Trend Micro identified a novel "wipe mode" included in Anubis ransomware to prevent file recovery, increasing pressure on victims to give in to demands.
# Analysis Summary
# Tool/Technique: Anubis Ransomware (File-Wiping Capability)
## Overview
Anubis is a Ransomware-as-a-Service (RaaS) operation that has recently evolved by incorporating a novel "wipe mode" alongside its standard file encryption capabilities. This dual threat aims to maximize pressure on victims by offering the option to permanently destroy data if the ransom is not paid, thus making recovery impossible.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Not explicitly stated, but ransomware typically targets Windows systems.
- Capabilities: File encryption (standard ransomware operation) and permanent file wiping (destructive action).
- First Seen: The addition of the file-wiping feature was reported on June 13, 2025 (based on the date of the research report referenced).
## MITRE ATT&CK Mapping
*Note: Specific mappings are inferred based on the described ransomware and destructive behavior.*
- **TA0009 - Collection**
  - T1005 - Data from Local System (access to files before wiping/encryption)
- **TA0040 - Impact**
  - T1486 - Data Encrypted for Impact (standard ransomware function)
  - T1485 - Data Destruction (implied by the "wipe mode")
## Functionality
### Core Capabilities
- **Ransomware-as-a-Service (RaaS):** Operates under a flexible affiliate program model.
- **File Encryption:** Encrypts victim files, demanding ransom for the decryption key.
### Advanced Features
- **Dual-Threat Capability:** Combines standard encryption with a destructive "wipe mode."
- **Permanent Data Destruction:** The wipe mode uses command-line operations designed to permanently erase system data, potentially circumventing recovery options and forcing payment.
- **Monetization Strategy Expansion:** Beyond pure ransomware, the RaaS model likely includes affiliate programs for data ransom and access monetization.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: [Not provided in the text]
- Network Indicators: [Not provided; C2 infrastructure is inherent to a RaaS operation, but no details are given in the text]
- Behavioral Indicators: Execution of command line operations designed to alter system settings beyond standard encryption (e.g., commands related to data destruction or system modification).
## Associated Threat Actors
- Anubis RaaS Operator and its affiliates.
## Detection Methods
- Signature-based detection: Requires updated signatures for new Anubis variants containing the wipe logic.
- Behavioral detection: Monitoring for unusual command-line execution patterns associated with file deletion/wiping or system modification that deviate from normal application behavior, especially during or immediately after an encryption event.
- YARA rules: [Not available in the text]
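The wipe-after-encrypt sequence described under Advanced Features and the behavioral detection idea above, as an added example that is not from the Trend Micro report or any Anubis sample: a toy correlation over constructed file-modification and process-creation events that flags a wipe-like command line only when it follows a burst of file modifications. The event schema, the command-line patterns, the burst thresholds and the sample log are all assumptions for this illustration.

```python
"""Toy wipe-after-encrypt correlation (added example; event schema, patterns
and sample log are constructed, not taken from the Anubis report)."""
import re
from datetime import datetime, timedelta

# Command-line shapes commonly associated with data erasure (assumed list).
WIPE_PATTERNS = [
    re.compile(r"\bdel\b.*\s/[sq]\b", re.I),                     # recursive/quiet delete
    re.compile(r"\bcipher(\.exe)?\b.*\s/w:", re.I),             # overwrite free space
    re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I),  # remove restore points
]
BURST_THRESHOLD = 20                  # file modifications per window => "encrypting"
BURST_WINDOW = timedelta(seconds=60)
FOLLOW_WINDOW = timedelta(minutes=5)  # wipe command this soon after a burst is suspect

def parse(line):
    """'<ISO timestamp> <FILE_MOD|PROC_CREATE> <pid> <path or command line>'."""
    ts, kind, pid, detail = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "pid": pid, "detail": detail}

def is_wipe_command(cmdline):
    return any(p.search(cmdline) for p in WIPE_PATTERNS)

def detect(lines):
    """Return (timestamp, pid, command line) for wipe commands following a burst."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    recent_mods, last_burst, alerts = [], None, []
    for e in events:
        if e["kind"] == "FILE_MOD":
            recent_mods = [t for t in recent_mods if e["ts"] - t <= BURST_WINDOW]
            recent_mods.append(e["ts"])
            if len(recent_mods) >= BURST_THRESHOLD:
                last_burst = e["ts"]          # still inside an encryption-like burst
        elif e["kind"] == "PROC_CREATE" and is_wipe_command(e["detail"]):
            if last_burst is not None and e["ts"] - last_burst <= FOLLOW_WINDOW:
                alerts.append((e["ts"].isoformat(), e["pid"], e["detail"]))
    return alerts

# Constructed sample: 25 files rewritten in one minute, then a destructive command.
SAMPLE = [f"2025-06-13T10:00:{i:02d} FILE_MOD 4120 C:\\Users\\acct\\doc{i}.xlsx.enc"
          for i in range(25)]
SAMPLE += ["2025-06-13T10:02:10 PROC_CREATE 4120 cmd.exe /c del /f /s /q C:\\Users\\acct\\*",
           # same command an hour earlier with no preceding burst: not alerted
           "2025-06-13T09:10:00 PROC_CREATE 7001 cmd.exe /c del /f /s /q C:\\temp\\build\\*"]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print("ALERT wipe-after-encrypt:", alert)
```

The pattern list is deliberately short; in production the burst detector would be per-process or per-user and the patterns would come from a maintained rule set rather than a hard-coded list.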
## Mitigation Strategies
- **Backups:** Maintain immutable, offline, and segmented backups to ensure data recovery even if erasure mechanisms are executed.
- **Access Control:** Implement least privilege to limit the scope of files an attacker can target for encryption or wiping.
- **Endpoint Detection and Response (EDR):** Configure EDR solutions to aggressively monitor and flag command-line activity indicative of data manipulation or destruction.
- **Ransomware Playbook:** Develop and test incident response plans that specifically account for both encryption *and* complete data destruction scenarios.
## Related Tools/Techniques
- Other ransomware strains using dual-threat extortion (e.g., encryption plus data exfiltration or destruction).
- File Wiping Malware (dedicated tools designed solely for destruction).