A new ransomware-as-a-service threat called Anubis has emerged. It combines file encryption, ruthless monetization tactics, and a rare wiper feature that can permanently delete data to prevent its recovery.
Once active, Anubis renames encrypted files with the extension .anubis. It alters their system icons, standard fare for ransomware families trying to sow panic and confusion. Victims find a ransom note titled RESTORE FILES.html, attributed to the “ANUBIS team,” which outlines a double extortion scheme: pay up, or your stolen data goes public.
This pressure tactic is fast becoming the norm in ransomware operations, but researchers at Trend Micro say Anubis adds another layer of threat.
More than encryption, it has a wiper feature triggered via the /WIPEMODE command-line parameter. When activated, it erases the contents of files, overwriting them with zero-byte shells that cannot be recovered. Although files still appear in place, their size reads “0 KB,” confirming total data loss.
This type of data destruction is commonly used in cyberespionage or nation-state attacks. But in this instance, it’s weaponized for additional leverage.
Changing Desktop Wallpaper
In another curious twist, researchers observed that Anubis attempts to change the victim’s desktop wallpaper using a file named wall.jpg.
The command was issued via the command line to set the image at C:\ProgramData\wall.jpg, but in tested samples, the image file was never dropped, rendering the attempt ineffective. While mostly cosmetic, such tactics are often used to visually signal to the victim that an attack has occurred.
“Given its brief history and use of a multi-layered extortion model, Anubis has all the markings of an evolving and flexible RaaS operation,” Trend Micro noted.
How Anubis Gets In
Trend Vision One’s telemetry outlines the tactics, techniques, and procedures (TTPs) employed by the Anubis ransomware operators. These include:
- Initial Access: Phishing emails
- Execution: Command-line scripting
- Privilege Escalation: Create a process with stolen tokens
- Defense Evasion: Use of valid accounts
- Discovery: File, directory, and process discovery
- Impact: Data encryption, service disruption, and full-blown data destruction
Monetization Meets Malware
What makes Anubis particularly dangerous is how it’s structured to scale. This scourge is offered via RaaS to affiliates, so even fairly unskilled actors can carry out attacks using prebuilt kits. Anubis also reportedly supports additional monetization strategies, such as access brokering, in which access to infected systems is sold on underground markets.
This suggests its authors are covering all their bases, stretching this threat’s earning potential and expanding its reach as much as possible.
Defending Against Anubis
Anubis isn’t just another ransomware; it’s a hybrid threat that encrypts, extorts, and erases. That raises the bar for defensive strategies. Here’s what organizations should prioritize:
- Email and Web Hygiene: Filter known malicious domains, and educate users on the dangers of attachments and links.
- Offline Backups: Maintain secure, offline backups.
- Access Controls: Enforce the principles of least privilege and audit user permissions often.
- Patching and Scanning: Keep endpoint protection software updated, and scan for vulnerabilities.
- User Awareness: Train teams to recognize social engineering. Security-smart staff can be a human firewall.
- Defense in Depth: Use a mix of endpoint, email, web, and network security for layered defenses..
- Sandboxing and Application Control: Analyze unknown files in a sandbox environment and block unauthorized apps at the policy level.
- Continuous Monitoring: SIEM tools are great for rooting out anomalous behaviors that could mean trouble is afoot.
Anubis may seem like a typical RaaS at first, but it’s a threat actor’s dream: file encryption, data theft, permanent file wiping, and multiple revenue paths. If ransomware wasn’t high enough on your risk radar, this one should push it up a few notches. Entities must assume that encryption is only part of the problem, and that complete data loss is on the table.
The takeaway? Don’t just plan for ransomware recovery. Prepare for the possibility of no recovery at all.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.