An emerging ransomware strain now incorporates capabilities to both encrypt files and permanently erase them, marking what researchers describe as a “rare dual-threat.”
Trend Micro researchers Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles explained in a report published last week that the ransomware features a “wipe mode,” which permanently erases files and renders recovery impossible, even after paying the ransom.
The ransomware-as-a-service (RaaS) operation, called Anubis, became active in December 2024. Since then, it has claimed victims in the healthcare, hospitality, and construction sectors across Australia, Canada, Peru, and the U.S. Early trial samples indicate that developers initially named the ransomware “Sphinx” before rebranding it as Anubis in the final version.
Importantly, this e-crime crew shares no connections with either the Android banking trojan or the Python-based backdoor bearing the same name. The latter belongs to the financially motivated FIN7 (also known as GrayAlpha) group.
Moreover, Anubis runs a flexible affiliate program, offering negotiable revenue splits and supporting additional monetization paths such as data extortion and access sales, according to Trend Micro.
The affiliate structure allocates 80% of the ransom payment to participating actors. In contrast, the ransomware’s data extortion and access monetization schemes offer a 60-40 and 50-50 split, respectively.
Typically, Anubis operators launch attack chains through phishing emails to gain initial access. They then escalate privileges, perform reconnaissance, and proceed to delete volume shadow copies before encrypting files. If needed, they also wipe the files.
As a result, the files shrink to 0 KB in size, although the attackers leave file names and extensions untouched. This tactic makes recovery impossible and, consequently, increases pressure on victims to comply with ransom demands.
The researchers emphasized that the ransomware leverages a wiper feature using the /WIPEMODE parameter, which enables it to permanently destroy file contents and block any recovery attempt.
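The wipe behaviour described above leaves a distinctive on-disk artifact: whole directories of documents truncated to zero bytes with their original names and extensions intact. The following detection heuristic is an added example, not code from Trend Micro or the article; it flags directories where nearly every content-bearing file is empty, which distinguishes mass truncation from the occasional legitimately empty file. The extension list, thresholds and the sample file listing are constructed assumptions.

```python
"""Heuristic detector for mass zero-byte truncation (wipe-mode artifact)."""
import os
import posixpath
from collections import defaultdict

# Assumed set of extensions that are rarely empty on a healthy file share.
CONTENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".zip", ".db"}


def snapshot(root):
    """Walk a real directory tree and yield (posix_path, size_in_bytes)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield full.replace(os.sep, "/"), os.path.getsize(full)


def zero_byte_stats(listing):
    """Per directory: [zero_byte_count, total_count] over CONTENT_EXTS only."""
    stats = defaultdict(lambda: [0, 0])
    for path, size in listing:
        if posixpath.splitext(path)[1].lower() not in CONTENT_EXTS:
            continue  # ignore .txt, .log etc., which are often empty anyway
        entry = stats[posixpath.dirname(path)]
        entry[1] += 1
        if size == 0:
            entry[0] += 1
    return stats


def flag_wiped_dirs(listing, min_files=5, ratio=0.8):
    """Directories with >= min_files content files of which >= ratio are
    0 bytes. A single empty draft does not trip this; a wiped folder does."""
    return sorted(d for d, (zero, total) in zero_byte_stats(listing).items()
                  if total >= min_files and zero / total >= ratio)


# Constructed sample listing: 'finance' wiped, 'hr' healthy.
SAMPLE = [
    ("/srv/share/finance/q1.xlsx", 0), ("/srv/share/finance/q2.xlsx", 0),
    ("/srv/share/finance/budget.pdf", 0), ("/srv/share/finance/memo.docx", 0),
    ("/srv/share/finance/chart.png", 0), ("/srv/share/finance/readme.txt", 120),
    ("/srv/share/hr/policy.pdf", 40000), ("/srv/share/hr/new.docx", 0),
    ("/srv/share/hr/org.xlsx", 9000), ("/srv/share/hr/photo.jpg", 50000),
    ("/srv/share/hr/archive.zip", 1000),
]

if __name__ == "__main__":
    print(flag_wiped_dirs(SAMPLE))  # ['/srv/share/finance']
```

On a live host, pass `snapshot("/srv/share")` instead of `SAMPLE`; comparing against a pre-incident file-integrity baseline gives a stronger signal than size alone.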
Its combined ability to encrypt and irreversibly wipe data drastically raises the stakes for victims, thus intensifying the coercive power behind the attack — a hallmark of more aggressive ransomware operations.
Meanwhile, the discovery of Anubis’ destructive tactics coincides with a report from Recorded Future that details new infrastructure tied to the FIN7 group. This infrastructure impersonates legitimate software products and services in campaigns that aim to distribute the NetSupport remote access trojan (RAT).
Over the past year, the Mastercard-owned threat intelligence firm observed three distinct distribution vectors: bogus browser update pages, fake 7-Zip download sites, and TAG-124 (also known as 404 TDS, Chaya_002, Kongtuke, and LandUpdate808), all used to deliver the malware.
The fake browser update pages load a custom loader known as MaskBat to deploy the RAT. In comparison, the other two vectors use a separate custom PowerShell loader called PowerNet to decompress and execute the malware.
Recorded Future’s Insikt Group noted that MaskBat shares similarities with FakeBat but includes obfuscation and strings linked to GrayAlpha. Although all three vectors operated concurrently, only the fake 7-Zip download sites remained active at the time of writing. The group continued to register new domains as recently as April 2025.
Source: TheHackerNews