New Anubis ransomware can encrypt and destroy data, making file recovery impossible

WTF?! Being affected by a dangerous ransomware operation is bad enough, but at least you might have a chance to recover your files somehow. A recently discovered ransomware strain is making things even trickier by offering a new wiping option that allows affiliate criminals to completely destroy data after encryption.

Security researchers have discovered a new Ransomware-as-a-Service campaign with highly destructive potential. Anubis has only been around for a few months and fortunately, hasn’t claimed many victims thus far. However, the operation could soon become more widespread, and far more difficult to mitigate in terms of data recovery.

Anubis is an emerging RaaS operation designed to combine file encryption with file destruction routines. In addition to encrypting data on Windows systems, the malware features a “wipe mode” that can permanently erase files. Once wipe mode has been activated, the affected files cannot be recovered – even by companies willing to pay the ransom.

Anubis was first identified in December 2024, when Trend Micro analyzed a work-in-progress sample known as Sphinx. According to the security firm, Anubis and Sphinx are essentially the same malware, differing mainly in the ransom note dropped on infected systems. Anubis’ extortion page on the dark web currently lists just eight victims, suggesting the developers could ramp up the business side of the operation once the technical aspects are fully developed.

Earlier this year, the Anubis gang was caught trying to recruit new affiliates through underground forums. The RaaS operation offered would-be partners an 80 percent share of the malicious proceeds, while data extortion affiliates were promised a 60 percent share. Initial access brokers were offered a 50 percent share of the revenues.

Why try to destroy files after they have already been encrypted? Security experts say the cybercriminals could exploit the wiper functionality to apply additional pressure on victims, pushing them toward a quick, early payment instead of giving them a chance to negotiate or ignore the threat altogether.

In any case, the wiping payload must be deliberately activated by the RaaS “customers.” The ransomware typically compromises a PC through phishing emails carefully crafted to mimic trusted sources. Anubis also carries additional dangerous payloads that can be used to execute command-line programs, escalate privileges, and remove shadow copies from the local system volume, among other actions.
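Shadow-copy removal is the part of that payload chain a defender can most reliably catch in endpoint telemetry, because it has to run through a handful of well-known Windows interfaces before encryption starts. The following Python script is an added example, not code from the article or from Trend Micro's analysis: it runs three detection rules over a few constructed Sysmon-style process-creation events and raises the severity when the parent process was launched from a user-writable location such as a Temp folder. The event field names (`host`, `image`, `cmd`, `parent`) and the sample events are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are not real telemetry; the hosts, paths and parents are invented.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"host": "ws-01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"host": "srv-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows",          # benign: an admin listing snapshots
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "srv-02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy call create Volume=C:\\",   # benign: backup agent creating one
     "parent": r"C:\Program Files\BackupAgent\agent.exe"},
    {"host": "ws-03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Detection rules for shadow-copy deletion (MITRE ATT&CK T1490, Inhibit System Recovery).
# Case-insensitive and tolerant of extra arguments between the key tokens.
SHADOW_DELETE_RULES = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wmi_win32_shadowcopy_delete": re.compile(r"win32_shadowcopy\b.*\bdelete\s*\(", re.I),
}

# A parent process living in a user-writable directory is a stronger signal than an
# admin console or a backup agent, which normally run from System32 or Program Files.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata|downloads)\\", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    command_line: str


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if the event's command line matches a shadow-copy deletion rule."""
    cmd = event.get("cmd", "")
    for rule, pattern in SHADOW_DELETE_RULES.items():
        if pattern.search(cmd):
            parent = event.get("parent", "")
            severity = "high" if USER_WRITABLE.search(parent) else "medium"
            return Finding(event.get("host", "?"), rule, severity, cmd)
    return None


def detect(events) -> list:
    """Run every event through classify() and keep only the matches."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding.severity:>6}] {finding.host}: {finding.rule}: {finding.command_line}")
```

Run against the constructed events, the two commands launched from the Temp folder come out as high severity, the PowerShell WMI deletion as medium, and the listing and creation commands produce nothing. In a real deployment the same rules would be fed from an EDR or Sysmon pipeline rather than an inline list, and the parent-path check is a heuristic to prioritise triage, not a reason to ignore a medium-severity hit.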

The Anubis malware marks a significant evolution in the ransomware threat landscape, Trend Micro said. The security firm also provided a list of best practices to defend against such threats, including email and internet safety, regular data backups, user education, and more.

Image credit: Bleeping Computer
