Anubis RaaS Ups the Ante with Destructive 'Wipe Mode' to Maximize Extortion

New Anubis Ransomware-as-a-Service Includes Optional 'Wipe Mode' for Permanent Data Destruction

HIGH | January 23, 2026 | 6m read
Ransomware, Malware, Threat Actor

Related Entities
  • Threat Actors: superSonic
  • Other: Anubis, Sphinx

Executive Summary

A new Ransomware-as-a-Service (RaaS) operation named Anubis is introducing a disturbing feature that escalates extortion tactics: a built-in data wiper. First seen in late 2024 as a prototype called "Sphinx," the Anubis group now advertises on Russian-language forums, offering a flexible attack model. Affiliates can choose between standard file encryption or executing the malware with a /WIPEMODE parameter. This mode does not encrypt files but instead permanently overwrites them with null bytes, making data recovery impossible. This changes the negotiation dynamic, as the promise of a decryption key becomes irrelevant. Instead, the attackers rely on the threat of leaking previously exfiltrated data, using the irreversible destruction as a powerful coercive tool. This hybrid encrypt/wipe/leak model provides attackers with multiple monetization paths and significantly increases pressure on victims.


Threat Overview

Anubis operates as a RaaS platform, providing malware and infrastructure to affiliates who carry out attacks. Its key differentiator is the flexibility of its impact phase.

  • Standard Mode: The malware behaves like traditional ransomware, encrypting files and demanding a ransom for the decryption key.
  • Wipe Mode: When executed with the /WIPEMODE command-line argument, the malware switches to a destructive function. It traverses the file system and overwrites the content of targeted files, reducing them to zero-byte files but leaving the original filenames intact. This is a purely destructive act.

This dual-mode capability suggests a strategic shift in extortion. Anubis operators can use the wipe mode in several scenarios:

  • As a punitive measure if a victim is uncooperative.
  • As their primary tactic if they believe the threat of leaking stolen data is sufficient leverage for payment.
  • To cause maximum disruption for ideological or other non-financial motives.

The group advertises its services on forums like RAMP and XSS, using aliases such as "superSonic," and targets a wide range of industries opportunistically, including healthcare, construction, and engineering in countries like the U.S., Canada, Australia, and Peru.

Note that this Anubis ransomware is unrelated to the older Anubis Android banking trojan and to the Anubis backdoor linked to the FIN7 group.

Technical Analysis

  • Execution Parameter: The switch between encryption and wiping is controlled by the simple /WIPEMODE parameter. This makes it easy for even less sophisticated affiliates to deploy the destructive payload.
  • Wiping Technique: The wiper function overwrites file contents with null bytes. This is a fast and effective method of data destruction that is generally irreversible through software means. This technique falls under T1485 - Data Destruction.
  • Extortion Model: The Anubis playbook is not linear. It treats encryption (T1486 - Data Encrypted for Impact), data theft, and data destruction as interchangeable tools to be deployed based on the situation, maximizing psychological pressure and potential payout.

Impact Assessment

The inclusion of a wiper function dramatically increases the potential impact of an Anubis attack.

  • Permanent Data Loss: If the wipe mode is used, there is no possibility of recovering data, even if the ransom is paid. This makes tested, offline backups the only viable recovery path.
  • Increased Pressure: The threat of permanent data destruction, combined with the threat of leaking stolen data, places victims under extreme pressure during negotiations.
  • Business Continuity Failure: An attack involving the wiper can be an extinction-level event for organizations without a robust and tested disaster recovery plan.
  • Incident Response Complication: Responders must quickly determine if the attack was an encryption or wipe event, as this fundamentally changes the response strategy from recovery negotiation to full disaster recovery.

Detection & Response

  1. Behavioral Monitoring: EDR and security monitoring tools should be configured to detect mass file modification activity. A high rate of files being overwritten to zero bytes is a strong indicator of a wiper attack. This aligns with D3FEND's File Analysis (D3-FA).
  2. Command Line Logging: Enable and monitor command line process creation (e.g., Windows Event ID 4688) to detect the execution of suspicious binaries with parameters like /WIPEMODE.
  3. Honeypots and Canaries: Place file canaries (honeypot files) on file shares. An alert on the modification or deletion of these files can provide an early warning of ransomware or wiper activity.
  4. Isolate and Analyze: If a wiper attack is suspected, immediately isolate the affected systems to prevent further spread. Secure a sample of the malware for analysis to confirm its behavior.
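The first two detection steps above (a process launched with the /WIPEMODE switch, and a burst of files overwritten to zero bytes) can be expressed as simple detection logic. The following is an added example, not code from the report or from any vendor tool; the event records are constructed samples and assume a SIEM has already normalised Windows 4688 process-creation and file-change telemetry into the dict shape shown.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption: a SIEM has normalised Windows
# 4688 process-creation and file-change records into these dicts).
def _t(sec):
    return datetime(2026, 1, 23, 10, 0, 0) + timedelta(seconds=sec)

EVENTS = [
    {"ts": _t(0), "type": "process", "host": "fs01",
     "cmdline": "C:\\Users\\Public\\svc.exe /WIPEMODE"},          # wiper launch
    {"ts": _t(0), "type": "process", "host": "ws02",
     "cmdline": "C:\\Windows\\System32\\notepad.exe notes.txt"},  # benign
    {"ts": _t(30), "type": "file", "host": "ws02",
     "path": "C:\\tmp\\log.txt", "old_size": 10, "new_size": 0},   # single truncation, benign
]
# Eight share files overwritten to zero bytes within five seconds on fs01.
EVENTS += [{"ts": _t(1 + i // 2), "type": "file", "host": "fs01",
            "path": f"D:\\share\\doc{i}.docx", "old_size": 4096, "new_size": 0}
           for i in range(8)]

def find_wipemode_launches(events):
    """Process-creation records whose command line carries the /WIPEMODE switch."""
    return [e for e in events
            if e["type"] == "process" and "/wipemode" in e["cmdline"].lower()]

def find_zero_byte_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Hosts on which at least `threshold` non-empty files were overwritten to
    zero bytes inside any `window`-long interval (sliding window per host).
    Returns {host: peak count in a window}."""
    per_host = {}
    for e in events:
        if e["type"] == "file" and e["old_size"] > 0 and e["new_size"] == 0:
            per_host.setdefault(e["host"], []).append(e["ts"])
    bursts = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[host] = peak
    return bursts

if __name__ == "__main__":
    print(find_wipemode_launches(EVENTS))
    print(find_zero_byte_bursts(EVENTS))
```

The threshold and window are tuning knobs; a file server that legitimately truncates many files (log rotation, build systems) needs a higher threshold or an allow-list of paths.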

Mitigation Recommendations

Given the destructive nature of Anubis, preventative and recovery-focused mitigations are paramount.

  1. Immutable Backups (M1053 - Data Backup): This is the most critical defense against wipers. Maintain multiple, tested backups, with at least one copy being offline (air-gapped) or immutable (unable to be altered or deleted). Regularly test the restoration process.
  2. Network Segmentation (M1030 - Network Segmentation): Segment the network to contain the spread of a ransomware/wiper infection. Prevent lateral movement from workstations to critical servers.
  3. Application Control (M1038 - Execution Prevention): Use application allow-listing to prevent unauthorized executables from running on endpoints and servers.
  4. Privileged Access Management (M1026 - Privileged Account Management): Strictly control and monitor the use of privileged accounts, as these are required to deploy ransomware across a network.

Timeline of Events

  1. January 23, 2026: This article was published.

MITRE ATT&CK Mitigations

  • The single most critical mitigation against destructive wipers: maintain offline, air-gapped, or immutable backups and test restoration procedures regularly.
  • Use EDR solutions that can detect and block mass file modification/deletion behaviors characteristic of ransomware and wipers.
  • Contain the blast radius of an attack by segmenting networks to prevent rapid lateral movement.

Sources & References

  • Dark Web Profile: Anubis Ransomware. SOCRadar (socradar.io), January 22, 2026.
  • Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper. Trend Micro (trendmicro.com), January 13, 2025.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: RaaS, Wiper Malware, Data Destruction, Extortion, Double Extortion
