Anubis Ransomware Now Includes Destructive Wiper Functionality

by archynetyscom

2025/06/17 03:07:09

The Anubis Ransomware-as-a-Service (RaaS) operation has added to its file-encrypting malware a wiper module that destroys targeted files, making recovery impossible even if the ransom is paid.

Anubis (not to be confused with the same-name Android malware that carries a ransomware module) is a relatively new RaaS, first observed in December 2024, that became more active at the beginning of the year.

On February 23, the operators announced an affiliate program on the RAMP forum.

A report from KELA at the time explained that Anubis offered ransomware affiliates an 80% share of the proceeds. Data extortion affiliates were offered a 60% cut, and initial access brokers a 50% cut.

Currently, Anubis’ extortion page on the dark web lists only eight victims, suggesting the operation could increase its attack volume once confidence in the technical side of the malware grows.

On that front, a Trend Micro report published yesterday contains evidence that the Anubis operators are actively adding new features, an unusual one being a file-wiping function.

The researchers found the wiper in the latest Anubis samples they dissected and believe the feature was introduced to pressure victims into paying quickly rather than stalling negotiations or ignoring them altogether.

“What further sets Anubis apart from other RAAS and lends an edge to its operations is its use of a file wiping feature, designed to sabotage recovery efforts even after encryption,” explains Trend Micro.

“This destructive tendency adds pressure on victims and raises the stakes of an already damaging attack.”

The destructive behavior is activated with the command-line parameter ‘/WIPEMODE’, which requires key-based authentication to issue.

Anubis’ wipe mode
Source: Trend Micro

When activated, the wiper erases all file contents, reducing each file’s size to 0 KB while keeping filenames and directory structure intact.

The victim will still see all files in the expected directories, but their contents are irreversibly destroyed, making recovery impossible.

Files before encryption (top) and after (bottom)
Source: Trend Micro

Trend Micro’s analysis reveals that Anubis supports several commands at launch, including for privilege elevation, directory exclusion, and target paths for encryption.

Important system and program directories are excluded by default to avoid rendering the system wholly unusable.

The ransomware removes Volume Shadow Copies and terminates processes and services that could interfere with the encryption process.
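Two of the behaviours described above, the ‘/WIPEMODE’ launch switch and the removal of Volume Shadow Copies before encryption, leave traces in process-creation telemetry. The following is an added detection example written for this article, not Trend Micro’s code. The pipe-delimited record format and the sample events are constructed, and the vssadmin/wmic command shapes are an assumption: the article says shadow copies are removed but does not name the command Anubis uses.

```python
"""Flag process-creation records showing two behaviours the article describes
for Anubis: deletion of Volume Shadow Copies ahead of encryption, and a binary
launched with the '/WIPEMODE' switch.  Added example for detection engineers,
not Trend Micro's code.  The record format and the vssadmin/wmic command
shapes are assumptions: the page says shadow copies are removed but names no
command, and real telemetry (Sysmon, EDR) has its own schema."""
import re

# Constructed sample records: "timestamp|host|parent_image|image|command_line".
SAMPLE_EVENTS = [
    "2025-06-16T09:12:01Z|ws-07|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\a\\todo.txt",
    "2025-06-16T09:14:22Z|ws-07|cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2025-06-16T09:14:23Z|ws-07|cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2025-06-16T09:14:30Z|ws-07|cmd.exe|C:\\Users\\a\\AppData\\Local\\Temp\\update.exe|update.exe /WIPEMODE",
    "2025-06-16T09:20:00Z|ws-07|services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2025-06-16T09:21:00Z|ws-12|cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
]

RULES = [
    # Either of two common command-line ways of deleting shadow copies (assumed).
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    # The wiper switch the article names, matched as a standalone argument.
    ("anubis_wipemode_switch", re.compile(r"(^|\s)/WIPEMODE(\s|$)", re.I)),
]


def parse_event(line):
    """Split one constructed record into its named fields."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def detect(lines):
    """Return one (ts, host, rule, image) hit per matching record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for rule, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["ts"], ev["host"], rule, ev["image"]))
                break  # one alert per record is enough
    return hits


def correlate(hits):
    """Hosts where both shadow-copy deletion and the wiper switch were seen.
    Together they remove every local recovery path, so rank these first."""
    rules_by_host = {}
    for _ts, host, rule, _image in hits:
        rules_by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in rules_by_host.items()
                  if {"shadow_copy_deletion", "anubis_wipemode_switch"} <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("hosts with both behaviours:", correlate(found))
```

The `/WIPEMODE` pattern is deliberately narrow (a standalone argument, not a substring) because the switch is the only syntax the article gives; the shadow-copy rule is the generic one defenders already run, and the correlation step is what distinguishes this campaign’s wipe-plus-encrypt sequence from an administrator cleaning up snapshots.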

The encryption system uses ECIES (Elliptic Curve Integrated Encryption Scheme), and the researchers noted implementation similarities to EvilByte and Prince ransomware.

Encrypted files have the ‘.anubis’ extension appended, an HTML ransom note is dropped in affected directories, and the malware also attempts (unsuccessfully) to change the desktop wallpaper.
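The on-disk footprint the article describes is distinctive: ‘.anubis’ files and an HTML note where encryption ran, and directories full of intact filenames with 0-byte contents where the wiper ran. The following added example (written for this article, not Trend Micro’s or the malware’s code) scans a directory tree for both patterns. The sample tree it builds is constructed, the ransom-note filename is a placeholder because the article does not give one, and the zero-byte thresholds are assumptions chosen to avoid alerting on a single empty log file.

```python
"""Scan a directory tree for the on-disk artifacts the article attributes to
Anubis: files carrying the '.anubis' extension, an HTML ransom note in the
same directory, and clusters of files truncated to 0 bytes with names and
directory layout left intact (the wiper's footprint).  Added example for
defenders, not Trend Micro's or the malware's code."""
import os
import tempfile

RANSOM_EXT = ".anubis"
# Assumptions: the page gives no ransom-note filename, so any .html/.htm file
# next to affected files is treated as a candidate note; the thresholds below
# are constructed so that one stray empty log file does not raise an alert.
ZERO_BYTE_RATIO = 0.5   # half or more of a directory's plain files empty
MIN_FILES = 3           # ignore directories with fewer plain files


def scan_tree(root):
    """Return {relative_dir: finding} for directories showing either artifact."""
    findings = {}
    for dirpath, _subdirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(RANSOM_EXT)]
        notes = [f for f in files if f.lower().endswith((".html", ".htm"))]
        plain = [f for f in files if f not in encrypted and f not in notes]
        zero_byte = [f for f in plain
                     if os.path.getsize(os.path.join(dirpath, f)) == 0]
        # Wiper signature: names survive, contents are gone, for most of the directory.
        wiped_cluster = (len(plain) >= MIN_FILES
                         and len(zero_byte) / len(plain) >= ZERO_BYTE_RATIO)
        if encrypted or wiped_cluster:
            findings[os.path.relpath(dirpath, root)] = {
                "encrypted": len(encrypted),
                "zero_byte": len(zero_byte),
                "wiped_cluster": wiped_cluster,
                "ransom_note": bool(notes),
            }
    return findings


def build_sample_tree(root):
    """Constructed sample data, not a real incident: one encrypted directory,
    one wiped directory, one clean directory with a single empty log.
    RESTORE_FILES.html is a placeholder name; the article gives no note filename."""
    layout = {
        "docs": {"report.docx.anubis": b"\x9a\x11ciphertext",
                 "budget.xlsx.anubis": b"\x00\x7fciphertext",
                 "RESTORE_FILES.html": b"<html>ransom note</html>"},
        "wiped": {"a.txt": b"", "b.txt": b"", "c.txt": b"", "d.txt": b""},
        "clean": {"notes.txt": b"meeting notes", "readme.md": b"# readme", "empty.log": b""},
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name, content in files.items():
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(content)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for directory, finding in sorted(demo().items()):
        print(directory, finding)
```

Run against a real share, the `wiped_cluster` flag is the one that matters for scoping: because the wiper leaves names and paths intact, a file listing alone looks healthy, and only size or hash checks against a backup catalogue reveal which directories are beyond recovery.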

The Anubis ransom note
Source: Trend Micro

Trend Micro observed that Anubis attacks begin with phishing emails that carry malicious links or attachments.

The complete list of indicators of compromise (IOCs) associated with Anubis attacks is available here.


What Is Ransomware-as-a-Service?

Ransomware-as-a-Service (RaaS) is a business model in which ransomware developers lease their tools to affiliates who then conduct the attacks. This lets individuals with limited technical skills launch ransomware attacks, increasing the overall volume and sophistication of these threats.

Anubis’ New File-Wiping Module

The Anubis ransomware has recently added a file-wiping module that can destroy targeted files, making recovery impossible even if the ransom is paid. This new feature increases the pressure on victims to pay the ransom quickly and raises the stakes of an already damaging attack.

Frequently Asked Questions:

What is ransomware?
Ransomware is a type of malware that encrypts a victim’s files and demands a ransom for their decryption.
What is RaaS?
RaaS (Ransomware-as-a-Service) is a business model in which ransomware developers lease their ransomware tools to affiliates.
What is a file-wiping module?
A file-wiping module is a feature in ransomware that destroys targeted files, making recovery impossible.
How can I protect myself from ransomware?
To protect yourself from ransomware, keep your software up to date, use strong passwords, be careful about clicking links or opening attachments in emails, and back up your data regularly.
What should I do if I am infected with ransomware?
If you are infected with ransomware, disconnect your computer from the internet, report the incident to the authorities, and consider seeking professional help from a cybersecurity expert.

