A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025. Anubis is a recently identified group that sets itself apart by partnering encryption with more destructive capabilities—wiping directories which severely impact chances of file recovery.
Given its brief history and use of a multi-layered extortion model, Anubis has all the markings of an evolving and flexible RaaS operation. Trend™ Research has observed specific command line operations for these destructive actions, including attempts to change system settings and wipe directories. This entry takes a closer look into these capabilities. Anubis joined the X (formerly Twitter) in December 2024. Around the same time, our team identified a sample called Sphinx, which appeared to be in development, evidenced by its ransom note that lacked both a TOR site and a unique ID.
Read more…
Source: Trend Micro
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Black Kingdom ransomware
June 17, 2021
Black Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065). The complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. ...
- Kremlin spokesman lists top countries where cyber attacks originate
June 17, 2021
Kremlin Spokesman Dmitry Peskov has prepared a list of the top countries, where cyber attacks originate, at the request of Russian President Vladimir Putin, handing over this list to reporters. “In the first half of 2020, the leaders among all countries where all types of cyber attacks originated are: the US, Canada, Brazil, Mexico, the UK,” ...
- Bash Ransomware DarkRadiation Targets Red Hat- and Debian-based Linux Distributions
June 17, 2021
A recently discovered Bash ransomware piqued our interest in multiple ways. Upon investigating, we found that the attack chain is fully implemented as a bash script, but it also seems that the scripts are still under development. Most components of this attack mainly target Red Hat and CentOS Linux distributions; however, in some scripts Debian-based Linux ...
- Matanbuchus: Malware-as-a-Service with Demonic Intentions
June 16, 2021
Unit 42 researchers often spend time investigating what we call non-traditional sources. Non-traditional sources often include underground marketplaces and sites, spanning from forums on the Tor network to Telegram channels and other marketplaces. One such case that we investigated involves a threat actor called BelialDemon, who is a member of several underground forums and marketplaces. In ...
- Ferocious Kitten: 6 years of covert surveillance in Iran
June 16, 2021
Ferocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who appear to be based in Iran. Although it has been active for a long time, the group has mostly operated under the radar and has not been covered by security researchers to the best of our knowledge. It ...
- Ransomware Poll: 80% of Victims Don’t Pay Up
June 16, 2021
Ransomware is on the rise, but what toll does it take on the real world? Threatpost set out to answer that question in an exclusive poll aimed at taking the pulse of organizations wrestling with attacks, including looking at mitigations and the defenses organizations have in place. When viewed against the backdrop of complementary reports from ...