Anubis Ransomware Emerges With a Destructive Twist
Dual Threat: Scrambling and Erasing Data
A newly observed strain of ransomware called Anubis has attracted the attention of security researchers for its ability not only to lock files but also to wipe them out completely. According to a recent study by Trend Micro, the malware carries a “wipe mode.” When attackers enable this setting, Anubis reduces each targeted file to zero bytes while leaving the name and extension intact. The result is brutal: victims are left staring at empty placeholders, with no realistic path to recovery—even if they decide to pay a ransom.
This dangerous feature is uncommon in the ransomware landscape. Most groups focus on encryption alone, reasoning that files must be recoverable for the victim to feel compelled to meet demands. By adding permanent destruction as a threat, the criminals behind Anubis raise the pressure dramatically, hinting that they are willing to obliterate data if negotiations stall or if they decide a victim is uncooperative.
A Ransomware-as-a-Service Built for Affiliates
First spotted in the wild in December 2024, Anubis is operated as a ransomware-as-a-service (RaaS) platform. Aspiring attackers, known in the ecosystem as affiliates, can sign up, obtain a copy of the malware, and follow a playbook supplied by the developers. To make the partnership attractive, Anubis offers a generous revenue split: affiliates keep 80 percent of every ransom payment. If they branch out into selling stolen files on underground markets or brokering back-door access to compromised systems, the earnings are divided 60-40 and 50-50, respectively.
The group’s marketing materials reveal that the project began under the name “Sphinx.” Somewhere along the testing phase, the operators swapped that brand for “Anubis,” possibly to distance themselves from early trial runs or to ride on the dark mystique of the Egyptian deity. Trend Micro stresses that this effort is unrelated to the Android banking malware or the Python-based backdoor that share the same mythological name.
Anatomy of an Attack
A typical Anubis intrusion starts with a phishing email. The message lures an employee into opening a booby-trapped attachment or clicking a malicious link, giving the attackers the first foothold inside a network. From there, the operators move laterally, elevate their privileges, map out the environment, and erase Windows volume shadow copies that might otherwise aid a victim’s recovery. Once they are satisfied with the level of access—and after exfiltrating any files they consider valuable—they deploy the ransomware.
By default, Anubis encrypts data and appends a ransom note that directs the victim to a chat portal on the dark web. If the attackers invoke the /WIPEMODE parameter, the code flips from encryption to outright destruction, turning original files into empty shells with no contents. Security specialists caution that victims who see file sizes suddenly register as 0 KB are likely facing the wiper function in action.
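The two observable signals in the intrusion described above, shadow-copy removal before deployment and files collapsing to zero bytes while their names and extensions survive, lend themselves to simple defensive triage. The following Python is an added example written for this article, not code from Trend Micro or from the Anubis research; the process-log lines and the file tree it inspects are constructed sample data, and the regular expressions are assumptions about what such telemetry would contain. It scores a directory tree against a previous size inventory and reports files that went from non-empty to exactly 0 bytes, and flags process-creation events that delete shadow copies or carry the /WIPEMODE parameter.

```python
"""Defensive triage for two Anubis indicators: shadow-copy deletion in
process logs and files truncated to 0 bytes with intact names/extensions.
All input here is constructed sample data, not real telemetry."""
import re
import tempfile
from pathlib import Path

# Constructed process-creation events: timestamp, user, command line.
SAMPLE_PROCESS_LOG = [
    "2025-06-13T09:01:12 svc_backup C:\\Windows\\System32\\vssadmin.exe list shadows",
    "2025-06-13T09:02:40 jdoe C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2025-06-13T09:03:05 jdoe C:\\Users\\jdoe\\Downloads\\update.exe /WIPEMODE",
]

# Assumed patterns: shadow-copy removal via vssadmin, and the wipe-mode switch.
SHADOW_COPY_DELETION = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
WIPE_FLAG = re.compile(r"/WIPEMODE\b", re.IGNORECASE)


def flag_process_events(lines):
    """Return (line, reason) pairs for events matching either indicator."""
    hits = []
    for line in lines:
        if SHADOW_COPY_DELETION.search(line):
            hits.append((line, "shadow copy deletion"))
        elif WIPE_FLAG.search(line):
            hits.append((line, "wipe-mode parameter"))
    return hits


def snapshot_sizes(root):
    """Map each regular file under root (POSIX-style relative path) to its size in bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.stat().st_size
            for p in root.rglob("*") if p.is_file()}


def find_truncated(baseline, current):
    """Paths that were non-empty in the baseline and are now exactly 0 bytes.
    A genuinely empty file in the baseline is ignored, as is a file that merely shrank."""
    return sorted(p for p, size in current.items()
                  if size == 0 and baseline.get(p, 0) > 0)


def wipe_ratio(baseline, current):
    """Fraction (0.0..1.0) of previously non-empty files now reduced to 0 bytes.
    A high value across many extensions is the signature the article describes."""
    nonempty = [p for p, s in baseline.items() if s > 0]
    if not nonempty:
        return 0.0
    return len(find_truncated(baseline, current)) / len(nonempty)


def demo():
    """Build a constructed tree, reproduce the described outcome (contents gone,
    names and extensions untouched), and return the triage results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        files = {
            "finance/q1.xlsx": b"A" * 4096,
            "finance/q2.xlsx": b"B" * 2048,
            "notes.txt": b"hello",
            "empty.log": b"",          # legitimately empty before; must not be flagged
        }
        for rel, data in files.items():
            (root / rel).write_bytes(data)
        before = snapshot_sizes(root)
        for rel in ("finance/q1.xlsx", "finance/q2.xlsx"):
            (root / rel).write_bytes(b"")   # zero-byte placeholder, same name
        after = snapshot_sizes(root)
        return find_truncated(before, after), wipe_ratio(before, after), \
            flag_process_events(SAMPLE_PROCESS_LOG)


if __name__ == "__main__":
    truncated, ratio, events = demo()
    print("zero-byte files with intact names:", truncated)
    print("wipe ratio: %.2f" % ratio)
    for line, reason in events:
        print(reason, "->", line)
```

The baseline inventory is the part that matters operationally: a size manifest taken from a known-good backup or a periodic scan lets responders distinguish a mass truncation from files that were always empty, and the ratio gives a quick sense of scope before restoration decisions are made.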
Impacted Sectors and Regions
Early victims identified by Trend Micro belong to the healthcare, hospitality, and construction industries across the United States, Canada, Peru, and Australia. While these sectors have endured ransomware attacks for years, the blend of encryption, data theft, and file wiping poses higher stakes. Healthcare institutions, in particular, struggle to restore critical patient data under the threat of a wipe, and downtime can translate into risks to patient safety.
FIN7’s Parallel Campaign and the NetSupport RAT Connection
The Anubis discovery coincides with a separate investigation by Recorded Future into fresh infrastructure linked to FIN7, a financially motivated group sometimes called GrayAlpha. FIN7’s operators have been distributing the NetSupport remote-access tool through bogus software-update portals and counterfeit download pages. Two custom loaders play pivotal roles: one named MaskBat, deployed via fake browser updates, and another called PowerNet, delivered through sham 7-Zip installer sites and a traffic-direction system known as TAG-124. Although the campaigns are distinct, researchers note overlaps in tools and naming conventions, suggesting that cybercriminal communities continue to share code and trade techniques.
The Bigger Picture for Defenders
Anubis underscores how ransomware crews keep refining their business models. By letting affiliates choose between classic encryption or permanent deletion, the developers aim to maximize leverage and, ultimately, revenue. Organizations must treat phishing awareness, regular data backups, and robust incident-response planning as non-negotiable fundamentals. Backups, however, need to be isolated and frequently tested, because Anubis deliberately hunts shadow copies and could attempt to locate connected storage if given the chance.
Trend Micro’s researchers conclude that the dual nature of encryption and wiping “significantly raises the stakes.” In practical terms, it means no one can assume that ransom payment guarantees restitution. The surest defense remains prevention and rapid detection—before the choice between paying up or losing everything becomes all too real.