Валентин Шнайдер, Hot News
17 June 2025, 10:11
The Anubis virus erases file contents and leaves only empty shells
The Anubis hacking group, which runs one of the newer ransomware-as-a-service (RaaS) operations, has added a module to its malware that not only encrypts files but also completely destroys their contents, making data recovery impossible even after the ransom is paid.
As reported by Bleeping Computer, researchers at Trend Micro have discovered a new feature in recent versions of the Anubis malware: a special tool that erases the contents of files, leaving only their names and the directory structure. As a result, the user sees "empty" documents, 0 KB in size, which cannot be restored.
This destructive feature is activated using the /WIPEMODE command line parameter, which requires key authentication. According to analysts, the new approach is designed to increase pressure on victims, forcing them to pay faster and not delay negotiations.
Anubis became more active in early 2025, although the first mentions of it appeared in December 2024. In late February, the hackers announced the launch of an affiliate program on the RAMP forum, offering affiliates up to 80% of the revenue from attacks. However, the Anubis page on the darknet currently lists only 8 recorded victims.
The malware uses ECIES encryption, deletes shadow volume copies and terminates critical processes, but skips important system directories to preserve the functionality of the infected device. After encryption, the .anubis extension is appended to the files, and an HTML file with ransom instructions appears in the affected folders. In some cases, the program tries to change the desktop wallpaper, but without success.
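For responders scoping the damage, the two outcomes described above (files left as 0 KB shells versus files encrypted and renamed with .anubis) can be told apart by comparing a pre-incident file inventory with the current one. The following is an added example, not code from the article or from Trend Micro; the inventories, event records, host names and function names are constructed for illustration, and it assumes a wiped file may or may not also carry the .anubis suffix.

```python
from collections import Counter
from pathlib import PureWindowsPath

WIPE_FLAG = "/wipemode"   # command-line parameter named in the article
ENC_SUFFIX = ".anubis"    # extension appended after encryption

# Constructed sample data: path -> size in bytes, before and after the incident.
BASELINE = {r"C:\Share\fin\q1.xlsx": 48213, r"C:\Share\fin\q2.xlsx": 51002,
            r"C:\Share\hr\staff.docx": 20480, r"C:\Share\hr\empty.txt": 0}
CURRENT = {r"C:\Share\fin\q1.xlsx": 0, r"C:\Share\fin\q2.xlsx.anubis": 51340,
           r"C:\Share\hr\staff.docx": 20480, r"C:\Share\hr\empty.txt": 0}
# Constructed process-creation records (for example exported from EDR or Sysmon).
EVENTS = [{"host": "ws-01", "cmdline": r"C:\Users\Public\sample.exe /WIPEMODE <redacted>"},
          {"host": "ws-02", "cmdline": r"C:\Windows\System32\notepad.exe notes.txt"}]

def classify(baseline, current):
    """Label each baseline file as intact, wiped, encrypted or missing."""
    verdicts = {}
    for path, old_size in baseline.items():
        renamed = path + ENC_SUFFIX
        if path in current:
            # Name survived: wiped only if it had content before and has none now.
            wiped = old_size > 0 and current[path] == 0
            verdicts[path] = "wiped" if wiped else "intact"
        elif renamed in current:
            # Assumption: a renamed file with 0 bytes was wiped, not just encrypted.
            verdicts[path] = "encrypted" if current[renamed] > 0 else "wiped"
        else:
            verdicts[path] = "missing"
    return verdicts

def by_directory(verdicts):
    """Count verdicts per parent directory to show which shares were hit."""
    counts = {}
    for path, verdict in verdicts.items():
        parent = str(PureWindowsPath(path).parent)
        counts.setdefault(parent, Counter())[verdict] += 1
    return counts

def wipe_mode_events(events):
    """Return process-creation records whose command line carries the wipe flag."""
    return [e for e in events if WIPE_FLAG in e["cmdline"].lower()]

if __name__ == "__main__":
    for folder, counts in by_directory(classify(BASELINE, CURRENT)).items():
        print(folder, dict(counts))
    print("wipe-mode hosts:", [e["host"] for e in wipe_mode_events(EVENTS)])
```

Files labelled "wiped" have to come from backups, since their contents no longer exist on disk in any form.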
Anubis distribution typically begins with malicious emails, either with links or infected file attachments, a common attack vector targeting both companies and individuals.
Anubis should not be confused with the Android virus of the same name. This is a separate RaaS operation. Experts warn that the new tactics could mean Anubis is moving to a higher level of destructiveness, and the number of attacks could increase over time.