A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025. Anubis is a recently identified group that sets itself apart by partnering encryption with more destructive capabilities—wiping directories which severely impact chances of file recovery.
Given its brief history and use of a multi-layered extortion model, Anubis has all the markings of an evolving and flexible RaaS operation. Trend™ Research has observed specific command line operations for these destructive actions, including attempts to change system settings and wipe directories. This entry takes a closer look into these capabilities. Anubis joined the X (formerly Twitter) in December 2024. Around the same time, our team identified a sample called Sphinx, which appeared to be in development, evidenced by its ransom note that lacked both a TOR site and a unique ID.
Read more…
Source: Trend Micro
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- REvil ransomware gang’s web sites mysteriously shut down
July 13, 2021
The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night. The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure. Starting last night, the websites and infrastructure used by the REvil ransomware operation ...
- Adobe Patches 11 Critical Bugs in Popular Acrobat PDF Reader
July 13, 2021
Eleven critical bugs in Adobe’s popular and free PDF reader, Acrobat, open both Window and macOS users to attacks ranging from an adversary arbitrarily executing commands on a targeted system to data leakage tied to system-read and memory flaws. In a Tuesday security bulletin, which included patches for all flaws, the company reported that Windows and ...
- SolarWinds patches critical Serv-U vulnerability exploited in the wild
July 12, 2021
SolarWinds is urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild by “a single threat actor” in attacks targeting a limited number of customers. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the ...
- Voice cloning of growing interest to actors and cybercriminals
July 12, 2021
As voice cloning technology has become ever more effective, it is of increasing interest to actors… and cybercriminals. When Tim Heller first heard his cloned voice he says it was so accurate that “my jaw hit the floor… it was mind-blowing”. Voice cloning is when a computer program is used to generate a synthetic, adaptable copy of ...
- Lazarus Targets Job-Seeking Engineers with Malicious Documents
July 9, 2021
The notorious Lazarus advanced persistent threat (APT) group has been identified as the cybergang behind a campaign spreading malicious documents to job-seeking engineers. The ploy involves impersonating defense contractors seeking job candidates. Researchers have been tracking Lazarus activity for months with engineering targets in the United States and Europe, according to a report published online by ...
- Oil & Gas Targeted in Year-Long Cyber-Espionage Campaign
July 8, 2021
A sophisticated campaign targeting large international companies in the oil and gas sector has been underway for more than a year, researchers said, spreading common remote access trojans (RATs) for cyber-espionage purposes. According to Intezer analysis, spear-phishing emails with malicious attachments are used to drop various RATs on infected machines, including Agent Tesla, AZORult, Formbook, Loki ...