
The Anubis ransomware-as-a-service (RaaS) operation has escalated its threat by integrating a wiper module into its malware, ensuring targeted files are permanently destroyed. This development, confirmed by Trend Micro and BleepingComputer [1], means victims cannot recover files even after paying the ransom. The wiper, activated via the /WIPEMODE command, reduces file sizes to 0 KB while preserving directory structures, excluding critical system folders to avoid immediate crashes [2].
Technical Breakdown of the Wiper Module
The Anubis wiper operates alongside its existing ECIES (Elliptic Curve Integrated Encryption Scheme) encryption, which appends the .anubis extension to encrypted files. Unlike traditional ransomware, the wiper module ensures data is irrecoverable by overwriting file contents. This dual functionality makes Anubis particularly dangerous, as affiliates can choose between encryption for ransom leverage or outright destruction. The malware also terminates processes like Volume Shadow Copy to prevent recovery attempts [3].
Attack vectors remain consistent with phishing campaigns delivering malicious attachments or links. Once executed, Anubis scans for and disables security services, a tactic shared with other ransomware families like EvilByte and Prince [4]. Indicators of Compromise (IoCs), including hashes and C2 domains, are documented in Trend Micro’s report [5].
Operational and Financial Implications
Anubis operates on a profit-sharing model, offering affiliates 80% of ransom payments and 60% of data extortion profits. This incentivizes widespread adoption among cybercriminals. The addition of a wiper suggests a shift toward more destructive attacks, possibly targeting organizations with low tolerance for operational downtime, such as healthcare or critical infrastructure.
Ransomware attacks are projected to cause $265 billion in global losses by 2031 [6]. The Anubis wiper exacerbates this trend, emphasizing the need for proactive measures like offline backups and endpoint detection systems. ShardSecure’s analysis highlights that encryption alone is insufficient; layered defenses are critical [7].
Mitigation and Response Strategies
To counter Anubis, organizations should:
- Deploy email filtering to block phishing attempts.
- Monitor for IoCs, particularly the /WIPEMODE command and the .anubis file extension.
- Isolate infected systems immediately to prevent lateral movement.
Trend Micro and KELA Cyber recommend updating detection rules to include behavioral patterns associated with the wiper module, such as rapid file size reduction [8]. Network segmentation and least-privilege access can limit the malware’s spread.
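The following is an added example, not code from the article or from any vendor's detection product, showing how the three signals named above (the /WIPEMODE command line, the .anubis extension, and rapid file size reduction to 0 bytes) can be checked against EDR-style telemetry. The event format, field names, thresholds and sample events are all constructed for illustration.

```python
"""Detection logic for the Anubis wiper behaviours described above.
Input: a list of constructed EDR-style event dicts (process creation and
file modification). Flags a command line carrying /WIPEMODE, files renamed
to the .anubis extension, and many files shrinking to 0 bytes within a
short window (the 'rapid file size reduction' pattern)."""
from collections import defaultdict

WIPE_FLAG = "/WIPEMODE"
RANSOM_EXT = ".anubis"
TRUNCATION_THRESHOLD = 5   # files shrunk to 0 bytes by one process ...
WINDOW_SECONDS = 60        # ... within this many seconds raises an alert

def detect_anubis_wiper(events):
    """Return a list of (signal, detail) alerts derived from the events."""
    alerts = []
    truncations = defaultdict(list)  # pid -> timestamps of size -> 0 writes
    for ev in events:
        if ev["type"] == "process" and WIPE_FLAG.lower() in ev["cmdline"].lower():
            alerts.append(("wipemode_flag", f'pid {ev["pid"]}: {ev["cmdline"]}'))
        elif ev["type"] == "file":
            if ev["path"].lower().endswith(RANSOM_EXT):
                alerts.append(("anubis_extension", ev["path"]))
            if ev["old_size"] > 0 and ev["new_size"] == 0:
                truncations[ev["pid"]].append(ev["ts"])
    for pid, stamps in sorted(truncations.items()):
        stamps.sort()
        start = 0  # sliding window over this process's truncation timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= TRUNCATION_THRESHOLD:
                alerts.append(("mass_truncation",
                               f"pid {pid}: {end - start + 1} files to 0 bytes"))
                break
    return alerts

# Constructed sample telemetry (not real IoCs): one process launched with the
# wiper flag, then truncating six user documents in a few seconds, plus one
# unrelated process writing a file that already carries the .anubis extension.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4242, "ts": 0,
     "cmdline": r"C:\Users\Public\payload.exe /WIPEMODE"},
] + [
    {"type": "file", "pid": 4242, "ts": 1 + i, "old_size": 51200, "new_size": 0,
     "path": rf"C:\Users\alice\Documents\report{i}.docx"} for i in range(6)
] + [
    {"type": "file", "pid": 7, "ts": 30, "old_size": 1024, "new_size": 1024,
     "path": r"C:\Users\alice\Pictures\holiday.jpg.anubis"},
]

if __name__ == "__main__":
    for signal, detail in detect_anubis_wiper(SAMPLE_EVENTS):
        print(signal, detail)
```

In production the threshold and window should be tuned against baseline file-write rates, since legitimate cleanup jobs can also truncate files in bulk.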
Conclusion
The Anubis wiper module represents a significant escalation in ransomware tactics, blending financial extortion with irreversible data destruction. Its affiliate-driven model ensures rapid proliferation, demanding heightened vigilance from defenders. Historical parallels to wipers like PathWiper, used in attacks against Ukrainian infrastructure, underscore the potential for widespread disruption [9].
For ongoing updates, refer to primary sources like BleepingComputer and Trend Micro. Indicators of Compromise and detection rules are available in the references below.
References
- “Anubis ransomware adds wiper to destroy files beyond recovery,” BleepingComputer, Jun. 14, 2025.
- “Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper,” Trend Micro, Jun. 2025.
- “Anubis: A New Ransomware Threat,” KELA Cyber, Feb. 2025.
- Cybersecurity Ventures, “Global Ransomware Damage Costs Predicted to Reach $265 Billion by 2031,” 2025.
- ShardSecure, “Mitigating Ransomware with Layered Defenses,” 2025.
- EUNOMATIX Twitter Thread on #threatintel, Jun. 14, 2025.