Stratos Ally

Anubis: The Ransomware That Pretends to Encrypt, But Actually Destroys Your Files

StratosAlly

A newly discovered ransomware strain, known as “Anubis,” is turning heads in the cybersecurity world. Unlike conventional ransomware that solely encrypts data, Anubis poses a dual threat by also having the capability to permanently erase files if ransom demands are not met—prompting cybersecurity researchers at Trend Micro to label it a “dual threat.”

This malware started popping up in late 2024, and it’s already been spotted hitting targets across several countries: the U.S., Canada, Peru, and Australia. It has been targeting organizations in the healthcare, construction, and hospitality sectors—industries that rely heavily on constant access to data.

What makes Anubis different from older ransomware is its deployment model. Rather than being operated by a single group, it’s part of a ransomware-as-a-service (RaaS) operation. This structure enables criminal affiliates to get up to 80% of the ransom if successful. And that’s not the only way to profit—there are additional kickbacks for selling stolen data or granting paid access to breached systems.

Interestingly, early versions of the malware used the name “Sphinx” before rebranding. This version appears to be more aggressive. Its attack chain begins with phishing emails carrying malicious attachments as the initial access vector. Once a user is tricked into opening one, the malware spreads, escalates privileges, and disables backup recovery options.

Among its most alarming capabilities is a feature referred to by researchers as the /WIPEMODE command. This function completely erases the contents of targeted files, leaving behind only the file name and extension—creating the illusion that the data remains intact. In reality, the files are reduced to empty 0 KB shells with no possibility of recovery.
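The wipe behaviour described above has a recognisable footprint on disk: files keep their names and extensions but shrink to 0 bytes. The following is an added detection example (not code from the article or from Trend Micro's report) that compares a baseline size inventory of a directory tree against its current state and flags files that went from non-empty to empty in place; the 50% alert threshold is an assumed value.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

def inventory(root: str) -> Dict[str, int]:
    """Record the size of every regular file under root (paths relative to root)."""
    base = Path(root)
    return {str(p.relative_to(base)): p.stat().st_size
            for p in base.rglob("*") if p.is_file()}

def find_wiped(baseline: Dict[str, int], current: Dict[str, int]) -> List[str]:
    """Files that still exist under the same name but went from non-empty to 0 bytes.
    Deleted files and files that merely shrank are not counted: the behaviour
    described is an in-place truncation that preserves the file name, and files
    that were already empty in the baseline are ignored to avoid false positives."""
    return sorted(path for path, size in baseline.items()
                  if size > 0 and current.get(path) == 0)

def wipe_alert(baseline: Dict[str, int], current: Dict[str, int],
               threshold: float = 0.5) -> bool:
    """True when the share of previously non-empty files now empty reaches the
    threshold (assumed 50%); a handful of emptied files is normal, mass truncation is not."""
    nonempty = [p for p, s in baseline.items() if s > 0]
    if not nonempty:
        return False
    return len(find_wiped(baseline, current)) / len(nonempty) >= threshold

def demo() -> List[str]:
    """Constructed scenario in a temp directory: write three files, take a
    baseline, then truncate two of them in place to mimic the 0 KB shells."""
    root = Path(tempfile.mkdtemp())
    for name, data in [("a.docx", b"report"), ("b.xlsx", b"sheet"), ("c.txt", b"notes")]:
        (root / name).write_bytes(data)
    before = inventory(str(root))
    for name in ("a.docx", "b.xlsx"):
        (root / name).write_bytes(b"")   # name and extension survive, content does not
    after = inventory(str(root))
    return find_wiped(before, after)     # returns ['a.docx', 'b.xlsx']

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would come from a scheduled inventory or backup catalogue, and the alert would feed an EDR or SIEM rule rather than a print statement.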

Trend Micro’s report also revealed that Anubis attempts to change system settings, shut down key processes, and even replace desktop backgrounds with ransom notes. To make matters worse, the attackers maintain a dark web “leak site” where stolen data is posted unless victims comply.

To defend against such attacks, experts recommend storing backups offline, enforcing multi-factor authentication, and conducting regular staff training to spot phishing.

Though it’s not tied to other malware with similar names (such as the Android trojan or FIN7 tools), Anubis signals a broader trend: ransomware groups are evolving, using fear and destruction to push victims into paying faster.

And with at least seven confirmed victims already, this new strain proves the stakes in cybercrime are only getting higher.