A sophisticated new ransomware threat has emerged from the cybercriminal underground, targeting both Android and Windows platforms with dual capabilities that extend far beyond traditional file encryption. Anubis ransomware, first identified in November 2024, represents a concerning evolution in malware design, combining the destructive power of ransomware with the credential-stealing techniques of banking trojans.

What sets Anubis apart from other ransomware families is its incorporation of permanent data deletion capabilities, with some victims reporting complete data loss even after ransom payments were made. This multi-layered approach ensures maximum impact while preventing victims from using standard recovery mechanisms, forcing organizations into difficult decisions regarding ransom payment versus permanent data loss.

According to recent threat intelligence data, ransomware victims publicly listed on leak sites have increased by nearly 25%, while the number of leak sites operated by ransomware groups has grown by 53%. Anubis has contributed to these statistics through its aggressive targeting of critical infrastructure and high-value organizations across the healthcare, construction, and professional services sectors.

Bitsight researchers identified Anubis as a particularly dangerous threat due to its dual-platform approach and destructive capabilities. The ransomware group, observed communicating in Russian on dark web forums, has implemented a distinctive Ransomware-as-a-Service model with flexible affiliate payment structures.

On Android devices, Anubis functions primarily as a banking trojan, deploying phishing overlays that mimic legitimate application interfaces to harvest user credentials. The malware simultaneously conducts screen recording and keylogging operations to capture sensitive authentication data, while propagating itself through the victim's contact list via mass SMS distribution.

On Windows, Anubis demonstrates sophisticated technical capabilities in its execution phase, particularly through its use of configurable command-line parameters that enable threat actors to customize attack scenarios. The malware accepts specific command parameters including /KEY=, /elevated, /PATH=, /PFAD=, and /WIPEMODE, allowing operators to control encryption processes, privilege escalation, target directories, and destructive wiping functionality. For file encryption, the ransomware implements the Elliptic Curve Integrated Encryption Scheme (ECIES), providing robust cryptographic protection that makes unauthorized decryption extremely difficult. The malware systematically eliminates recovery options by deleting Volume Shadow Copies and terminating critical system services, while simultaneously escalating privileges through access token manipulation techniques.
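The command-line switches and the shadow-copy deletion described above are the kind of artifacts that show up in process-creation telemetry (Sysmon Event ID 1, EDR process logs), which makes them a practical hunting signal. The following Python script is an added example for defenders, not code from the article or from Bitsight: it scans constructed process-creation records for the Anubis switches named above and for shadow-copy deletion commands, and grades each hit. The record format, the sample lines, and the specific shadow-copy deletion command patterns (vssadmin/wmic, which the article does not name) are assumptions; tune the severity rules to your environment, since a lone /PATH= switch also appears in legitimate installers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Switches the article attributes to the Anubis Windows payload (case-insensitive match).
ANUBIS_SWITCHES = ("/KEY=", "/elevated", "/PATH=", "/PFAD=", "/WIPEMODE")

# Assumption: the article says shadow copies are deleted but does not name the tool;
# these are the commonly logged command forms for that behaviour (MITRE ATT&CK T1490).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I
)

# Assumption: each record is a flat key=value line with a quoted CommandLine field.
CMDLINE_RE = re.compile(r'CommandLine="([^"]*)"')

# Constructed sample records (not real telemetry); keys are placeholders.
SAMPLE_RECORDS = [
    r'EventID=1 Image=C:\Users\alice\AppData\Local\Temp\update.exe CommandLine="update.exe /KEY=PLACEHOLDER_KEY /elevated /PATH=D:\shares"',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'EventID=1 Image=C:\Program Files\Installer\setup.exe CommandLine="setup.exe /S /PATH=C:\Apps\Tool"',
    r'EventID=1 Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"',
]


@dataclass
class Finding:
    record_no: int        # 1-based index of the record in the input
    severity: str         # "low" | "medium" | "high"
    reason: str           # human-readable explanation for the analyst


def extract_command_line(record: str) -> str:
    """Return the CommandLine field of a record, or an empty string if absent."""
    m = CMDLINE_RE.search(record)
    return m.group(1) if m else ""


def switch_hits(cmdline: str) -> List[str]:
    """List the Anubis-style switches present in a command line."""
    lowered = cmdline.lower()
    return [s for s in ANUBIS_SWITCHES if s.lower() in lowered]


def classify(hits: List[str], shadow_hit: bool) -> Optional[str]:
    """Grade a record: ransomware switches plus recovery sabotage is the strongest signal."""
    if hits and shadow_hit:
        return "high"
    if "/WIPEMODE" in hits or len(hits) >= 2:
        return "high"          # wiper flag, or several switches seen together
    if shadow_hit:
        return "medium"        # recovery sabotage on its own still merits triage
    if hits:
        return "low"           # a single switch is weak evidence (installers use /PATH=)
    return None


def scan(records: List[str]) -> List[Finding]:
    """Scan process-creation records and return one Finding per suspicious record."""
    findings: List[Finding] = []
    for n, record in enumerate(records, 1):
        cmdline = extract_command_line(record)
        hits = switch_hits(cmdline)
        shadow = bool(SHADOW_DELETE_RE.search(cmdline))
        severity = classify(hits, shadow)
        if severity is None:
            continue
        reasons = []
        if hits:
            reasons.append("anubis-style switches: " + ", ".join(hits))
        if shadow:
            reasons.append("shadow copy deletion (T1490)")
        findings.append(Finding(n, severity, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"record {f.record_no}: {f.severity.upper()} - {f.reason}")
```

In production the same logic would be expressed as a SIEM or EDR rule keyed on the command-line field; the grading here is deliberately conservative so that a benign installer passing /PATH= lands in a low-priority queue rather than paging an on-call analyst.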
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 01 Aug 2025 00:00:21 +0000