New Anubis Ransomware Targets Windows, Linux, NAS, and ESXi x64/x32 Environments

A new ransomware group, dubbed Anubis, has emerged as a significant threat in the cybersecurity landscape.

Active since late 2024, Anubis employs advanced techniques and operates across multiple platforms, including Windows, Linux, NAS, and ESXi environments.

The group is leveraging ransomware-as-a-service (RaaS) and other affiliate-based monetization models to expand its reach and impact.

Technical Capabilities and Targeted Platforms

Anubis ransomware is reportedly developed using the ChaCha+ECIES encryption algorithm, enabling robust data encryption.

It targets x64/x32 architectures across various environments while elevating privileges to NT AUTHORITY\SYSTEM for deeper system access.

The malware also features self-propagation capabilities, allowing it to encrypt entire domains efficiently.

These functionalities are managed via a user-friendly web panel designed for affiliates.

The group’s operations highlight a focus on critical industries, including healthcare and engineering sectors.

Their recent victims include organizations in Australia, Canada, Peru, and the United States.

Notably, two of their four confirmed victims belong to the healthcare sector, underscoring their potential focus on industries with sensitive data.

Affiliate Programs: Diversified Monetization Models

Anubis has introduced a range of affiliate programs to attract cybercriminal collaborators:

1. Ransomware-as-a-Service (RaaS): Affiliates receive 80% of ransom payments for deploying Anubis ransomware.
2. Data Ransom Program: This model focuses on monetizing stolen data through public exposure threats, offering affiliates 60% of the revenue. The stolen data must meet specific criteria, such as exclusivity and relevance.
3. Access Monetization Program: Initial Access Brokers can sell corporate credentials to Anubis for a 50% revenue share. This program includes detailed victim profiling to maximize extortion leverage.

These programs reflect a well-structured business model aimed at maximizing profitability through multiple revenue streams.

According to Kela, Anubis operates with a high degree of sophistication.

Their tactics include publishing investigative articles about victims on hidden blog pages to pressure organizations into paying ransoms.

If negotiations fail, the group publicly releases stolen data on their blog or social media platforms.

They have also been observed notifying regulatory authorities and affected parties to amplify the pressure on victims.

The group’s representatives are active on Russian-speaking cybercrime forums such as RAMP and XSS under aliases like “superSonic” and “Anubis__media.”

Their posts suggest prior experience in ransomware operations, potentially as affiliates of other groups.

The emergence of Anubis underscores the evolving nature of ransomware threats.

Their technical expertise, combined with innovative business models and a focus on critical sectors, makes them a formidable adversary.

Organizations are advised to strengthen their cybersecurity defenses and remain vigilant against this emerging threat.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free