its systems, indicating a potential cyber incident. The organization promptly initiated an investigation.
Subsequent findings revealed that patient data may have been accessed and exfiltrated by an unauthorized third party. The compromised information potentially included:
- Contact Information: Names, addresses, email addresses, and phone numbers.
- Health Information: Details of diagnoses, treatments, or recovery related to medical conditions or disabilities.
- Medicare or Pensioner Card Details: Information pertaining to patients' Medicare or pensioner cards.
The company took immediate steps to contain the incident, enhance system security, and notify relevant Australian regulatory bodies, including the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).
While public statements did not specify the involvement of ransomware, security researchers attributed the attack to the Anubis ransomware group.
Anubis publicly claimed responsibility for the attack, listing the medical centre as its first known victim on its dark web leak site. The group allegedly obtained and later leaked sensitive data, including medical records and identification documents.
The incident marked the emergence of Anubis as a significant threat actor in the cybersecurity landscape. The group's focus on healthcare institutions underscores the vulnerability of the sector to cyberattacks, given the sensitive nature of patient data and the critical services provided.
In December 2024, a similar attack was launched on a healthcare organization in Canada, with Anubis publishing the extorted data on its Data Leak Site (DLS).
Mitigation and prevention
So how do you protect yourself from threat actors like Anubis? We recommend:
- Immediate containment: Isolate any systems confirmed or suspected to be compromised to prevent lateral movement and limit the spread of malware or unauthorized access.
- IOC monitoring: Leverage threat intelligence to continuously monitor for known Indicators of Compromise (IOCs). This includes inspecting network traffic, system logs, and endpoint telemetry to detect ongoing or residual malicious activity.
- Incident response activation: Launch a comprehensive incident response process. Assess the scope of the intrusion, identify affected assets, contain the threat, and initiate forensic investigation and remediation steps.
- User education: Conduct targeted training sessions to reinforce awareness of phishing and social engineering techniques. Emphasize the role of users in identifying and reporting suspicious activity promptly.
- Security enhancements: Strengthen defenses by deploying or expanding multi-factor authentication (MFA), hardening identity and access controls, and ensuring robust endpoint detection and response (EDR) solutions are in place across the organization.
- Zero-trust architecture: Limit access and reduce the attack surface.
- Physical security keys: Implement hardware security keys to help prevent phishing.
MITRE Table
| Technique | Description | MITRE ID |
| --- | --- | --- |
| Initial Access via Phishing | Delivers malicious payload via email. | T1566 – Phishing |
| File Encryption (ECIES) | Encrypts files using strong cryptographic schemes. | T1486 – Data Encrypted for Impact |
| Wiper Mode | Permanently deletes files to increase damage. | T1485 – Data Destruction |
| Privilege Escalation | Manipulates access tokens to gain elevated privileges. | T1134.002 – Access Token Manipulation: Create Process with Token |
| Shadow Copy Deletion | Removes recovery options to prevent restoration. | T1490 – Inhibit System Recovery |
| Service Termination | Disables key services to facilitate encryption. | T1489 – Service Stop |
| Lateral Movement (inferred from spreading behavior) | Propagates within the network post-compromise. | T1021 – Remote Services |
| Phishing Overlays | Displays fake login forms to capture credentials from financial apps. | T1444 – Masquerading |
| Screen Recording & Keylogging | Captures user inputs and screen activity. | T1417 – Input Capture, T1517 – Screen Capture |
| Mass SMS Propagation | Sends SMS to spread malware. | T1402 – Broadcast Intent Abuse, T1466 – Remotely Triggerable Execution |
| Device Locking & Ransom Notes | Locks device and demands ransom. | T1490 – Inhibit System Recovery (mapped from enterprise due to functional similarity) |
| Data Exfiltration | Transfers files to external servers. | T1537 – Transfer Data to Cloud Account, T1020 – Automated Exfiltration |