Anubis
Anubis is a ransomware-as-a-service (RaaS) operation first observed in late 2024 and reported as launching in December 2024. Reporting links the group to an earlier build called Sphinx, with code-level similarities described as indicating a rebrand rather than a fork. Reporting explicitly notes that it is unrelated to the older Anubis Android banking trojan and to the Anubis backdoor associated with FIN7. Operational indicators suggest Russian-speaking operators, with targeting patterns that exclude former Soviet states.

The operation uses an affiliate-driven model: affiliates conduct intrusion, lateral movement, and deployment, while operators provide the malware, leak-site infrastructure, and negotiation backend. Anubis is reported to have offered affiliates 80% of paid ransoms and to have launched an affiliate program on the RAMP forum in February 2025. It also offers parallel monetization models, including data extortion and sale of compromised access.

Anubis is described as using encryption-based payloads and extortion tactics, including double extortion. Its ransom note states that files are encrypted, that private corporate data has been downloaded, and that stolen data will be published if negotiations fail; victims are directed to a Tor-based negotiation portal and offered test decryption. The malware is described as manually operated, requiring explicit command-line parameters. It attempts privilege escalation to admin/SYSTEM, deletes Volume Shadow Copies, suppresses recovery options, terminates security, backup, database, and productivity processes, encrypts files with a hybrid ECIES-based scheme, appends a .anubis extension, and drops HTML ransom notes. Reporting also states that in June 2025 Anubis added a destructive data-wiping capability (an optional wipe mode) that can permanently destroy files beyond recovery.
Reported initial access methods include spear-phishing with malicious documents or compressed executables, abuse of exposed internet-facing services such as RDP, compromised credentials, brute-force attempts, previously obtained access, and trojanized installers or fake updates. Anubis is described as active across multiple sectors and geographies, including North America, Europe, and parts of APAC, with an observed focus on healthcare, engineering, and construction. Multiple sources state that Anubis stands out for targeting healthcare and critical infrastructure and for focusing on sectors with high compliance risk, such as healthcare. The group is also described as using compliance-related extortion pressure and producing detailed investigative breakdowns of victim datasets.

Victims and claimed targets mentioned in reporting include Signature Healthcare/Brockton Hospital, AkzoNobel, AllerVie Health, Laidley Family Doctors, Copec S.A., the Port System Authority of the Central Adriatic Sea, Langley Twigg Law, a South Korean plastics manufacturer, Disneyland Paris, and other organizations listed in the victim mentions. Anubis claimed responsibility for the Signature Healthcare incident and said it stole 2 TB of data; the attack disrupted hospital operations and forced downtime procedures. Anubis also claimed the AkzoNobel breach, alleging theft of about 170 GB of data. The group is described as a relatively new ransomware actor and one to watch in 2025.
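As an added illustration (not code from the page's sources or from any vendor), a small Python detector for the host-level behaviours described above: shadow-copy deletion and recovery suppression, mass renames to the .anubis extension, and an HTML note dropped by the same process. The pipe-delimited event format and the note filename are assumptions of this example, not reported indicators.

```python
import re
from collections import defaultdict

# Constructed sample events for this example (assumption: a simple
# "type|host|process|detail" line format, not a real vendor log schema).
# "note.html" is a placeholder, not a reported ransom-note filename.
SAMPLE_EVENTS = """\
proc|ws01|cmd.exe|vssadmin.exe delete shadows /all /quiet
proc|ws01|cmd.exe|bcdedit /set {default} recoveryenabled no
file_rename|ws01|svc.exe|C:\\Share\\q1.xlsx -> C:\\Share\\q1.xlsx.anubis
file_rename|ws01|svc.exe|C:\\Share\\q2.docx -> C:\\Share\\q2.docx.anubis
file_rename|ws01|svc.exe|C:\\Share\\q3.pdf -> C:\\Share\\q3.pdf.anubis
file_create|ws01|svc.exe|C:\\Share\\note.html
proc|ws02|explorer.exe|notepad.exe todo.txt
file_rename|ws02|backup.exe|D:\\bak\\old.zip -> D:\\bak\\old.zip.bak
"""

# Recovery-inhibition commands: shadow copy deletion and recovery suppression
# (the behaviours reported for this family), matched case-insensitively.
RECOVERY_INHIBIT = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|"
    r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)
ANUBIS_EXT = re.compile(r"->\s*.+\.anubis$", re.I)   # rename target ends in .anubis
HTML_NOTE = re.compile(r"\.html?$", re.I)            # HTML file created

def detect(log_text, rename_threshold=3):
    """Return a sorted list of (host, rule) findings from the event lines."""
    findings = set()
    renames = defaultdict(int)   # (host, process) -> count of .anubis renames
    notes = set()                # (host, process) pairs that created an HTML file
    for line in log_text.splitlines():
        etype, host, proc, detail = line.split("|", 3)
        if etype == "proc" and RECOVERY_INHIBIT.search(detail):
            findings.add((host, "recovery_inhibition"))
        elif etype == "file_rename" and ANUBIS_EXT.search(detail):
            renames[(host, proc)] += 1
            findings.add((host, "anubis_extension"))
        elif etype == "file_create" and HTML_NOTE.search(detail):
            notes.add((host, proc))
    # Higher confidence: one process both mass-renamed to .anubis and dropped an HTML file,
    # which matches the encrypt-then-drop-note sequence described for this family.
    for key, n in renames.items():
        if n >= rename_threshold and key in notes:
            findings.add((key[0], "mass_encrypt_with_note"))
    return sorted(findings)

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The rename threshold and the HTML heuristic are tuning knobs; in production the same logic would key on real EDR or Sysmon file and process events rather than the constructed lines here.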
Tradecraft
11 distinct techniques observed across reporting, grouped by tactic.
Observables
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware actor contributing to elevated finance victim counts in April.
Referenced as a ransomware program evaluated primarily on affiliate profit split.
Ransomware actor distinguished by willingness to target healthcare and critical infrastructure sectors more than peers.
Targets mid-sized healthcare organizations with ransomware, causing system disruption and downtime.