Full Report
Although many ransomware gangs no longer encrypt victims and focus on exfiltration and extortion, some groups continue to encrypt. Anubis RaaS is one of them. SuspectFile reports that Anubis recently attacked Mid South Pulmonary & Sleep Specialists (MSPS) in Tennessee and was willing to answer some questions from SuspectFile. According to the spokesperson, initial access...
Analysis Summary
# Incident Report: Anubis RaaS Extortion and Encryption of MSPS
## Executive Summary
The Anubis Ransomware-as-a-Service (RaaS) group successfully breached Mid South Pulmonary & Sleep Specialists (MSPS) via an undisclosed initial access vector on November 10, 2025. The attackers remained undetected for one week, mapping the network and exfiltrating 860 GB of data, including sensitive PII and PHI. The group ultimately encrypted the victim's Nutanix environment and deleted the decryption key after negotiations failed, leading to a significant data leak of 300 GB.
## Incident Details
- Discovery Date: Not disclosed (Attackers were inside for approximately one week before impacting operations)
- Incident Date: November 17, 2025 (the encryption struck overnight and paralyzed the network)
- Affected Organization: Mid South Pulmonary & Sleep Specialists (MSPS)
- Sector: Healthcare (Pulmonology and Sleep Specialists)
- Geography: Tennessee, USA
## Timeline of Events
### Initial Access
- Date/Time: November 10, 2025
- Vector: Not disclosed (the attackers stated only that they obtained initial access to IT systems)
- Details: Attackers gained a foothold and began internal reconnaissance.
### Lateral Movement
- Date/Time: November 10 – November 17, 2025 (Approx. one week)
- Details: Attackers spent time analyzing the business structure, planning the operation, and extracting sensitive data. The attackers characterized the victim as "technically incompetent."
### Data Exfiltration/Impact
- Date/Time: Prior to November 17, 2025
- Details: Attackers exfiltrated 860 GB of data, encompassing administrative records, extensive medical billing documents, and PII/PHI (including SSNs and MRNs).
- Date/Time: Night of November 17, 2025 (Approx.)
- Details: The attackers encrypted “all of MSPS’s Nutanix systems” and paralyzed the entire network.
### Detection & Response
- Date/Time: Post-encryption/Paralysis
- Details: The breach was reported by SuspectFile when they engaged with the threat actors. The victim reportedly did not respond to attacker inquiries regarding negotiations or instructions. The attackers deleted the decryption key after negotiations ceased.
## Attack Methodology
- Initial Access: Undisclosed method; the attackers stated they gained initial access on November 10, 2025.
- Persistence: Not explicitly detailed, but indicated by the week-long dwell time prior to execution.
- Privilege Escalation: Not specified, but implied necessary to access sensitive data stores (Nutanix systems).
- Defense Evasion: Not specified, but evidently effective, since the attackers remained undetected for about a week.
- Credential Access: Not specified.
- Discovery: Attackers "thoroughly studied their business, analyzed sensitive data, and planned the operation."
- Lateral Movement: Not specified, but utilized for data exploration prior to impact.
- Collection: 860 GB of data obtained, including PHI, PII, and billing information.
- Exfiltration: 860 GB exfiltrated; 300 GB subsequently leaked publicly by the threat actors.
- Impact: Full network paralysis via encryption of Nutanix systems; data destruction (deletion of decryption key).
## Impact Assessment
- Financial: Not quantified; system paralysis and data loss imply significant recovery and remediation costs.
- Data Breach: 860 GB exfiltrated (300 GB leaked), containing highly sensitive patient health information (PHI, diagnoses, SSNs, MRNs) and business/billing records.
- Operational: Total paralysis of network operations, described as the victim being unable to "do anything" even after the encryption event.
- Reputational: MSPS reportedly did not respond to inquiries and has not posted a public disclosure on its website, though other breached entities in the sector have faced scrutiny.
## Indicators of Compromise
*Note: No specific IoCs (IPs/Domains) were provided in the source material.*
- Network Indicators: Unknown/Not provided.
- File Indicators: Encrypted Nutanix volumes; presence of extortion/leak notes.
- Behavioral Indicators: Extended dwell time (approx. 7 days) focused on reconnaissance and extensive data collection prior to deploying encryption payload.
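The behavioral indicator above (sustained bulk egress over several days before encryption) is something flow logs can surface. The following is an added example, not code from the source report or from any tool it names; the flow records, host names and destination addresses are constructed, and the 50 GB/day threshold and the "10.x.x.x is internal" assumption are illustrative choices.

```python
"""Flag hosts whose outbound volume stays high across several days, the pattern
of a week-long staging/exfiltration phase rather than a one-off bulk job.
Sample data is constructed for the example; it is not data from the incident."""
from collections import defaultdict

GB = 1024 ** 3

# Constructed daily flow summaries: (day, source_host, dest_ip, bytes_out).
# fileserver01 moves ~860 GB over seven days; backup02 moves 400 GB in one day.
SAMPLE_FLOWS = [
    ("2025-11-10", "fileserver01", "203.0.113.10", 120 * GB),
    ("2025-11-11", "fileserver01", "203.0.113.10", 140 * GB),
    ("2025-11-12", "fileserver01", "203.0.113.10", 130 * GB),
    ("2025-11-13", "fileserver01", "203.0.113.10", 110 * GB),
    ("2025-11-14", "fileserver01", "203.0.113.10", 150 * GB),
    ("2025-11-15", "fileserver01", "203.0.113.10", 100 * GB),
    ("2025-11-16", "fileserver01", "203.0.113.10", 110 * GB),
    ("2025-11-10", "workstation07", "198.51.100.5", 2 * GB),
    ("2025-11-11", "workstation07", "198.51.100.5", 1 * GB),
    ("2025-11-12", "workstation07", "198.51.100.5", 3 * GB),
    ("2025-11-13", "backup02", "192.0.2.20", 400 * GB),
    ("2025-11-13", "backup02", "10.20.0.5", 900 * GB),  # internal copy, ignored
]


def daily_egress(flows):
    """Sum outbound bytes per (host, day) to external destinations.
    Assumption for the example: anything outside 10.0.0.0/8 is external."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if not dst.startswith("10."):
            totals[(host, day)] += nbytes
    return totals


def sustained_exfil_hosts(flows, daily_threshold_gb=50, min_days=3):
    """Return {host: total_external_GB} for hosts exceeding the daily threshold
    on at least min_days distinct days. A single large day (e.g. a scheduled
    backup to a cloud target) is not flagged; several consecutive ones are."""
    heavy_days = defaultdict(list)
    for (host, day), nbytes in daily_egress(flows).items():
        if nbytes >= daily_threshold_gb * GB:
            heavy_days[host].append((day, nbytes))
    return {host: round(sum(b for _, b in days) / GB)
            for host, days in heavy_days.items() if len(days) >= min_days}


if __name__ == "__main__":
    for host, total_gb in sustained_exfil_hosts(SAMPLE_FLOWS).items():
        print(f"ALERT sustained egress: {host} sent {total_gb} GB externally")
```

Tune the threshold against a per-host baseline in production; the fixed value here only serves to show the multi-day rule separating staged exfiltration from a one-day bulk transfer.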
## Response Actions
- Containment: Not stated; the network paralysis marks the active impact phase.
- Eradication: Implicitly required through system rebuilds, since the decryption key was deleted.
- Recovery: The victim reportedly abandoned negotiations and remained unable to operate its systems after the attack.
## Lessons Learned
- Encryption remains a viable and destructive tactic, notwithstanding the industry trend toward simple extortion.
- Prolonged dwell time allows ransomware gangs to conduct comprehensive intelligence gathering before execution.
- Poor IT management or potential lack of security maturity (described as "technically incompetent") can significantly worsen the outcome of a breach.
- Failure to engage or comply with threat actor instructions can result in the intentional destruction of recovery mechanisms (deletion of the decryption key).
## Recommendations
- **Strengthen Data Segregation/Backup Strategy:** Implement immutable, offline backups covering critical infrastructure, especially virtualization platforms like Nutanix, ensuring quick recovery without relying on threat actor keys.
- **Enhance Internal Security Posture:** Address technical deficiencies reported by the threat actors to reduce the likelihood of successful long-term compromise.
- **Bolster Monitoring and Detection:** Reduce dwell time by actively monitoring for reconnaissance, data staging, and lateral movement activities, especially across critical environments where PHI is stored.
- **Develop Comprehensive Incident Response Plan:** Ensure clear communication protocols are in place, accounting for potential engagement/non-engagement scenarios with threat actors.