A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025. Anubis is a recently identified group that sets itself apart by partnering encryption with more destructive capabilities—wiping directories which severely impact chances of file recovery.
Given its brief history and use of a multi-layered extortion model, Anubis has all the markings of an evolving and flexible RaaS operation. Trend™ Research has observed specific command line operations for these destructive actions, including attempts to change system settings and wipe directories. This entry takes a closer look into these capabilities. Anubis joined the X (formerly Twitter) in December 2024. Around the same time, our team identified a sample called Sphinx, which appeared to be in development, evidenced by its ransom note that lacked both a TOR site and a unique ID.
Read more…
Source: Trend Micro
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Commodified Cybercrime Infrastructure – Exploring the Underground Services Market for Cybercriminals
September 1, 2020
Beyond standard underground offerings such as malware and exploit kits, cybercriminals also value having a stable hosting infrastructure that underpins all their activities. Such an infrastructure could host malicious content and the necessary components for controlling their operations (e.g., bulletproof hosting that run backend hacker infrastructure or a rented botnet of compromised machines). In many respects, ...
- New Bait Used in Instagram Profile Hacking Scheme
August 28, 2020
Last year, we observed attacks launched to steal high-profile Instagram accounts. Now, attacks of a similar nature are on the rise again, this time using new lures to achieve the same goal. Both strikes involve a group of Turkish-speaking hackers who seized Instagram accounts through credential phishing emails posing as legitimate messages from Instagram. The group ...
- Elon Musk confirmed Russian’s plans to extort Tesla
August 28, 2020
The FBI thwarted the plans of 27-year-old Russian national Egor Igorevich Kriuchkov to recruit an insider within Tesla’s Nevada Gigafactory, persuade him to plant malware on the company’s network, and then ransom Tesla under threat that he would leak data stolen from their systems. Kriuchkov was arrested on August 22, 2020, in Los Angeles after he ...
- Cetus: Cryptojacking Worm Targeting Docker Daemons
August 27, 2020
Unsecured Docker daemons have been known to security professionals as a major threat since the early days of containers. Unit 42 recently wrote about Graboid, the first-ever Docker cryptojacking worm and unsecured Docker daemons. I conducted additional research by setting up a Docker daemon honeypot in order to examine how things look for an average ...
- Malicious Attachments Remain a Cybercriminal Threat Vector Favorite
August 27, 2020
While attachment threat vectors are one of the oldest malware-spreading tricks in the books, email users are still clicking on malicious attachments that hit their inbox, whether it’s a purported “job offer” or a pretend “critical invoice.” The reason why threat actors are still relying on this age-old tactic, researchers say, is that the attack is ...
- Revamped Qbot Trojan Packs New Punch: Hijacks Email Threads
August 27, 2020
Attacks attributed to the Qbot trojan, known as the “Swiss Army knife” of malware, are on the uptick with a reported 100,000 recent infections, according to researchers. Qbot, an ever-evolving information-stealing trojan that’s been around since 2008, has shifted tactics again and adopted a bevy of new techniques, according to researchers at Check Point who released ...