
Anubis ransomware adds novel file wiping capabilities


Illustration: JMiks | Shutterstock

An emerging ransomware strain dubbed Anubis has upgraded its capabilities with a novel file-wiping feature that irreversibly destroys files on a targeted computer's storage drives. The ransomware has been active since at least late 2024 under a ransomware-as-a-service (RaaS) model and has so far focused on data theft and extortion rather than destruction.

The new functionality was spotted by researchers at Trend Micro. Their latest report on the ransomware claims that researchers have found “specific command line operations for these destructive actions, including attempts to change system settings and wipe directories.”

The new feature, dubbed "wipe mode," does more than delete files: it specifically targets directories whose loss severely reduces the chance of recovery, so that data cannot be restored even if the ransom is paid. The feature is meant to add pressure on the victim, raising the stakes of an already damaging attack.

[Figure] Anubis ransomware attack chain | Source: Trend Micro

Anubis also terminates specific processes on the target system, deletes Volume Shadow Copies to hinder recovery, and encrypts data using the Elliptic Curve Integrated Encryption Scheme (ECIES). The ransomware even replaces the desktop wallpaper on the targeted systems with its own.
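Deleting Volume Shadow Copies is the step in this chain that defenders can most reliably catch, because it almost always shows up as a distinctive process command line. The following is an added example (not code from the Trend Micro report or from this article) of a minimal detection check run over constructed, Sysmon-style process-creation events. The indicator patterns are the generic, widely documented shadow-copy removal and recovery-disabling commands (MITRE ATT&CK T1490), not commands taken from the Anubis sample; the event fields and sample data are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (not real telemetry, not from the
# Trend Micro report). Field names follow a Sysmon Event ID 1 style export.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4121, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4122, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign enumeration
    {"pid": 4123, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},              # unrelated noise
    {"pid": 4124, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | '
                'ForEach-Object { $_.Delete() }"'},
    {"pid": 4125, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
]

# Generic "inhibit system recovery" indicators (assumed, ATT&CK T1490).
# Each rule is (name, compiled case-insensitive pattern). Whitespace is
# matched loosely because attackers often vary spacing and quoting.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]


def match_rule(cmdline: str):
    """Return the name of the first matching rule, or None if the command
    line does not look like a recovery-inhibiting action."""
    # Collapse runs of whitespace so odd spacing does not dodge the patterns.
    normalized = re.sub(r"\s+", " ", cmdline).strip()
    for name, pattern in RULES:
        if pattern.search(normalized):
            return name
    return None


def detect(events):
    """Scan process-creation events; return (pid, rule) for each hit,
    preserving event order so the result can be correlated with a timeline."""
    hits = []
    for event in events:
        rule = match_rule(event.get("cmdline", ""))
        if rule is not None:
            hits.append((event["pid"], rule))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} rule={rule}")
```

Note that the benign `vssadmin list shadows` event is deliberately not flagged; alerting on every vssadmin invocation produces noise from backup tooling, whereas the delete forms are rare in normal operation and worth an immediate response.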

Initial access is usually achieved through spear-phishing emails. Once executed on the target system, the ransomware runs a series of commands and scripts to obtain administrator privileges, then elevates further to SYSTEM level before enumerating files and folders for encryption. Until now the group has focused on stealing data and extorting victims; with wipe mode it can also threaten to destroy files on the drive outright, making recovery impossible and increasing the incentive to pay.

So far, the group has targeted construction, engineering, and healthcare firms in Australia, Canada, Peru, and the US. Anubis has seven victims listed on its dark web leak site so far, but the number is expected to rise courtesy of its new destructive abilities.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
