SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Anubis Ransomware
Jan 22, 2026

Dark Web Profile: Anubis Ransomware

Anubis (Sphinx) ransomware is a Ransomware-as-a-Service (RaaS) group that challenges one of the core assumptions of modern ransomware response: that recovery is always possible after payment. Alongside standard file encryption, Anubis introduces an optional wipe mode that permanently destroys data, removing decryption as a guaranteed outcome.

First observed in late 2024, Anubis quickly drew attention on underground forums not because of scale, but because of intent. The operation positions encryption, data theft, access resale, and data destruction as interchangeable tools rather than sequential steps. This flexibility reshapes both the attacker’s leverage and the defender’s response priorities.

Threat actor card of Anubis Ransomware

Who is Anubis Ransomware?

Anubis is a relatively new Ransomware-as-a-Service (RaaS) operation that surfaced in late 2024 on Russian-language cybercrime forums. Early advertisements appeared on underground platforms such as RAMP and XSS under multiple aliases, while development activity traces back to an earlier build known as Sphinx. Code-level comparisons between Sphinx and later Anubis samples show near-identical functionality, indicating a direct rebrand rather than a fork or third-party reuse.

Anubis RaaS Threat Intelligence Report (Source: SOCRadar MCP)

What sets Anubis apart from most contemporary ransomware families is its dual execution model. In addition to standard file encryption, Anubis includes an optional destructive wipe mode that irreversibly overwrites file contents. When this mode is used, recovery remains impossible even if a ransom is paid. This capability fundamentally alters the extortion dynamic and signals a willingness to trade decryption leverage for permanent impact.

It is important to clarify naming overlap. Anubis ransomware is not related to the older Anubis Android banking trojan, nor to the Anubis backdoor historically associated with FIN7. Despite the shared name, this Anubis represents a distinct malware family developed independently, with no confirmed operational or code lineage connecting it to FIN7 tooling.

Operational indicators suggest Anubis operators are Russian-speaking and likely operate within or around CIS regions. Targeting patterns consistently exclude former Soviet states, a behavior common among Russian-aligned RaaS groups. Since its emergence, Anubis activity has been observed across multiple sectors, with a preference for environments holding high-value or regulated data, including healthcare, engineering, and construction organizations across North America, Europe, and parts of APAC.

RaaS Ecosystem Positioning

Anubis operates a flexible affiliate-driven RaaS model that goes beyond simple ransomware deployment. Affiliates are responsible for initial compromise, lateral movement, and execution, while Anubis operators provide the malware, leak-site infrastructure, and negotiation backend.

RAMP hacker forum post promoting Anubis Ransomware and data extortion services.

The standard revenue split heavily favors affiliates, with roughly 80% of ransom proceeds going to the affiliate who carries out the intrusion. More notably, Anubis extends monetization beyond encryption through two parallel programs:

  • Data extortion program, where affiliates supply stolen datasets and receive a share of profits generated through standalone data blackmail.
  • Access broker channel, enabling the sale of compromised network access without deploying ransomware at all.

This structure allows affiliates to choose between encryption, data-only extortion, or access resale based on victim profile and operational risk. Combined with the optional wipe mode, Anubis presents affiliates with an unusually broad set of coercive options, reinforcing its focus on controlled, high-impact operations rather than indiscriminate mass infection.

How Does Anubis Ransomware Operate?

Anubis ransomware follows a manual, operator-controlled execution model rather than automated spread. Affiliates typically deploy the payload only after achieving sufficient access, privilege, and data visibility inside the target environment. This design choice aligns Anubis with high-impact, low-noise intrusions rather than mass ransomware campaigns.

Anubis Ransomware attack chain

Initial Access (T1566, T1133, T1078)

Anubis affiliates most commonly gain initial access through spear-phishing emails containing malicious documents or compressed executables. These lures impersonate trusted senders and rely on user interaction to execute the initial payload.

In parallel, affiliates actively abuse exposed Internet-facing services, particularly Remote Desktop Protocol (RDP). Compromised credentials, brute-force attempts, or previously obtained access are used to directly deploy the ransomware. In some cases, trojanized software installers and fake updates are used to establish footholds, especially in environments with weak application control.

Execution and Controlled Deployment (T1059, T1569.002)

Anubis is not designed to self-propagate. Execution is typically manual and timed, often occurring after reconnaissance and data staging are complete.

The ransomware requires explicit command-line parameters to function correctly. These parameters define encryption keys, target paths, excluded directories, privilege behavior, and optional destructive actions. This requirement strongly suggests that Anubis is intended for hands-on affiliate control, rather than autonomous execution.

Privilege Escalation (T1548.002, T1134)

Upon launch, Anubis checks whether it is running with administrative privileges. If not, it attempts to relaunch itself with elevated rights. When administrative access is available, the malware escalates further to SYSTEM-level execution using access token manipulation techniques.

The malware verifies elevated privileges by attempting low-level disk access, a common indicator of SYSTEM permissions. This escalation enables unrestricted interaction with services, backups, and security tooling.

Defense Evasion (T1562.001, T1490, T1070)

Once elevated, Anubis aggressively suppresses defensive controls. It terminates processes related to databases, backup software, endpoint protection platforms, and productivity applications to unlock files and reduce detection during encryption.

Recovery mechanisms are deliberately disabled. Volume Shadow Copies are deleted, Windows recovery options are suppressed, and system artifacts are removed to complicate forensic analysis. These actions significantly limit post-incident recovery options.

Anubis binaries are written in Go, resulting in large statically compiled payloads that hinder static analysis. Observed samples also employ in-memory decryption stages and basic anti-analysis checks to evade sandboxing and debugging.

Data Encryption (T1486)

When encryption is triggered, Anubis uses a hybrid cryptographic scheme based on ECIES. File contents are encrypted with symmetric encryption, while encryption keys are protected using elliptic curve public-key cryptography.

Encrypted files are renamed with the .anubis extension, and HTML-based ransom notes are dropped across affected directories. These notes contain victim identifiers and instructions for contacting the operators through Tor-based portals.

Wiper Mode and Destructive Capability (T1485)

A defining feature of Anubis is its optional wipe mode, activated explicitly by the operator. When enabled, files are overwritten rather than encrypted, resulting in permanent data loss.

This capability removes the possibility of recovery even if a ransom is paid. The inclusion of a wiper option positions Anubis closer to destructive malware than traditional ransomware and significantly escalates operational risk for victims.

Data Exfiltration and Extortion (T1048, T1567)

Data exfiltration typically occurs before ransomware execution and is carried out using separate tools or legitimate transfer utilities. Stolen data is later leveraged for extortion via Anubis-operated Tor leak sites.

After encrypting the victim’s files, the ANUBIS team leaves a ransom note titled RESTORE FILES.html. (Source: TrendMicro)

Anubis’s broader RaaS ecosystem supports data-only extortion and access resale, allowing affiliates to monetize intrusions even without deploying encryption. This flexibility reinforces Anubis’s focus on controlled, outcome-driven attacks rather than single-path monetization.

How to Defend Against Anubis Ransomware?

Anubis relies on controlled execution, elevated privileges, and data destruction rather than automated spread. Because of this, classic hardening remains effective, but timing and visibility are critical.

  • Reduce and monitor the external attack surface: Maintain an accurate inventory of internet-facing assets, including RDP endpoints, VPN gateways, administrative panels, and legacy services. Remove unnecessary exposure, restrict access through VPN or SSO, and avoid direct internet access to management interfaces.
  • Secure initial access paths: Enforce multi-factor authentication for remote access and administrative accounts. Monitor failed and successful login attempts on exposed services, especially RDP, to detect brute-force or credential-stuffing activity.
  • Patch exposed systems with attacker context in mind: Prioritize patching for public-facing services and remote access infrastructure. Focus on vulnerabilities actively discussed or exploited in underground forums rather than relying on CVSS scores alone.
  • Harden backup and recovery infrastructure: Use immutable or offline backups that cannot be deleted or overwritten, even with administrative privileges. Segment backup networks and restrict write access to prevent ransomware-driven backup destruction.
  • Detect pre-encryption activity: Monitor for abnormal use of administrative tools, mass service termination, shadow copy deletion, and unusual outbound data transfers that may indicate data staging or exfiltration before encryption or wiping.
  • Prepare for destructive scenarios: Assume that recovery may not be possible if wipe mode is triggered. Incident response plans should prioritize early containment and isolation over post-encryption remediation.
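The pre-encryption behaviors listed above (mass process and service termination, shadow copy deletion, suppression of Windows recovery options) are the same ones described in the Defense Evasion section, and they can be caught from process-creation telemetry before the encryption or wipe stage runs. The following detector is an added example, not code from the original post or from SOCRadar: the simple `ts host= user= cmd=` log format, the command patterns, the burst threshold and the sample events are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Recovery-inhibition command patterns (shadow copy deletion, recovery options
# suppressed). The pattern set and log format are assumptions for this example.
RECOVERY_INHIBIT = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "shadow copy deletion (vssadmin)"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "shadow copy deletion (wmic)"),
    (r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", "windows recovery suppressed"),
]
KILL_CMD = re.compile(r"\b(taskkill(\.exe)?\s|net(\.exe)?\s+stop\s|sc(\.exe)?\s+stop\s)", re.I)
KILL_BURST_THRESHOLD, KILL_BURST_WINDOW = 5, 60  # assumed: 5 kill/stop cmds on one host within 60 s
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

def detect(lines):
    """Return (host, finding) tuples, in the order the evidence appears."""
    findings, kills = [], defaultdict(list)   # kills: host -> recent kill timestamps
    for raw in lines:
        m = LOG_LINE.match(raw)
        if not m:
            continue            # ignore lines that are not process-creation events
        host, cmd = m["host"], m["cmd"]
        ts = datetime.fromisoformat(m["ts"])
        for pat, label in RECOVERY_INHIBIT:
            if re.search(pat, cmd, re.I):
                findings.append((host, label))
        if KILL_CMD.search(cmd):
            # sliding window: drop kills older than the window, then count this one
            kills[host] = [t for t in kills[host] if (ts - t).total_seconds() <= KILL_BURST_WINDOW]
            kills[host].append(ts)
            if len(kills[host]) == KILL_BURST_THRESHOLD:
                findings.append((host, "mass process/service termination burst"))
    return findings

SAMPLE_LOG = [  # constructed process-creation events, not real telemetry
    "2026-01-10T02:14:01 host=FS01 user=CORP\\svc_admin cmd=taskkill /F /IM sqlservr.exe",
    "2026-01-10T02:14:02 host=FS01 user=CORP\\svc_admin cmd=taskkill /F /IM backup_agent.exe",
    "2026-01-10T02:14:03 host=FS01 user=CORP\\svc_admin cmd=net stop MSSQLSERVER",
    "2026-01-10T02:14:05 host=FS01 user=CORP\\svc_admin cmd=taskkill /F /IM outlook.exe",
    "2026-01-10T02:14:06 host=FS01 user=CORP\\svc_admin cmd=taskkill /F /IM excel.exe",
    "2026-01-10T02:14:09 host=FS01 user=CORP\\svc_admin cmd=vssadmin.exe delete shadows /all /quiet",
    "2026-01-10T02:14:10 host=FS01 user=CORP\\svc_admin cmd=bcdedit /set {default} recoveryenabled no",
    "2026-01-10T09:00:00 host=WS22 user=CORP\\jdoe cmd=taskkill /IM notepad.exe",
]

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_LOG):
        print(f"[{host}] {finding}")
```

The single `taskkill` on WS22 is deliberately left unflagged: isolated administrative use is normal, and it is the burst on one host followed by recovery inhibition that marks the staging phase described above.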

How Can SOCRadar Support Defense Efforts?

  • Attack Surface Management (ASM): Identifies exposed RDP services, VPN portals, and forgotten internet-facing assets that ransomware operators often exploit for initial access.
  • Vulnerability Intelligence: Correlates external exposure with exploit activity and threat actor behavior, helping teams prioritize patches for services already abused in ransomware campaigns.
  • Dark Web Monitoring: Tracks ransomware leak sites, underground forums, and extortion channels for early signals of data exposure or victim listings related to Anubis operations.
  • Threat Actor Intelligence: Provides visibility into Anubis-related tactics, techniques, and procedures, enabling defenders to align detection and response with current ransomware behavior.

SOCRadar Threat Actor Intelligence

By combining external exposure visibility with underground intelligence, security teams gain earlier warning signals and stronger context to disrupt Anubis attacks before encryption or destructive wiping is triggered.