A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025. Anubis is a recently identified group that sets itself apart by partnering encryption with more destructive capabilities—wiping directories which severely impact chances of file recovery.
Given its brief history and use of a multi-layered extortion model, Anubis has all the markings of an evolving and flexible RaaS operation. Trend™ Research has observed specific command line operations for these destructive actions, including attempts to change system settings and wipe directories. This entry takes a closer look into these capabilities. Anubis joined the X (formerly Twitter) in December 2024. Around the same time, our team identified a sample called Sphinx, which appeared to be in development, evidenced by its ransom note that lacked both a TOR site and a unique ID.
Read more…
Source: Trend Micro
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Malware uses WiFi BSSID for victim identification
January 4, 2021
Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim’s IP address and check it against an IP-to-geo database like MaxMind’s GeoIP to get a victim’s approximate geographical location. While the technique isn’t very accurate, it is still the most reliable method ...
- Beware: PayPal phishing texts state your account is ‘limited’
January 3, 2021
A PayPal text message phishing campaign is underway that attempts to steal your account credentials and other sensitive information that can be used for identity theft. When PayPal detects suspicious or fraudulent activity on an account, the account will have its status set to “limited,” which will put temporary restrictions on withdrawing, sending, or receiving money. Read ...
- Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways
January 2, 2021
More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel. The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets ...
- Data breach broker selling 368.8 million user records stolen from 26 companies
December 31, 2020
A data breach broker is selling the allegedly stolen user records for twenty-six companies on a hacker forum, BleepingComputer has learned. When threat actors and hacking groups breach a company and steal their user databases, they commonly work with data breach brokers who market and sell the data for them. Brokers will then create posts on ...
- Emotet malware hits Lithuania’s National Public Health Center
December 30, 2020
The internal networks of Lithuania’s National Center for Public Health (NVSC) and several municipalities have been infected with Emotet malware following a large campaign targeting the country’s state institutions. “When infected recipients opened infected messages, the virus entered the internal networks of the institutions,” NVSC officials said in a statement published today. “Infected computers, after downloading additional ...
- Japanese Aerospace Firm Kawasaki Warns of Data Breach
December 29, 2020
Japanese aerospace company Kawasaki Heavy Industries on Monday warned of a security incident that may have led to unauthorized access of customer data. According to the company’s data breach notification, it first discovered unauthorized parties accessing a server in Japan, from an overseas office in Thailand, on June 11, 2020. After terminating that access, the company ...