Anubis Ransomware Destroys Files Even After Payment

A new ransomware group called Anubis is gaining attention for its dangerous double-threat attacks.

In a rush? Here are the quick facts:

  • Anubis ransomware encrypts and permanently wipes files, making recovery impossible.
  • The group offers flexible affiliate programs for cybercriminals.
  • Anubis spreads through phishing emails and uses privilege escalation.

The Anubis ransomware group differs from standard ransomware by including a file-wiping feature, which makes recovery impossible, even when victims pay the ransom.

“Anubis is an emerging Ransomware-as-a-Service (RaaS) operation that combines file encryption with file destruction — a rare dual-threat capability,” researchers at Trend Micro reported.

Anubis was first spotted in December 2024, when it operated under the Sphinx name. The group has attacked organizations in the healthcare, construction, and engineering sectors across the United States, Canada, Peru, and Australia.

The Anubis affiliate program operates on Russian-language forums while providing multiple revenue streams to cybercriminals through data extortion, access sales, and traditional ransomware attacks. As the researchers noted, “All their proposed revenue-share structures are open to negotiation for long-term cooperation.”

The malware enters networks through phishing emails and checks for administrator privileges before proceeding. It uses ECIES encryption to lock files, and it also has an optional feature that erases file contents, leaving empty files that cannot be recovered.

The ransom note, titled RESTORE FILES.html, warns victims that their data will be disclosed unless they make a payment. The malware also tries to set the Anubis logo as the system wallpaper during attacks, but this modification failed during testing.

Experts say the file-wiping function is especially dangerous. “This destructive tendency adds pressure on victims and raises the stakes of an already damaging attack,” they wrote.

To defend against Anubis, experts recommend backing up data offline, updating software regularly, limiting admin access, and training staff to recognize phishing. Organizations should implement multiple security layers, including tools that identify suspicious system behavior at an early stage.
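
As an added example (not from the article or from Trend Micro's research), here is a Python triage check for the wipe behavior described above: it compares a directory tree with a size baseline recorded earlier and flags files that have become empty, plus newly dropped copies of the ransom note. The baseline approach, the function names and the 50% alert threshold are assumptions, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

RANSOM_NOTE = "RESTORE FILES.html"  # note file name as reported in the article

def snapshot(root):
    """Record relative path -> size in bytes for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.stat().st_size
            for p in root.rglob("*") if p.is_file()}

def triage(root, baseline, wipe_ratio=0.5):
    """Compare the tree with an earlier baseline and summarise wipe indicators."""
    current = snapshot(root)
    # Only files that held data at baseline time can count as "emptied".
    tracked = [path for path, size in baseline.items() if size > 0]
    emptied = sorted(p for p in tracked if current.get(p) == 0)
    # Missing files may have been renamed or deleted (assumption: worth reporting).
    missing = sorted(p for p in tracked if p not in current)
    notes = sorted(p for p in current
                   if Path(p).name == RANSOM_NOTE and p not in baseline)
    ratio = len(emptied) / len(tracked) if tracked else 0.0
    return {
        "emptied": emptied,
        "missing": missing,
        "ransom_notes": notes,
        "emptied_ratio": ratio,
        # Alert on a new ransom note or when the emptied share passes the
        # threshold (0.5 is an assumed default, tune per environment).
        "alert": bool(notes) or ratio >= wipe_ratio,
    }

def demo():
    """Run the check on a constructed tree; no real data is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for name in ("a.txt", "docs/b.txt", "docs/c.txt"):
            (root / name).write_text("constructed sample data")
        (root / "empty.log").write_text("")  # already empty: never flagged
        baseline = snapshot(root)
        # Constructed post-incident state: two files emptied, note dropped.
        (root / "a.txt").write_text("")
        (root / "docs" / "b.txt").write_text("")
        (root / "docs" / RANSOM_NOTE).write_text("<html></html>")
        return triage(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored somewhere the affected host cannot modify, for the same reason the article recommends offline backups.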
