Anubis Ransomware: Operational Profile, Attack Chain, and Response Priorities

5 March 2026

Anubis is a Ransomware-as-a-Service (RaaS) operation active since December 2024, originally developed under the codename Sphinx. It combines file encryption and data exfiltration with a destructive wipe mode that permanently overwrites file contents, preventing recovery even when a decryption key is available. This combination fundamentally alters the extortion dynamic while shifting response priorities toward early containment.

Operational profile

Anubis first surfaced on Russian-language cybercrime forums in late 2024. Early development samples circulated under the name Sphinx, with ransom notes that lacked both a Tor site and unique victim identifiers, indicators of either active development or operator inexperience. By February 2025, a threat actor began promoting the rebranded Anubis operation on the RAMP forum under the alias “superSonic,” while a second persona, “Anubis__media,” established presence on the XSS forum. An X (formerly Twitter) account was created around the same time to amplify victim postings.

The group operates a Tor-hosted leak site. After compromising an organization, Anubis prepares a detailed write-up, styled as an investigative article, based on the exfiltrated data. The article is initially published in hidden mode on the blog, accessible only via a direct link shared with the victim during negotiations. If payment is not received, the article is made public and promoted through the group’s X account. The group also positions representatives as media contacts, reaching out to journalists and offering exclusive access to stolen datasets as a pressure tactic.

Forum activity, communications, and observed operational patterns are consistent with a Russian-speaking threat actor operating within CIS-aligned time zones; however, this remains an analytical assessment rather than definitive attribution.

Targeting and victimology

As of early 2026, Anubis has claimed nearly 60 victims since its first public activity in late December 2024, based on publicly available ransomware tracking data. The group combines opportunistic access with deliberate sector focus.

[Figure: Anubis ransomware leak site]

The majority of victims are based in the United States, followed by Australia, Canada, and a smaller number of victims across Western Europe, Latin America, and Asia-Pacific. This reflects the group’s publicly stated targeting criteria: Anubis has explicitly identified the U.S., Europe, Canada, and Australia as priority regions.

In terms of industry focus, healthcare and manufacturing appear most frequently among listed victims, followed by business services, hospitality, and construction.

The group has publicly stated that it excludes educational institutions, government entities, and non-profit organizations from targeting. Consistent with many Russian-speaking ransomware operations, organizations in post-Soviet states (CIS countries) are excluded from targeting. Target organizations tend to be small and mid-sized enterprises, though several larger entities have also appeared on the leak site.

Extortion model

Anubis operates three distinct affiliate programs, each with a different revenue structure and operational role.

Affiliate programs

  • Ransomware-as-a-Service (revenue split: 80% affiliate / 20% operator): affiliates deploy Anubis ransomware using the group's infrastructure and tooling.
  • Data Extortion (revenue split: 60% affiliate / 40% operator): affiliates provide stolen data (must be exclusive and less than six months old); Anubis manages the extortion campaign.
  • Access Monetization (revenue split: 50% affiliate / 50% operator): initial access brokers provide corporate credentials; Anubis handles victim profiling and ransom extraction.

All revenue splits are described as negotiable for long-term cooperation. This flexibility is designed to attract affiliates with varying specializations: from hands-on intrusion operators to data brokers who lack the infrastructure to monetize stolen information independently.

The double extortion workflow follows a predictable pattern: data is exfiltrated before encryption, and the victim is threatened with public release if payment is not made. However, Anubis applies additional pressure through several less common tactics. The group threatens to notify regulatory bodies, including the UK Information Commissioner’s Office (ICO), the U.S. Department of Health and Human Services (HHS), the European Data Protection Board (EDPB), Canada’s Office of the Privacy Commissioner (OPC), and the Australian Office of the Information Commissioner (OAIC), about the compromise. It also threatens to contact the victim’s customers directly and publishes investigative-style articles that expose internal documents and operational details.

Malware and technical overview

Anubis binaries are written in Go (Golang), producing large, statically compiled executables that complicate static analysis. The confirmed Windows variant is a 64-bit EXE file approximately 5.42 MB in size. The group has advertised support for Windows, Linux, NAS, and ESXi environments across x64 and x32 architectures, though confirmed attacks have involved only Windows systems.

Command-line parameters

The ransomware accepts several parameters that control its execution behavior:

  • /KEY: initiates the encryption process using an authentication key
  • /elevated: forces re-execution with administrative privileges
  • /WIPEMODE: activates file destruction instead of encryption
  • /PATH: specifies a target directory for encryption
  • /PFAD: specifies directories to exclude from encryption

Privilege escalation

Before proceeding, the malware checks for administrative access by attempting to open a handle to \\.\PHYSICALDRIVE0, a raw disk path that requires elevated privileges. This method avoids standard API calls and user-facing User Account Control (UAC) prompts, making it less noisy from a privilege-checking perspective. If administrative access is confirmed, the ransomware attempts to escalate further to SYSTEM-level privileges through access token manipulation.

Interactive prompts observed in analyzed samples, such as messages that confirm privilege levels or ask the operator whether to continue without admin rights, indicate that the malware is still under active development.

Encryption

Anubis uses the Elliptic Curve Integrated Encryption Scheme (ECIES), a hybrid encryption scheme that combines elliptic-curve public-key cryptography with symmetric encryption. The implementation relies on a publicly available Go-based ECIES library. This encryption method is computationally efficient and considered highly resistant to decryption without the corresponding private key.

Wipe mode

When executed with the /WIPEMODE parameter, the ransomware overwrites file contents rather than encrypting them. Affected files are reduced to 0 KB while their names, extensions, and directory structure remain intact. This renders the data permanently unrecoverable: no decryption tool or key can restore files that have been wiped.

Attack flow

Phase 1: Initial access

Initial access methods include spear-phishing emails with malicious attachments or links. Additional access vectors include exploiting vulnerabilities in internet-facing services, particularly Remote Desktop Protocol (RDP), deploying via pre-existing malware loaders already present in the environment, and distributing via trojanized software installers or fake updates.

Phase 2: Privilege escalation and discovery

Once inside, the malware escalates privileges via token manipulation and then performs filesystem reconnaissance, scanning for documents, images, database files, and compressed archives. To maintain system stability and avoid drawing immediate attention, Anubis excludes critical system directories (Windows, System32, ProgramData, Program Files, AppData) and developer toolchain folders (.nuget, .gradle, .vscode) from its targeting scope.

Phase 3: Lateral movement and data exfiltration

Lateral movement within the compromised environment has been observed prior to encryption. Data is staged and exfiltrated before the impact stage, although specific lateral movement tooling has not been independently confirmed.

Phase 4: Defense evasion

Anubis aggressively suppresses defensive controls before initiating encryption or wiping. This includes:

  • Terminating database services (SQL Server Agent, SQL Server)
  • Stopping backup services (Veeam, BackupExec, Acronis)
  • Disabling endpoint protection (Symantec ccEvtMgr, Windows Defender)
  • Killing productivity applications (Excel, Word) to release file locks
  • Deleting all Volume Shadow Copies via the command: vssadmin delete shadows /for=norealvolume /all /quiet

These actions eliminate recovery options and reduce the chance of interference during the encryption or wiping process.

Phase 5: Encryption

With defenses disabled and shadow copies removed, Anubis encrypts targeted files using ECIES. Encrypted files receive the .anubis extension. A ransom note (RESTORE FILES.html) is dropped in affected directories, and the malware attempts to modify the desktop wallpaper via registry changes and by placing a file (wall.jpg) in %ProgramData%. Encrypted files are also assigned a custom icon (icon.ico), deployed to the same directory.

[Figure: Anubis ransom note (RESTORE FILES.html)]

ANUBIS

∟ Your files are encrypted by the ANUBIS team.

∟ Do not try to decrypt or modify the files yourself.

∟ Private data has been downloaded from your corporate network. What kind of data – we will be able to tell you in the process of negotiations.
In case negotiations do not lead to an agreement – your data will be published and disclosed to your clients/counterparts/partners.

∟ During the negotiation process you can request a test decryption of a few unimportant files. We will decrypt them as proof that what we say is true.
Also in the negotiation process you can request a listing of the stolen data and also proof of words.

To contact us – download TorBrowser at ************

Then go to our website :************
And enter your unique ID :************

Phase 6: Destructive stage (optional)

If the /WIPEMODE parameter was specified at launch, file contents are overwritten rather than encrypted. This stage may be deployed as a punitive measure after failed negotiations, as leverage during ongoing negotiations, or as a default configuration chosen by the affiliate before deployment.

Artifacts and host-based indicators

The following indicators are derived from technical analysis of confirmed Anubis ransomware samples and support host-based detection and incident triage.

File system indicators

  • Encrypted file extension: .anubis
  • Ransom note: RESTORE FILES.html
  • Wallpaper file: C:\ProgramData\wall.jpg
  • Icon file: C:\ProgramData\icon.ico
  • Registry modification: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper → path to wall.jpg
  • Excluded directories: Windows, System32, ProgramData, Program Files, AppData, .nuget, .gradle, .vscode, efi, boot

Process, service, and command indicators

  • Stopped services: SQLSERVERAGENT, BackupExecAgentBrowser, ccEvtMgr, VeeamTransportSvc
  • Terminated processes: sqlservr.exe, excel.exe, winword.exe
  • Shadow copy deletion: vssadmin delete shadows /for=norealvolume /all /quiet

Detection and monitoring

Pre-encryption signals

The most actionable window for detecting a ransomware attack occurs before encryption begins. Indicators at this stage include:

  • Mass service termination: Multiple backup, database, and security services stopping within a short timeframe. Monitoring for coordinated service stop events (particularly affecting Veeam, SQL Server, BackupExec, and endpoint protection) should trigger high-priority alerts.
  • Shadow copy deletion: vssadmin delete shadows attempts (/all /quiet).
  • Raw disk access attempts: Unexpected \\.\PHYSICALDRIVE0 handle requests from non-system processes, a strong behavioral indicator rarely seen in normal operations.
  • Unusual account activity: Access to sensitive directories using valid accounts in patterns inconsistent with normal usage, particularly outside business hours.
  • Distinctive command-line parameters: Process execution with arguments including /KEY=, /WIPEMODE, /elevated, /PATH=, or /PFAD=. These parameters are specific to the Anubis binary and should be monitored via process creation logging.
  • System branding modifications: Attempts to modify the desktop wallpaper via the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper and deployment of custom icon files (icon.ico) to C:\ProgramData. These changes can be detected through Sysmon registry modification events.
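The pre-encryption signals above, together with the command-line parameters and host indicators listed earlier, can be expressed as a small correlation rule. The following is an added example (not code from the article or from any vendor product) that evaluates a constructed timeline of simplified event records; the event dict layout, the two-minute window and the three-stop threshold are assumptions chosen for this example.

```python
from datetime import datetime, timedelta
# Indicators taken from the article; thresholds below are assumptions for this example
ANUBIS_ARGS = ("/KEY=", "/WIPEMODE", "/elevated", "/PATH=", "/PFAD=")
WALLPAPER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper"
WATCHED_SERVICES = {"SQLSERVERAGENT", "BackupExecAgentBrowser", "ccEvtMgr", "VeeamTransportSvc"}
RAW_DISK = r"\\.\PHYSICALDRIVE0"
STOP_WINDOW = timedelta(minutes=2)   # assumed: 3+ watched-service stops within 2 min is "mass"
STOP_THRESHOLD = 3

def check_process(ev):
    """Alerts from one process-creation record (Security 4688 / Sysmon 1 style)."""
    alerts = []
    cmd = ev.get("CommandLine", "").upper()
    if any(arg.upper() in cmd for arg in ANUBIS_ARGS):
        alerts.append("anubis_cli_parameter")
    if "VSSADMIN" in cmd and "DELETE SHADOWS" in cmd:
        alerts.append("shadow_copy_deletion")
    return alerts

def detect(events):
    """Evaluate a list of event dicts in time order; return the sorted set of alert names."""
    alerts = set()
    stop_times = []
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = ev["kind"]
        if kind == "process":
            alerts.update(check_process(ev))
        elif kind == "registry" and ev.get("TargetObject", "").upper() == WALLPAPER_KEY.upper():
            alerts.add("wallpaper_policy_modified")
        elif kind == "raw_access" and ev.get("Device", "").upper() == RAW_DISK.upper():
            # a raw handle to the physical disk from a non-system image is the article's signal
            if not ev.get("Image", "").upper().startswith("C:\\WINDOWS\\"):
                alerts.add("raw_disk_access")
        elif kind == "service_stop" and ev.get("Service") in WATCHED_SERVICES:
            stop_times.append(ev["time"])
            recent = [t for t in stop_times if ev["time"] - t <= STOP_WINDOW]
            if len(recent) >= STOP_THRESHOLD:
                alerts.add("mass_service_termination")
    return sorted(alerts)

# Constructed sample timeline resembling the article's pre-encryption sequence
T0 = datetime(2026, 3, 5, 2, 14, 0)
SAMPLE_EVENTS = [
    {"kind": "raw_access", "time": T0, "Image": r"C:\Users\Public\update.exe", "Device": RAW_DISK},
    {"kind": "service_stop", "time": T0 + timedelta(seconds=10), "Service": "SQLSERVERAGENT"},
    {"kind": "service_stop", "time": T0 + timedelta(seconds=25), "Service": "VeeamTransportSvc"},
    {"kind": "service_stop", "time": T0 + timedelta(seconds=40), "Service": "ccEvtMgr"},
    {"kind": "process", "time": T0 + timedelta(seconds=50), "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /for=norealvolume /all /quiet"},
    {"kind": "registry", "time": T0 + timedelta(seconds=55), "TargetObject": WALLPAPER_KEY},
    {"kind": "process", "time": T0 + timedelta(seconds=60), "Image": r"C:\Users\Public\update.exe",
     "CommandLine": r"update.exe /KEY=PLACEHOLDER /PATH=D:\Shares"},
]
```

Running `detect(SAMPLE_EVENTS)` returns all five alert names; two isolated service stops alone produce none, which is the point of the windowed count.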

Active encryption and wipe indicators

Once encryption or wiping has begun, available response time is limited. Indicators at this stage include:

  • Mass file rename operations, appending a new extension across multiple directories simultaneously.
  • Files are being reduced to 0 KB while retaining their original names and directory structure (wipe mode).
  • Appearance of HTML ransom notes across multiple directories in rapid succession.

Telemetry sources

Effective monitoring for Anubis activity should leverage Windows Event Logs (service control events, process creation), EDR telemetry (behavioral patterns, process trees), Sysmon (file creation, registry modification, network connections), and backup system logs (service interruptions, failed jobs).

Risk implications

The presence of a wipe capability fundamentally changes the risk calculation for organizations affected by Anubis. Unlike standard ransomware, wipe mode removes the assumption that data can be recovered through decryption or backup restoration. The destruction of source data also complicates post-incident forensic scoping: organizations may be unable to determine the full scope of exfiltrated data, which directly affects breach notification obligations and breach impact evaluation. The wipe mode makes immutable, offline backups a necessity rather than a best practice.

Incident response and containment

Immediate priorities

The first hours of an Anubis incident are critical, particularly if there is any indication that wipe mode may be active. Immediate actions should include:

  • Network isolation: Disconnect affected systems from the network to prevent further lateral movement and data destruction. Prioritize systems where files are actively being modified.
  • Scope assessment: Determine whether the attack is in an encryption phase, a wipe phase, or both. Files reduced to 0 KB indicate wipe activity and should escalate the urgency of containment.
  • Backup verification: Confirm the integrity and accessibility of offline and immutable backups before connecting any backup infrastructure to the affected network.
  • External engagement: Notify relevant law enforcement agencies and engage qualified incident response and legal counsel early in the process.
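The scope assessment step above, and the active encryption and wipe indicators listed earlier (.anubis extension, 0 KB files with names intact, HTML ransom notes), can be turned into a quick read-only triage walk. This is an added example, not the article's or any vendor's code: it builds a constructed sample tree in a temp directory and classifies files with the article's host indicators; treating a 0-byte file with a data extension as "wiped" is a heuristic (empty files exist legitimately), and the list of data extensions is an assumption.

```python
import os
import tempfile

ENCRYPTED_EXT = ".anubis"
RANSOM_NOTE = "RESTORE FILES.html"
# Directories the ransomware skips (article); 0-byte files there are not wipe evidence
SKIP_DIRS = {"windows", "system32", "programdata", "program files", "appdata",
             ".nuget", ".gradle", ".vscode", "efi", "boot"}
DATA_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".mdf", ".sql", ".zip", ".7z"}  # assumed

def triage(root):
    """Walk root read-only and report encrypted files, wipe candidates, notes and the phase."""
    result = {"encrypted": [], "wiped": [], "notes": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name == RANSOM_NOTE:
                result["notes"].append(path)
            elif ext == ENCRYPTED_EXT:
                result["encrypted"].append(path)
            elif ext in DATA_EXTS and os.path.getsize(path) == 0:
                result["wiped"].append(path)   # name and extension intact, content gone
    enc, wiped = bool(result["encrypted"]), bool(result["wiped"])
    result["phase"] = "both" if enc and wiped else "encryption" if enc else "wipe" if wiped else "none"
    return result

def build_sample_tree():
    """Constructed sample data: one encrypted file, one wiped file, notes, and a decoy in an excluded dir."""
    root = tempfile.mkdtemp(prefix="anubis_triage_")
    layout = {
        "Shares/Finance/q1.xlsx.anubis": b"\x00ciphertext",
        "Shares/Finance/RESTORE FILES.html": b"<html>note</html>",
        "Shares/HR/contracts.pdf": b"",            # wiped: 0 bytes, name intact
        "Shares/HR/RESTORE FILES.html": b"<html>note</html>",
        "Shares/HR/readme.txt": b"untouched",
        "Windows/System32/empty.pdf": b"",         # excluded directory: not counted
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root

def sample_triage():
    """Run the triage over the constructed tree; expected phase is "both"."""
    return triage(build_sample_tree())
```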

Evidence preservation

Before any remediation or recovery actions, preserve forensic artifacts. This includes memory captures from affected systems, copies of ransom notes, registry snapshots, event logs, and any communication from the threat actors. These artifacts support both incident investigation and potential regulatory notifications.

Clean recovery sequencing

Recovery should follow a controlled sequence: validate backup integrity, rebuild affected systems from clean images, restore data from verified backups, and re-validate the environment before reconnecting to the network. Rushing recovery without confirming that the attacker has been fully evicted risks re-encryption or additional data destruction.

Prevention and hardening

The following measures address the specific attack patterns and capabilities observed in Anubis operations:

  • Immutable and offline backups: Maintain backup copies that cannot be modified or deleted by any network-connected process. Test restoration procedures regularly: untested backups provide false assurance.
  • Network segmentation: Isolate critical systems, backup infrastructure, and administrative tools from general user networks. Limit the potential impact of any single compromise.
  • Privilege hygiene and MFA: Enforce the principle of least privilege across all accounts. Require multi-factor authentication for remote access, administrative interfaces, and backup management consoles. Anubis relies on privilege escalation; limiting initial privileges reduces its effectiveness.
  • Patch and exposure management: Prioritize patching for internet-facing services, particularly RDP, VPN gateways, and email servers. Reduce the external attack surface by disabling unnecessary services and monitoring for exposed management interfaces.
  • Monitoring for administrative tool abuse: Track the use of remote execution and administrative tools for anomalous patterns. Legitimate use should be baselined; deviations should trigger investigation.
  • Email security and user awareness: Deploy advanced email filtering with attachment sandboxing to intercept spear-phishing payloads before they reach end users. Complement technical controls with regular security awareness training focused on identifying targeted phishing attempts, the primary initial access vector used by Anubis operators.

Organizations that implement these controls reduce both the likelihood of a successful ransomware intrusion and the cost of recovery. When an incident has already occurred, specialized ransomware recovery services can assist with containment, investigation, and the restoration of business operations.

Author

  • Laura Pompeu

    Laura Pompeu is a content editor and strategy leader at Proven Data, bringing over 10 years of digital media experience. Leveraging her background in journalism, SEO, and marketing, Laura shapes cybersecurity and technology content to be insightful yet accessible.
