Anubis Ransomware Adds File-Wiping Capability


The Anubis ransomware-as-a-service (RaaS) operator has developed a novel dual-threat capability to increase pressure on victims.

Trend Micro researchers discovered a “wipe mode” in the ransomware strain which permanently erases files and is used alongside general encryption capabilities.

This destructive capability makes file recovery impossible, increasing the pressure on victims to pay ransom demands.

The novel tactic highlights ransomware attackers’ ability to pivot quickly as victims grow more resistant to payment demands, a resistance enabled by stronger resilience in the face of incidents.

“The emergence of the Anubis marks a significant evolution in the landscape of cyberthreats, particularly with its dual-threat ransomware capabilities and flexible affiliate programs,” the researchers said in a report dated June 13.

“By combining RaaS with added monetization strategies, such as data ransomware and access monetization affiliate programs, Anubis is maximizing its revenue potential and expanding its reach within the cybercriminal ecosystem. Its ability to both encrypt and permanently destroy data significantly raises the stakes for victims, amplifying the pressure to comply—just as strong ransomware operations aim to do,” they added.

File Wiping Capabilities

The new Trend Micro report identified specific command-line operations used for destructive actions, including attempts to change system settings and wipe directories.

The ransomware runs the command vssadmin delete shadows /for=norealvolume /all /quiet to delete all Volume Shadow Copies on the specified drive. This step is designed to prevent the victim from restoring files from previous versions.

Additionally, Anubis includes a wiper feature, invoked with the /WIPEMODE parameter, which permanently deletes the contents of a file and prevents any recovery attempt.

This command includes a key for authentication.
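As an added example (not code from the article or from Trend Micro), the following Python script shows how a defender could flag the two command-line behaviours described above in process-creation telemetry: a vssadmin shadow-copy deletion and the /WIPEMODE flag. The sample events are constructed to resemble Sysmon Event ID 1 or Security Event ID 4688 records; the executable name sample.exe and the host and user names are hypothetical, and because the article does not give the syntax of the authentication key that accompanies the wipe command, the detector matches only the /WIPEMODE token.

```python
"""Flag shadow-copy deletion and /WIPEMODE invocations in process-creation logs.

Added illustrative example; the events below are constructed, not real telemetry.
"""
import shlex
from dataclasses import dataclass

# Constructed sample events in a Sysmon Event ID 1 / Security 4688 shape.
# sample.exe, host and user names are hypothetical placeholders.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "jdoe", "parent": "winword.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /for=norealvolume /all /quiet'},
    {"host": "ws-01", "user": "jdoe", "parent": "explorer.exe",
     "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\sample.exe /WIPEMODE"},
    {"host": "srv-02", "user": "backup_svc", "parent": "backupagent.exe",
     "cmdline": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "srv-02", "user": "backup_svc", "parent": "backupagent.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
]


@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    user: str
    cmdline: str


def _tokens(cmdline):
    """Split a Windows command line into lower-cased tokens.

    posix=False keeps backslashes literal and tolerates quoted paths; quotes
    around a token are stripped afterwards so matching is purely on content.
    """
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:
        parts = cmdline.split()
    return [p.strip('"').lower() for p in parts]


def is_shadow_copy_deletion(cmdline):
    """True when vssadmin is invoked with both 'delete' and 'shadows'.

    Flag order and casing vary between samples, so the check is token based
    rather than a fixed string match.
    """
    toks = _tokens(cmdline)
    if not toks:
        return False
    exe = toks[0].replace("\\", "/").rsplit("/", 1)[-1]
    if exe not in ("vssadmin", "vssadmin.exe"):
        return False
    return "delete" in toks and "shadows" in toks


def is_wipe_mode(cmdline):
    """True when the /WIPEMODE switch described in the report is present."""
    return "/wipemode" in _tokens(cmdline)


def scan(events):
    """Return a Finding for every event that matches either rule."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if is_shadow_copy_deletion(cmd):
            findings.append(Finding("shadow_copy_deletion", "high",
                                    ev["host"], ev["user"], cmd))
        if is_wipe_mode(cmd):
            findings.append(Finding("anubis_wipe_mode_flag", "critical",
                                    ev["host"], ev["user"], cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} on {f.host} by {f.user}: {f.cmdline}")
```

Shadow-copy deletion is also performed legitimately by backup agents, so in production the shadow_copy_deletion rule is usually paired with parent-process and user context (the constructed srv-02 event from backup_svc is the kind of hit that would be triaged against an allow-list) rather than alerting on its own.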

To protect against the novel data wiping function, the researchers advised organizations to maintain offline and immutable backups to ensure file recovery even if files are destroyed.

Anubis’ Novel Structure

Anubis was first observed in December 2024 and was actively advertising on cybercrime forums by February 2025.

The group uses a unique affiliate structure, offering multiple options with a high percentage of the profit from ransom payments paid out to members.

The tools offered by the RaaS operation include traditional encryption, data-theft-only extortion and access monetization, helping threat actors extort victims they have already compromised.

Initial access is typically established through spear phishing emails that include malicious attachments or links. These emails are carefully constructed to appear as if they come from trusted sources, luring recipients into opening the attachments or clicking the links.

At the time the Trend Micro report was published, seven victims had been listed on the group’s leak site. These victims span a range of industries, including healthcare, engineering and construction.

The victims come from a variety of countries, including Australia, Canada, Peru and the US.
