Anubis, a recently emerged ransomware-as-a-service (RaaS) group, is making headlines for its ability to both encrypt and permanently wipe victim files. The ransomware began active operations in December 2024 and has targeted healthcare, construction, and engineering organizations in the U.S., Australia, Canada, and Peru.
Anubis affiliates often gain access through spear phishing emails. Once inside the network, the ransomware deletes shadow copies to block file restoration and encrypts files using the Elliptic Curve Integrated Encryption Scheme (ECIES). It also offers a “wipe mode” (/WIPEMODE parameter), which erases file contents and makes recovery impossible, even if a ransom is paid.
The group’s wipe mode is an unusual development in the world of ransomware. With this functionality, Anubis can leave file names and extensions intact while reducing file sizes to zero, making conventional recovery and decryption efforts futile. Since its public launch, Anubis has listed at least seven victims from healthcare, engineering, and construction sectors on its leak site, and is known to threaten the release of stolen data if ransoms are not paid.
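As an added example (not from the article and not derived from any Anubis sample), here is a defender's triage script for the pattern the text describes: document files whose names and extensions are intact but whose size has dropped to zero, clustered in time. The extension list, the thresholds and the sample directory tree are assumptions constructed for this example.

```python
import os
import tempfile
import time
from collections import defaultdict

# Assumption for this example: file types we expect to carry content.
DOCUMENT_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}


def truncation_report(root, recent_seconds=3600, min_hits=3):
    """Walk `root` and flag document files that are 0 bytes and were
    modified within the last `recent_seconds`. Returns per-extension
    counts, the suspect paths, and a `suspicious` flag once at least
    `min_hits` files match (a burst of zeroed documents, not one stray)."""
    now = time.time()
    per_ext = defaultdict(int)
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in DOCUMENT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable; skip it
            if st.st_size == 0 and now - st.st_mtime <= recent_seconds:
                per_ext[ext] += 1
                suspects.append(path)
    return {"per_ext": dict(per_ext), "suspects": sorted(suspects),
            "suspicious": len(suspects) >= min_hits}


def build_sample_tree():
    """Constructed sample: three documents zeroed in place (names and
    extensions kept), one intact document, and one old empty file that
    the time window should ignore."""
    root = tempfile.mkdtemp(prefix="wipe_demo_")
    for name in ("report.docx", "budget.xlsx", "scan.pdf"):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("original content")
        os.truncate(path, 0)  # emulate in-place truncation to 0 bytes
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("still here")
    old = os.path.join(root, "stale.txt")
    open(old, "w").close()
    two_days_ago = time.time() - 2 * 86400
    os.utime(old, (two_days_ago, two_days_ago))  # outside the window
    return root


if __name__ == "__main__":
    print(truncation_report(build_sample_tree()))
```

Run it against a file share or a user profile on a schedule and alert on `suspicious`; the per-extension counts show which document types were hit.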
Anubis operates on a criminal affiliate model and is advertised on cybercrime forums such as RAMP and XSS. Affiliates are offered customizable revenue-sharing agreements for ransom payments, data sales, or the sale of network access. Anubis can be configured flexibly for encryption-only, data exfiltration, or full wipe attacks.
The addition of a wiper function to ransomware is rare and makes attacks far riskier for organizations. It removes incentives for paying the ransom in hopes of data recovery, and increases the pressure for organizations to pay to prevent public data leaks.
The emergence of ransomware with dual encryption and wiper functionality increases the need for rapid incident detection, offline and fixed backups, and regular employee security awareness training. Organizations must review their incident response plans for destructive attacks and maintain data backups that are completely isolated from production systems.
Ransomware is malicious software that encrypts files on a victim’s system. Attackers then demand a ransom, usually in cryptocurrency, for the decryption key. Ransomware groups also steal data and threaten to release it if not paid.
A ransomware wiper is a module added to ransomware that erases file contents, leaving the files unrecoverable, even with a decryption key or backup restoration attempt.
Anubis attacks start with spear-phishing emails, which lure recipients into opening malicious links or attachments.