Full Report
Analysis Summary
# Tool/Technique: Anubis Ransomware
## Overview
Anubis is a ransomware strain that has been updated to include a wiper capability designed to irreversibly destroy files, even those not encrypted, moving beyond standard file encryption to ensure data recovery is impossible beyond the scope of the encryption.
## Technical Details
- Type: Malware family (Ransomware with Wiper functionality)
- Platform: Windows (Inferred from typical ransomware targets and references to system functions)
- Capabilities: File encryption, data destruction (wiper), shadow copy deletion, process termination, privilege elevation.
- First Seen: Information not explicitly provided in the text, but described as "emerging."
## MITRE ATT&CK Mapping
*Note: Specific mappings are inferred based on the described malicious activities.*
- **TA0001 - Initial Access** (Phishing emails)
- **T1566 - Phishing**
- **T1566.001 - Spearphishing Attachment** or **T1566.002 - Spearphishing Link** (Mention of phishing emails with malicious links/attachments)
- **TA0004 - Privilege Escalation**
- **T1054.004 - Service Execution** (Implied through process/service termination or direct execution capabilities)
- **TA0005 - Defense Evasion & TA0003 - Persistence** (Implied)
- **T1070.004 - File Deletion** (Wiper component)
- **TA0011 - Command and Control** (Implied communication channel for operation)
- **TA0040 - Impact**
- **T1486 - Data Encrypted for Impact** (Standard ransomware functionality)
- **T1485 - Data Destruction** (Wiper functionality)
## Functionality
### Core Capabilities
- **File Encryption:** Encrypts files and appends the `.anubis` extension.
- **Ransom Note Delivery:** Drops an HTML ransom note on impacted directories.
- **System Interference Removal:** Removes Volume Shadow Copies (VSS) to hinder restoration.
- **Process Termination:** Terminates processes and services that might interfere with the encryption operations.
### Advanced Features
- **Wiper Functionality:** Includes a dedicated mechanism to destroy file contents beyond what is encrypted, making recovery impossible even for files that appear untouched.
- **Command Support:** Supports several commands upon launch, including privilege elevation, directory exclusion definition, and specification of target paths for encryption.
- **Encryption Scheme:** Uses ECIES (Elliptic Curve Integrated Encryption Scheme).
- **Evasion:** Excludes important system and program directories by default to maintain system integrity for the attacker's continued operation.
- **Behavioral Linkage:** Implementation shows similarities to other ransomware families like EvilByte and Prince.
- **Cosmetic Change Attempt:** Attempts (but fails) to change the desktop wallpaper.
## Indicators of Compromise
- File Hashes: (Not provided in text, external IOC list referenced)
- File Names: (Not provided in text)
- Registry Keys: (Not provided in text)
- Network Indicators: (Not provided in text, external IOC list referenced)
- Behavioral Indicators:
- Execution following phishing emails (links/attachments).
- Execution of commands for privilege escalation.
- Attempting to delete Volume Shadow Copies.
- Terminating system and security-related services/processes.
- Appending `.anubis` extension to encrypted files.
## Associated Threat Actors
- Information not explicitly named regarding threat actor groups employing this specific variant, though implementation similarities to EvilByte and Prince suggest potential overlap or derivation from those circles.
## Detection Methods
- Signature-based detection: (Not detailed, but typical implementation would involve specific file hashes or static analysis signatures derived from Trend Micro's analysis mentioned).
- Behavioral detection: Monitoring for processes attempting to delete VSS, terminate critical services, or executing encryption routines using ECIES implementation patterns.
- YARA rules: (Not provided in text, but could be developed based on unique strings or code structure similarity to EvilByte/Prince).
## Mitigation Strategies
- **Email Security:** Implement robust email filtering to block malicious links and attachments associated with phishing attacks.
- **Endpoint Protection:** Utilize EDR solutions capable of monitoring and blocking VSS deletion and termination of critical system processes.
- **Backup Strategy:** Maintain offline/immutable backups, as shadow copies are actively removed.
- **System Hardening:** Apply principle of least privilege to reduce the success rate of privilege escalation attempts.
## Related Tools/Techniques
- EvilByte Ransomware (Implementation similarities noted)
- Prince Ransomware (Implementation similarities noted)
- Use of ECIES encryption scheme.