Anubis Ransomware Incident Analysis: Dual-Threat Cyber Attack with Irreversible File Wiping in Healthcare, Hospitality, and Construction Systems
- Rescana

Executive Summary
This report provides a comprehensive analysis of an emerging cybersecurity incident involving the Anubis ransomware. The incident presents a dual-threat mechanism that not only encrypts victim files using advanced cryptographic methods but also permanently wipes file content via the /WIPEMODE parameter, rendering recovery impossible even when a ransom is paid. The affected sectors include healthcare, hospitality, and construction across Australia, Canada, Peru, and the United States. This advisory integrates technical details, threat actor attribution, and impact assessment while offering clear mitigation recommendations to help organizations manage risks.
The Anubis incident is unprecedented in that its dual-threat functionality significantly elevates the stakes compared to traditional ransomware operations that solely encrypt data. The ransomware’s evolution, beginning as Sphinx during its trial phase, now incorporates a feature that permanently deletes file contents by reducing file sizes to 0 KB while preserving the file names and extensions. Technical evidence is supported by trusted reports from Trend Micro (https://www.trendmicro.com/en_us/research/advisories/anubis-ransomware-report.html) and The Hacker News (https://thehackernews.com/2025/06/anubis-ransomware-encrypts-and-wipes.html). We welcome any questions regarding this report or any related issues at ops at rescana.com.
Incident Details
Initial access in the Anubis ransomware incident is predominantly achieved through phishing emails. Malicious attachments and deceptive links lure victims into executing infected executables that bypass endpoint defenses. In this scenario, the campaign leverages social engineering techniques similar to those documented in previous incidents (e.g., MITRE ATT&CK T1566). Once the malware infiltrates the network, it deploys lateral movement techniques such as privilege escalation by exploiting local vulnerabilities or misconfigured permissions. Operators use techniques like process injection, mapped under MITRE ATT&CK T1055, and exploitation for privilege escalation (T1068) to extend access deeper into the network.
Following successful exploitation, the ransomware performs reconnaissance to identify key files and directories. A notable step in the attack chain is the deletion of volume shadow copies, the point-in-time backup snapshots that recovery depends on. This action correlates with the MITRE ATT&CK technique T1562.001 – Impair Defenses: Disable or Modify System Recovery – and substantially reduces the victim’s ability to restore compromised systems after infection. The infection sequence also deploys two sophisticated loaders, MaskBat and PowerNet. MaskBat uses counterfeit browser update pages to deliver obfuscated code that string analysis links to the financially motivated group FIN7 (also tracked as GrayAlpha). PowerNet, a PowerShell-based loader, decompresses and executes payloads, deepening the attack chain further. These components are well documented in security research from Recorded Future (https://www.recordedfuture.com/anubis-ransomware-FIN7-infrastructure) and BleepingComputer (https://www.bleepingcomputer.com/news/security/anubis-ransomware-dual-threat-analysis).
The final stages of the attack involve a dual-threat execution where the malware encrypts files using robust encryption algorithms, likely an advanced variant of AES, while simultaneously invoking the /WIPEMODE parameter. This command permanently wipes file contents, reducing each file to 0 KB, yet leaves the names and extensions intact. This irreversible wiping mechanism distinguishes Anubis from traditional ransomware variants that merely encrypt data for leverage in ransom negotiations. Detailed technical information and profiling on this mechanism can be traced back to the original reporting by The Hacker News (https://thehackernews.com/2025/06/anubis-ransomware-encrypts-and-wipes.html) and further validated by Trend Micro.
Affected products potentially include compromised systems running various Windows operating systems (e.g., Windows 10, Windows Server 2019) and vulnerable application versions where unpatched privilege escalation vulnerabilities exist. Although specific product versions are not exhaustively detailed in initial reporting, the general environment likely includes systems with outdated security patches, misconfigurations in Microsoft Active Directory implementations, and network edge devices running legacy operating systems. Version details might cover Microsoft Exchange Server 2016 or earlier, and endpoint protection solutions that have not been updated to detect advanced obfuscation techniques as employed by MaskBat and PowerNet.
Threat Actor Analysis
The campaign is orchestrated under a ransomware-as-a-service (RaaS) model, facilitating a flexible affiliate program where revenue splits can vary as high as 80-20 for ransom payments. This affiliate approach indicates a revenue-focused, organized financial motivation. While there has been historical confusion with similarly named malware, such as an Android banking trojan and a Python-based backdoor under the FIN7/GrayAlpha moniker, technical and behavioral differences confirm that Anubis is a separate operation. Reported analysis by Trend Micro and cross-referenced evidence from Recorded Future suggest operational parallels, especially through the use of bogus software update sites to deploy the NetSupport RAT, yet highlight that the ransomware group operates independently.
The identified threat actors exhibit advanced capabilities in using phishing as an entry point, moving laterally by exploiting misconfigurations, and deploying custom loaders. Techniques like process injection and the deliberate deletion of shadow copies illustrate a deep technical proficiency aimed at both encrypting data for extortion and ensuring permanent data destruction. These operators leverage operational infrastructure that includes fake 7-Zip download sites and browser update mimicry, enhancing the effectiveness and reach of their campaigns. While attribution to a single APT group remains inconclusive, the operational methodologies link them to existing financially motivated groups such as FIN7, though with modifications that suit the ransomware's expanded dual-threat capabilities.
The distribution channels for Anubis include recently registered domains with activity noted as recently as April 2025. These domains are often ephemeral and may be hosted using compromised or newly acquired resources, further complicating attribution measures. Observations indicate that the threat actors have honed their operational security to avoid detection by continuously evolving their code signatures and obfuscation techniques. This operational resiliency makes it imperative for organizations to heavily invest in adaptive defense mechanisms and rapid threat intelligence sharing. The group’s methodical removal of recovery options by wiping volume shadow copies and other backup solutions necessitates a reevaluation of current incident response protocols.
Impact Assessment
The immediate business impact of the Anubis ransomware is severe, particularly for organizations operating in critical sectors such as healthcare, hospitality, and construction. The encryption of files paired with irreversible wiping means that even after paying a ransom, data recovery is typically not feasible, leading to prolonged operational downtimes and potentially catastrophic financial losses. Data critical to operational continuity is permanently lost along with sensitive organizational information, which may result in compliance violations and severe reputational damage.
The dual-threat functionality increases leverage for threat actors: victims, faced with the loss of crucial backup data and evidence, must confront the reality that even recovery processes may not restore essential data structures. The lack of data restoration options significantly reduces the effectiveness of traditional cyber insurance claims, as incident recovery expenses escalate dramatically. Further, in environments with outdated automated backup procedures and unpatched privilege escalation flaws, the risk category escalates from a medium threat to a critical one.
In terms of specific exploitation in the wild, incidents involving Anubis have shown indicators of compromise (IOCs) such as file size anomalies (files reduced to 0 KB), unusual PowerShell execution logs indicating the use of PowerNet, and unexpected network traffic patterns corresponding to MaskBat loader activities. These markers serve as tangible indicators for incident responders, and early detection using advanced endpoint detection and response systems is paramount. The affected products or services include systems running potentially vulnerable versions of Microsoft Windows, where exploitation of privilege escalation flaws has been documented, further threatening both industry-specific environment security and broader IT infrastructures.
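The wipe artifact described above (files reduced to 0 KB with names and extensions intact) is the one IOC a responder can hunt for on disk without any vendor tooling. The following is an added example, not code from Rescana or from the cited reports: it walks a directory tree and flags directories where a large share of files are empty and were modified within a short burst, which separates an in-place wipe from a directory that legitimately contains a few placeholder files. The thresholds and the sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Thresholds are assumptions for this example, not figures from the advisory.
MIN_ZERO_FILES = 5       # ignore directories with fewer empty files than this
MIN_ZERO_RATIO = 0.5     # flag when at least half of a directory's files are empty
BURST_WINDOW_SEC = 300   # empties modified within this window count as one burst


def scan_for_wipe_signature(root, min_files=MIN_ZERO_FILES,
                            min_ratio=MIN_ZERO_RATIO, window=BURST_WINDOW_SEC):
    """Walk `root` and report directories whose files look wiped in place:
    many 0-byte files, names and extensions intact, modified in a tight burst.
    Returns {directory: (zero_count, total_count, burst_span_seconds)}."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        sizes, zero_mtimes = [], []
        for name in filenames:
            try:
                st = os.stat(os.path.join(dirpath, name))
            except OSError:
                continue  # vanished or inaccessible: skip rather than abort the scan
            sizes.append(st.st_size)
            if st.st_size == 0:
                zero_mtimes.append(st.st_mtime)
        total, zero = len(sizes), len(zero_mtimes)
        if total == 0 or zero < min_files or zero / total < min_ratio:
            continue
        # A wipe overwrites a whole tree quickly, so the empties cluster in time.
        zero_mtimes.sort()
        span = zero_mtimes[-1] - zero_mtimes[0]
        if span <= window:
            findings[dirpath] = (zero, total, span)
    return findings


def build_sample_tree(base=None):
    """Constructed sample data (not from a real incident): one directory wiped
    in place, one healthy directory with a single legitimately empty file."""
    base = Path(base or tempfile.mkdtemp(prefix="anubis_demo_"))
    wiped, healthy = base / "projects", base / "archive"
    wiped.mkdir(parents=True, exist_ok=True)
    healthy.mkdir(parents=True, exist_ok=True)
    for i in range(6):
        (wiped / f"plan_{i}.docx").write_bytes(b"")  # name and extension kept, content gone
    (wiped / "readme.txt").write_bytes(b"untouched")
    for i in range(6):
        (healthy / f"invoice_{i}.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (healthy / "placeholder.log").write_bytes(b"")  # one empty file is normal
    return str(base)
```

Run `scan_for_wipe_signature(build_sample_tree())` to see the wiped directory reported and the healthy one ignored; on a real host, point it at file shares and user profile roots and treat any hit as a trigger for isolation and shadow-copy verification.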
Furthermore, critical data such as patient records within the healthcare sector or proprietary construction project details are at high risk, calling for immediate regulatory and internal security review processes. For organizations with critical infrastructure dependencies, the tactical evolution seen in Anubis necessitates comprehensive network segmentation and rigorous data backup protocols that are isolated from core network resources. Mitigation steps based on this analysis highlight the severity of the threat, and the risks must be effectively communicated to decision-makers to prioritize remediation efforts.
Recommendations
Immediate action is critical in mitigating the threat posed by Anubis ransomware. Organizations are advised to implement multi-factor authentication across all network access points and enforce stringent email filtering policies to reduce the effectiveness of phishing campaigns. Critical vulnerabilities, especially those leading to privilege escalation on systems such as Microsoft Active Directory, must be prioritized and patched without delay. Backup solutions should be physically isolated, ensuring that even if the primary network is compromised, backup data remains secure and is regularly tested for integrity.
Detection mechanisms should be bolstered through the deployment of advanced endpoint detection and response (EDR) systems configured to flag anomalous PowerShell activities and process injection techniques as seen with PowerNet. Organizations should also monitor network traffic for any signs of connection to suspicious domains associated with MaskBat or other malicious infrastructure. Regular security audits assessing the effectiveness of current email security gateways and simulated phishing exercises can further highlight internal vulnerabilities.
In the medium term, technical teams should develop incident response plans that include out-of-band communication channels and ensure that there is a clear, documented process for escalating ransomware events. Organizations are encouraged to work with third-party cybersecurity professionals to conduct comprehensive vulnerability assessments, specifically focusing on configurations that may allow shadow copy deletion, a critical action observed in this incident. Employee training in recognizing phishing techniques and social engineering tactics should be intensified.
Additionally, enhanced logging and monitoring infrastructures must be activated, ensuring that any deviations from baseline network behavior are detected in near real-time. Strategic threat intelligence services should be utilized to maintain an updated list of IOCs, including file size anomalies and unexpected deletion logs, which can aid in the early detection and containment of further malicious activities. Critical recommendations include immediate isolation of infected systems, comprehensive post-incident forensic analysis, and the reevaluation of backup protocols to include immutable storage protocols.
Organizations must consider a layered security approach that encompasses both preventive and reactive measures. This includes deploying intrusion prevention systems, hardening system configurations, and validating that remote access channels are securely encrypted and monitored. Given the evolving nature of ransomware operations exemplified by Anubis, maintaining current threat intelligence feeds is also essential to adapt defenses promptly.
References
The technical details and threat assessments referenced in this report are supported by high-confidence sources including The Hacker News at https://thehackernews.com/2025/06/anubis-ransomware-encrypts-and-wipes.html, Trend Micro’s advisory available at https://www.trendmicro.com/en_us/research/advisories/anubis-ransomware-report.html, Recorded Future’s analysis accessible at https://www.recordedfuture.com/anubis-ransomware-FIN7-infrastructure, and further insights documented by BleepingComputer at https://www.bleepingcomputer.com/news/security/anubis-ransomware-dual-threat-analysis. It is imperative that organizations continuously review these sources and similar trusted publications for the latest countermeasure updates.
About Rescana
Rescana assists customers by providing robust Third Party Risk Management (TPRM) solutions that help organizations systematically assess and manage cascading risks from vendor relationships and cybersecurity vulnerabilities. Our platform simplifies continuous monitoring of cybersecurity threats, enables timely risk evaluations, and facilitates the prioritization of mitigation plans based on severity. We help organizations make informed decisions by delivering actionable intelligence and performance metrics that are critical in protecting operational continuity during cyber incidents such as this. We are happy to answer any questions you might have about the report or any other issue at ops at rescana.com.