Full Report
An emerging ransomware strain has been discovered incorporating capabilities to encrypt files as well as permanently erase them, a development that has been described as a "rare dual-threat." "The ransomware features a 'wipe mode,' which permanently erases files, rendering recovery impossible even if the ransom is paid," Trend Micro researchers Maristel Policarpio, Sarah Pearl Camiling, and
Analysis Summary
# Tool/Technique: Anubis Ransomware
## Overview
Anubis is an emerging Ransomware-as-a-Service (RaaS) strain that operates as a dual-threat tool, capable of both encrypting files and permanently wiping their contents, thereby making recovery virtually impossible even if the ransom is paid. The operation emphasizes data extortion alongside encryption.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Assumed to be Windows-based given typical enterprise ransomware operations and the use of `vssadmin` for shadow copy deletion, though the specific OS is not explicitly stated in the source.
- Capabilities: File encryption, data wiping (file content reduction to 0 KB), extortion through data theft, affiliate program management.
- First Seen: Became active in December 2024. Formerly named Sphinx in early samples.
## MITRE ATT&CK Mapping
The attack chain described in the source maps to the following tactics and techniques; entries marked "implied" or "not explicitly mentioned" are inferred rather than stated:
- **TA0001 - Initial Access** (Implied by phishing emails)
  - **T1566 - Phishing**
  - **T1566.001 - Spearphishing Attachment** (Implied by phishing emails mentioned)
- **TA0004 - Privilege Escalation**
  - **T1068 - Exploitation for Privilege Escalation** (Implied by privilege escalation step)
- **TA0007 - Discovery**
  - **T1082 - System Information Discovery** (Implied by reconnaissance)
- **TA0009 - Collection**
  - **T1005 - Data from Local System** (Implied by data extortion component)
- **TA0003 - Persistence** (Not explicitly mentioned, but common in ransomware)
- **TA0006 - Credential Access** (Not explicitly mentioned, but common in ransomware)
- **TA0005 - Defense Evasion**
  - **T1490 - Inhibit System Recovery**
  - **T1490.001 - Delete Volume Shadow Copies** (Explicitly mentioned: "delete volume shadow copies")
- **TA0040 - Impact**
  - **T1486 - Data Encrypted for Impact** (Explicitly mentioned: encrypting files)
  - **T1485 - Data Destruction** (Explicitly mentioned via 'wipe mode')
## Functionality
### Core Capabilities
- **Ransomware Encryption:** Encrypts victim files.
- **Data Destruction (Wiping):** Utilizes a dedicated 'wipe mode' (invoked via `/WIPEMODE` parameter) to permanently erase file contents, setting file sizes to 0 KB while potentially retaining filenames/extensions.
- **Attack Chain Execution:** Follows a process involving phishing for initial access, escalating privileges, performing reconnaissance, deleting shadow copies, and finally encrypting/wiping files.
### Advanced Features
- **Ransomware-as-a-Service (RaaS) Model:** Operates a flexible affiliate program with negotiable revenue splits: 80% for the affiliate on ransomware payments, 60-40 split for data extortion, and 50-50 split for access sales.
- **Double Extortion:** Leverages both encryption/destruction and data extortion capabilities to maximize pressure on victims.
- **Naming Confusion Disclaimer:** The threat actors explicitly noted that this strain is *not* linked to the legacy Android banking trojan or the Python-based backdoor used by the FIN7 group, despite having the same name ("Anubis").
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context, though it modifies extensions after encryption]
- Registry Keys: [Not provided in the context]
- Network Indicators: [Not provided in the context]
- Behavioral Indicators:
  - Execution of commands/parameters to delete volume shadow copies.
  - File size modification to 0 KB for targeted files via 'wipe mode'.
  - Communication related to affiliate program monetization (extortion/access sales).
## Associated Threat Actors
- Threat Actors operating the Anubis RaaS infrastructure (Affiliates).
- The source also mentions FIN7 (GrayAlpha) delivering a *different*, Python-based backdoor around the same time, but explicitly states that Anubis has *no ties* to the FIN7 group.
## Detection Methods
- Signature-based detection: [Not provided in the context]
- Behavioral detection: Monitoring for attempts to delete Volume Shadow Copies (`vssadmin delete shadows /all`). Monitoring for processes aggressively setting file sizes to zero across multiple user-facing file types.
- YARA rules: [Not provided in the context]
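As an added detection example (not from the Trend Micro report or the summary above), the following Python checks constructed process-creation and file-size-change events for the two behavioral indicators named here: `vssadmin` shadow copy deletion and wipe-mode truncation of many files to 0 bytes. The event field names (`pid`, `cmdline`, `path`, `old_size`, `new_size`) are an assumed schema, and all records are constructed samples.

```python
from collections import defaultdict
import ntpath

# Constructed process-creation events (hypothetical schema, not real telemetry).
PROCESS_EVENTS = [
    {"pid": 4120, "cmdline": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4121, "cmdline": "vssadmin list shadows"},
    {"pid": 5000, "cmdline": "explorer.exe"},
]

# Constructed file-size-change events: pid 7001 behaves like wipe mode, 7002 is benign.
FILE_EVENTS = [
    {"pid": 7001, "path": r"C:\Users\alice\Documents\q3.xlsx", "old_size": 88210, "new_size": 0},
    {"pid": 7001, "path": r"C:\Users\alice\Documents\plan.docx", "old_size": 40111, "new_size": 0},
    {"pid": 7001, "path": r"C:\Users\alice\Pictures\team.jpg", "old_size": 912300, "new_size": 0},
    {"pid": 7001, "path": r"C:\Users\alice\Desktop\notes.txt", "old_size": 512, "new_size": 0},
    {"pid": 7001, "path": r"C:\Users\alice\Documents\deck.pptx", "old_size": 2048000, "new_size": 0},
    {"pid": 7002, "path": r"C:\ProgramData\app\app.log", "old_size": 10485760, "new_size": 0},
]

def is_shadow_copy_deletion(cmdline):
    """True when the command line runs vssadmin with 'delete shadows' (T1490.001)."""
    tokens = [t.strip('"').lower() for t in cmdline.split()]
    if not tokens:
        return False
    image = ntpath.basename(tokens[0])  # handles both bare name and full path
    if image not in ("vssadmin", "vssadmin.exe"):
        return False
    return "delete" in tokens and "shadows" in tokens

def find_wipe_mode_candidates(file_events, min_files=5, min_extensions=3):
    """Return {pid: sorted extensions} for processes that truncated at least min_files
    non-empty files to 0 bytes across min_extensions file types (wipe mode, not log rotation)."""
    per_pid = defaultdict(list)
    for ev in file_events:
        if ev["old_size"] > 0 and ev["new_size"] == 0:
            per_pid[ev["pid"]].append(ev["path"])
    flagged = {}
    for pid, paths in per_pid.items():
        exts = {ntpath.splitext(p)[1].lower() for p in paths}
        if len(paths) >= min_files and len(exts) >= min_extensions:
            flagged[pid] = sorted(exts)
    return flagged

def detect(process_events, file_events):
    """Combine both checks into one alert list of (technique, pid) tuples."""
    alerts = [("T1490.001 shadow copy deletion", ev["pid"])
              for ev in process_events if is_shadow_copy_deletion(ev["cmdline"])]
    alerts += [("T1485 wipe-mode truncation", pid)
               for pid in find_wipe_mode_candidates(file_events)]
    return alerts
```

The thresholds in `find_wipe_mode_candidates` are starting points; tune `min_files` and `min_extensions` against your own baseline so a single log truncation or cache clear does not alert.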
## Mitigation Strategies
- **Email Security:** Implement robust measures against phishing to block initial access vectors (T1566).
- **Backup and Recovery:** Maintain offline, immutable, and regularly tested backups, as file wiping minimizes the effectiveness of standard recovery methods.
- **Access Control:** Implement Principle of Least Privilege to limit an adversary's window for privilege escalation.
- **System Hardening:** Ensure that mechanisms for shadow copy deletion are monitored or restricted where possible (shadow copy deletion is a legitimate administrative function, but unusual or bulk use can signal malicious activity).
- **Segmentation:** Limit lateral movement post-breach.
## Related Tools/Techniques
- Sphinx (Potential predecessor name).
- Other Ransomware strains employing data destruction (Wipers).
- NetSupport RAT (Mentioned in context regarding FIN7, but not directly delivered by Anubis).
- Python-based backdoor (Used by FIN7, distinct from Anubis ransomware).