Anubis Ransomware Encrypts and Wipes Data, Making Recovery Impossible Even After Ransom Payment

220/68 Wednesday, June 18, 2025

Trend Micro has released a report on a newly discovered ransomware strain named “Anubis”, which poses a serious threat due to its unique dual functionality: it not only encrypts files but also features a “wipe mode” that permanently erases file contents. This destructive behavior makes data recovery impossible even if the victim pays the ransom, placing Anubis in the rare category of two-stage ransomware threats.

The group behind Anubis has been operating a Ransomware-as-a-Service (RaaS) model since December 2024, targeting organizations in various industries including healthcare, tourism, and construction across Australia, Canada, Peru, and the United States. Early versions of the ransomware were labeled “Sphinx”, but later evolved under the Anubis branding.

Trend Micro clarified that this ransomware has no connection to the Android banking trojan or the backdoor malware developed by the FIN7 group (also known as GrayAlpha) — both of which previously used the name Anubis. The current Anubis operation allows public affiliate participation, offering up to 80% revenue share from ransom payments. It also supports data extortion and access monetization, selling entry into compromised enterprise networks.

Anubis typically spreads via phishing emails, escalates privileges, deletes Volume Shadow Copies, and then proceeds to encrypt files. One of its most dangerous features is the /WIPEMODE parameter, which zeroes out file content while keeping the filename intact. This gives users the false impression that their files are still recoverable, increasing pressure to pay the ransom.
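Because wipe mode keeps file names intact, a directory listing no longer tells a responder what is recoverable; the content itself has to be inspected. The following triage script is an added example, not code from the Trend Micro report or the article: it classifies files as wiped (0 KB or zero-filled), encrypted-looking (near-maximal entropy) or normal. The sample tree, file names and the 7.9-bit entropy threshold are constructed assumptions for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

WIPED, ENCRYPTED, NORMAL = "wiped", "encrypted", "normal"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample (0.0 for empty input, close to 8.0 for ciphertext)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_bytes: int = 65536) -> str:
    """Classify one file by its content, deliberately ignoring the (intact) file name.

    A wiped file is either 0 KB (content dropped) or filled with 0x00 bytes
    (content overwritten). Encrypted content shows near-maximal entropy.
    """
    if path.stat().st_size == 0:
        return WIPED
    with path.open("rb") as fh:
        data = fh.read(sample_bytes)
    if not any(data):  # every sampled byte is 0x00
        return WIPED
    if shannon_entropy(data) > 7.9:  # assumed threshold, tune per environment
        return ENCRYPTED
    return NORMAL


def triage_tree(root: Path) -> dict:
    """Count files per class under root. A large 'wiped' share means the
    listing the victim sees is misleading about recoverability."""
    counts = Counter({WIPED: 0, ENCRYPTED: 0, NORMAL: 0})
    for p in root.rglob("*"):
        if p.is_file():
            counts[classify_file(p)] += 1
    return dict(counts)


def build_constructed_tree() -> Path:
    """Constructed sample data for the demo, not taken from any real incident."""
    root = Path(tempfile.mkdtemp(prefix="anubis_triage_"))
    (root / "report.docx").write_bytes(b"")                        # wiped: 0 KB
    (root / "ledger.xlsx").write_bytes(b"\x00" * 4096)             # wiped: zero-filled
    (root / "scan.pdf.enc").write_bytes(os.urandom(65536))         # encrypted-looking
    (root / "notes.txt").write_bytes(b"quarterly notes\n" * 200)   # untouched
    return root


if __name__ == "__main__":
    print(triage_tree(build_constructed_tree()))
```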

Researchers also noted FIN7-related activity involving the use of fake infrastructure, such as fake browser update pages and fake 7-Zip download sites, to distribute NetSupport RAT via loaders named MaskBat and PowerNet. These techniques were observed as recently as April 2025, raising concerns about overlapping infrastructure or tactics between groups.

Source: https://thehackernews.com/2025/06/anubis-ransomware-encrypts-and-wipes.html