Anubis ransomware is malicious software that encrypts files on infected systems and demands a ransom for their recovery. Known for its encryption capabilities and destructive behaviour, Anubis has grown into a significant threat to both individual users and organizations. This article covers its history, indicators of compromise (IOCs), and removal strategies.
Anubis ransomware history
Anubis gained notoriety for its widespread attacks and sophisticated distribution methods, including phishing emails and malicious software. It emerged in 2024, leveraging double extortion tactics and ransomware-as-a-service (RaaS) models.
Anubis’s timeline:
- 2024: The Anubis threat group surfaced, targeting healthcare and engineering sectors with affiliate programs for data extortion and access monetization.
- 2025: The group advertises its affiliate programs on forums like RAMP and XSS, offering revenue-sharing models for ransomware deployment, data monetization, and corporate access credentials.
The group’s operations suggest that its members may have prior experience with other ransomware groups or extortion activities. The detailed “investigative articles” it publishes on victims point to a highly targeted approach.
Anubis ransomware business model
The Anubis group operates multiple affiliate programs to monetize its activities:
- Ransomware-as-a-Service (RaaS): Affiliates receive 80% of ransom payments. The malware targets Windows, Linux, NAS, and ESXi environments and includes features like privilege escalation and domain-wide encryption propagation.
- Data Ransom Program: Affiliates monetize stolen sensitive data through public exposure threats, earning 60% revenue. This program includes investigative articles based on stolen files to pressure victims further.
- Access Monetization Program: Initial Access Brokers provide corporate credentials in exchange for 50% revenue. The group uses detailed reports to identify vulnerabilities and increase extortion pressure.
These programs reflect the group’s innovative approach to ransomware operations, combining traditional methods with modern monetization techniques.

How to recognize Anubis ransomware (IOCs)
Indicators of Compromise (IOCs) are digital traces left behind during a cyberattack; they help identify malicious activity or the presence of malware such as Anubis ransomware on a system.
Anubis ransomware IOCs include:
- File Extensions: Encrypted files often carry the extension .anubis or a randomly generated string.
- Ransom Notes: Typically named “anubis-readme.txt,” these notes threaten file deletion if the ransom is not paid within seven days.
Using ransomware identification tools can help confirm the presence of Anubis ransomware based on these IOCs.
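The two indicators above can be checked directly on a file share or endpoint image. The following script is an added example written for this article; it is not code from the article or from Porthas. It matches the ransom note name and the .anubis extension exactly as stated above, and adds one assumption of its own: for the “random string” extension case, which cannot be matched by name, it flags files that sit in the same directory as a ransom note and whose content has near-maximal Shannon entropy (threshold 7.5 bits per byte, an assumed cut-off). The sample directory tree it builds is constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicator values taken from the article. Everything else (entropy threshold,
# sample size, the demo tree and its file names) is an assumption for this demo.
RANSOM_NOTE_NAMES = {"anubis-readme.txt"}
ENCRYPTED_EXTENSIONS = {".anubis"}
HIGH_ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, not from the article
SAMPLE_BYTES = 4096            # how much of each file to sample for entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 for encrypted or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_for_anubis_iocs(root: str) -> dict:
    """Walk `root` and collect paths matching the article's IOCs.

    ransom_notes       - files named anubis-readme.txt
    encrypted_files    - files carrying the .anubis extension
    possible_encrypted - files beside a ransom note with an unknown extension
                         and random-looking content (the "random string" case)
    """
    findings = {"ransom_notes": [], "encrypted_files": [], "possible_encrypted": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        note_in_dir = any(n.lower() in RANSOM_NOTE_NAMES for n in filenames)
        for name in filenames:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(full)
            elif Path(lower).suffix in ENCRYPTED_EXTENSIONS:
                findings["encrypted_files"].append(full)
            elif note_in_dir:
                # Heuristic only applied where a ransom note already exists, so
                # ordinary archives and images elsewhere do not trigger it.
                with open(full, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
                if shannon_entropy(head) >= HIGH_ENTROPY_THRESHOLD:
                    findings["possible_encrypted"].append(full)
    return findings


def triage_verdict(findings: dict) -> str:
    """Reduce the findings to a one-line verdict for an analyst."""
    notes = len(findings["ransom_notes"])
    suspect = len(findings["encrypted_files"]) + len(findings["possible_encrypted"])
    if notes or suspect:
        return f"anubis-indicators-present: {notes} ransom note(s), {suspect} suspect file(s)"
    return "no-anubis-indicators"


def build_sample_tree() -> str:
    """Create a constructed directory tree in a temp dir and return its path.

    Every file is fabricated for the demo. The 'encrypted' content is a
    deterministic full byte range, so the entropy check is reproducible.
    """
    root = tempfile.mkdtemp(prefix="anubis_ioc_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    random_looking = bytes(range(256)) * 16            # entropy exactly 8.0 bits/byte
    plain_text = b"Quarterly minutes, nothing unusual here.\n" * 40

    Path(docs, "report.docx.anubis").write_bytes(random_looking)
    Path(docs, "budget.xlsx.anubis").write_bytes(random_looking)
    Path(docs, "photo.jpg.k9x2").write_bytes(random_looking)    # constructed random-string extension
    Path(docs, "minutes.txt").write_bytes(plain_text)            # untouched file beside the note
    Path(docs, "anubis-readme.txt").write_text("constructed placeholder ransom note\n")
    Path(root, "notes.txt").write_bytes(plain_text)              # clean directory, no note
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_for_anubis_iocs(demo_root)
    for key, paths in result.items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print(triage_verdict(result))
```

Run against a mounted image or a share rather than a live infected host, and treat the entropy hits as leads to confirm by hand: compressed or already-encrypted legitimate files in a directory that also holds a ransom note will land in the same bucket.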

How to remove Anubis ransomware
Removing Anubis ransomware is complex and requires professional assistance to ensure complete eradication and safe data recovery. Attempting self-removal may result in permanent data loss or reinfection.
Steps to handle Anubis ransomware:
- Don’t pay the ransom: Paying does not guarantee file recovery and may incentivize attackers.
- Contact professional services: Trusted providers like Porthas specialize in ransomware removal and recovery. Our experts can decrypt files, remove malware, and restore systems securely while ensuring compliance with legal regulations.
- Report the attack: Notify law enforcement agencies such as the FBI’s IC3 to aid in tracking threat actors.
Is there a public decryption tool for Anubis?
No. There is currently no public decryption tool for Anubis ransomware; recovery usually depends on professional services or backups.