
Anubis Ransomware Stresses Need for Advanced Data Backup

Anubis, an emerging ransomware-as-a-service offering wiper capabilities and an attractive profit-sharing scheme, emphasizes the need for advanced data backup. Look for these capabilities to ensure your organization protects itself from wiper-enabled ransomware.


 

The Anubis ransomware-as-a-service (RaaS) campaign combines a previously documented encryption payload and attractive profit splits with a high-stakes twist: a new module capable of wiping compromised files completely.

 

This irreversible data-wiping feature is activated via the /WIPEMODE command-line parameter. Rather than encrypting a file, it truncates the file's contents to zero bytes while leaving the file name and directory structure in place, so recovery is impossible even if a ransom is paid.


Anubis changes ransomware’s traditional strategic calculus, creating powerful incentives for motivated threat actors to deploy Anubis in pursuit of lucrative returns. By offering affiliates negotiable terms of 80 percent of profits from ransoms paid, paired with the threat of the total loss of sensitive data, compromised organizations feel pressure to swiftly pay a ransom for the return of stolen data.


Given the enhanced incentives for threat actors to deploy ransomware like Anubis, IT and security teams should prioritize deploying native immutability and logical air gap capabilities to counter Anubis's efforts to encrypt, wipe, or compromise backup data.

Anatomy of Anubis

 

The variant was first observed in December 2024 and has since been advertised on the popular ransomware forum RAMP by Russian-speaking threat actors. Anubis has a broad targeting scope, claiming victims across several critical sectors including healthcare, hospitality, construction, and engineering. Geographically, attacks have been observed in the U.S., Australia, Canada, and Peru.

 

Table 1: Anubis Ransomware Technical Capabilities Summary

Threat Capability Matrix

Capability Category | Specific Technique/Feature | Description/Details
Encryption | ECIES | Appends .anubis extension; similar to EvilByte and Prince ransomware.
Wiper | /WIPEMODE parameter | Erases files, leaving zero-byte shells; recovery impossible.
Initial access | Phishing emails | Malicious attachments and links (ZIP, RAR, macro docs).
Initial access | RDP exploits, Trojanized software | Brute-force attacks and fake updates.
Execution | Command-line scripting, PowerShell | Executes payload via command line and scheduled tasks.
Privilege escalation | Stolen tokens, admin checks | Elevates privileges using stolen tokens.
Persistence | Registry modification | Stores config in HKCU\Software\ with random names.
Persistence | Scheduled tasks | Maintains foothold and triggers execution.
Evasion | Multi-stage decryption, obfuscation | Uses AES, Base64, and obfuscation structures.
Evasion | Anti-forensic techniques | Checks environments; uses memory-based execution.
C2 communication | Custom obfuscation, failover | Encoded traffic, multiple server cycling.
Data exfiltration | Sensitive data theft | Exfiltrates data such as PII/PHI before encryption.
Extortion | Double extortion | Encrypts data and threatens public exposure.
Extortion | "Investigative articles" | Leaks analysis on Tor; threatens regulators/customers.
Monetization | Ransomware-as-a-Service | Affiliate models with flexible revenue shares.
Monetization | Data extortion & access sales | Ransom + access resale (60/50 split models).
Psychological impact | Desktop wallpaper, ransom notes | Changes wallpaper; drops HTML ransom notes with chat links.

Strategic intent

 

When Anubis's /WIPEMODE module is activated, files remain in their directories but are reduced to 0 KB, and no ransom payment can bring their contents back. Knowing that threat actors can reduce a victim's environment to this scorched-earth state with a single command significantly increases pressure on victims to pay before the wiper is fully activated.
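The 0 KB signature described above is also what makes a wipe detectable after the fact: file names and directory layout survive while sizes collapse. The following is an added example, not code from the original post or from Rubrik; it compares two inventories of a file tree and flags a mass truncation to zero bytes. The directory contents and the 20% alert threshold are constructed for the demonstration.

```python
"""Detect Anubis-style /WIPEMODE damage: files still present but truncated to 0 bytes.

Added example; the file tree, names and threshold are invented for the demo.
"""
import os
import tempfile
from pathlib import Path


def inventory(root):
    """Map every regular file under root (as a relative path) to its size in bytes."""
    root = Path(root)
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file():
                sizes[str(p.relative_to(root))] = p.stat().st_size
    return sizes


def find_truncated(baseline, current):
    """Return (wiped, missing).

    wiped: files that were non-empty in the baseline and are now exactly 0 bytes.
    missing: files that disappeared entirely (a deletion, not a wipe).
    A file that was already empty in the baseline is not suspicious.
    """
    wiped = sorted(p for p, size in current.items()
                   if size == 0 and baseline.get(p, 0) > 0)
    missing = sorted(p for p in baseline if p not in current)
    return wiped, missing


def wipe_ratio(baseline, current):
    """Fraction of previously non-empty files that are now zero bytes."""
    nonempty = [p for p, s in baseline.items() if s > 0]
    if not nonempty:
        return 0.0
    wiped, _ = find_truncated(baseline, current)
    return len(wiped) / len(nonempty)


def is_wipe_event(baseline, current, threshold=0.2):
    """Alert when a large share of the tree was zeroed between two scans.

    Ordinary editing empties a file here and there; a fifth of the tree going to
    0 bytes at once is a wiper. The 20% threshold is an assumption to tune per dataset.
    """
    return wipe_ratio(baseline, current) >= threshold


def demo():
    """Constructed scenario: baseline scan, simulated WIPEMODE, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        for i in range(5):
            (root / "finance" / f"ledger{i}.xlsx").write_bytes(b"x" * (1000 + i))
        (root / "readme.txt").write_text("hello")
        (root / "empty.log").write_bytes(b"")  # legitimately empty before the attack
        before = inventory(root)
        # Simulate the wiper: contents gone, names and directory layout intact.
        for i in range(5):
            (root / "finance" / f"ledger{i}.xlsx").write_bytes(b"")
        after = inventory(root)
        wiped, missing = find_truncated(before, after)
        return {"wiped": wiped, "missing": missing,
                "ratio": wipe_ratio(before, after),
                "alert": is_wipe_event(before, after)}


if __name__ == "__main__":
    print(demo())
```

Run against a backup snapshot rather than the live file system when possible: the baseline should come from the last known-good backup, and a positive result tells the recovery team which backup generation is the latest untainted one.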

 

While this tactic may at first seem to undermine the “carrot” traditionally dangled by ransomware actors—decryption keys that allow a victim to recover their data—wiper ransomware purveyors add pressure in other ways. They can threaten the public release of stolen data (opening up double-extortion opportunities). They also increase their appeal to hacktivists and other actors who prioritize sabotage and disruption over financial gain. 

 

Anubis therefore highlights the importance of considering broader business impact—reputational damage, regulatory fines, and potential supply chain disruption—over straightforward data recovery. To most effectively combat extortion, organizations must prioritize sensitive data discovery and exfiltration prevention as highly as, if not more than, malicious encryption prevention.


While wiper malware has historically been associated with cyberespionage or nation-state-sponsored attacks aimed at causing maximum disruption or sabotage, the Anubis RaaS model also offers flexible monetization models designed to appeal to a wider range of threat actors. For instance, negotiable revenue splits like an 80% share for affiliates in traditional ransomware deployment, 60% for data ransom operations, and 50% for initial access programs appeal to cybercriminals ranging from pure-play cybercrime cartels to more niche brokers.

Mitigation recommendations

 

Attackers understand that crippling an organization's ability to recover from backups significantly increases the odds of a ransom payout. A critical aspect of the Anubis group's methodology therefore involves directly targeting local recovery mechanisms such as Volume Shadow Copies (VSS) and conducting network reconnaissance to identify and compromise strategic files and connected backups, including critical data repositories such as databases, enterprise resource planning (ERP) systems, virtual machines, and RAID arrays.

Anubis actively maps backup environments to ensure recovery is as difficult as possible. This means traditional backup solutions relying on standard network protocols (e.g., NFS, SMB) or that are easily discoverable and writable from a compromised production environment are insufficient. The emphasis must shift to solutions that inherently isolate and protect backups from the compromised production network.
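Shadow-copy destruction is the loudest step in this pre-encryption routine, and it shows up in process-creation telemetry before any file is touched. The following is an added example, not code from the original post or from Rubrik: it runs a small set of rules for well-known recovery-tampering commands (MITRE ATT&CK T1490) over constructed Sysmon-style events. Hosts, users and command lines are invented; the rule set is a starting point, not a complete catalogue.

```python
"""Flag shadow-copy and recovery-tampering commands in process-creation telemetry.

Added example; the events below are constructed to resemble Sysmon Event ID 1 /
Windows 4688 records and every host, user and path in them is invented.
"""
import json
import re
from collections import defaultdict

# Well-known commands used to destroy local recovery points (MITRE ATT&CK T1490).
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("PowerShell Win32_ShadowCopy delete",
     re.compile(r"Win32_ShadowCopy.*(?:Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I)),
    ("wbadmin delete backups",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Constructed sample: one benign query, one benign backup-agent snapshot, and a
# burst of four destructive commands on a single file server.
SAMPLE_EVENTS = r"""
{"Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\vssadmin.exe\" list shadows"}
{"Computer": "SRV-FILE01", "User": "CORP\\svc_backup", "ProcessId": 5532, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"Computer": "SRV-FILE01", "User": "CORP\\svc_backup", "ProcessId": 5540, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic shadowcopy delete"}
{"Computer": "SRV-FILE01", "User": "CORP\\svc_backup", "ProcessId": 5551, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"}
{"Computer": "SRV-FILE01", "User": "CORP\\svc_backup", "ProcessId": 5563, "ParentImage": "C:\\Users\\Public\\update.exe", "CommandLine": "powershell.exe -nop -w hidden -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\""}
{"Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 712, "ParentImage": "C:\\Program Files\\BackupAgent\\agent.exe", "CommandLine": "vssadmin create shadow /for=C:"}
"""


def load_events(text):
    """Parse newline-delimited JSON events."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(command_line):
    """Names of every rule that matches this command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(events):
    """Return one hit per event whose command line matches at least one rule."""
    hits = []
    for ev in events:
        matched = classify(ev.get("CommandLine", ""))
        if matched:
            hits.append({"host": ev["Computer"], "user": ev["User"], "pid": ev["ProcessId"],
                         "parent": ev["ParentImage"], "rules": matched, "cmd": ev["CommandLine"]})
    return hits


def escalate(hits, min_techniques=2):
    """Hosts on which several distinct tampering techniques fired.

    A single vssadmin call can be an administrator's mistake; several different
    tools in a row is the pre-encryption routine and deserves an immediate response.
    """
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].update(h["rules"])
    return {host: sorted(rules) for host, rules in per_host.items()
            if len(rules) >= min_techniques}


if __name__ == "__main__":
    found = scan(load_events(SAMPLE_EVENTS))
    for h in found:
        print(h["host"], h["user"], h["rules"], h["cmd"])
    print("escalate:", escalate(found))
```

The parent image is kept in each hit on purpose: a legitimate backup agent creating or listing shadows has a known parent, while cmd.exe or an executable in a user-writable directory spawning vssadmin is the pattern worth paging on.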

 

Effective, modern backup and recovery capabilities require:

 

  • Native immutability: A "write once, read many" (WORM) model guarantees that a clean, unaltered copy of data is always available for recovery. Unlike general-purpose storage that exposes data for modification over standard protocols such as NFS or SMB, WORM storage cannot be overwritten or deleted in place, preserving data integrity.

  • Logical air gap: A purpose-built file system that never exposes backup data via open protocols to the production network provides the best defense against wiping. With this approach, data is not discoverable or accessible over the network by attackers, effectively isolating it from the compromised production environment and reducing the possible attack surface.

  • Zero-trust cluster design: Adherence to zero trust principles further reinforces immutability and the logical air gap by minimizing the attack surface at the operating system level through a minimalist JeOS (Just enough Operating System) Linux distribution. Certificate-based signing continuously validates backup services, ensuring that neither the software nor its identities have been compromised.

  • Proactive detection and resilient recovery options: For optimal business resilience against threats like Anubis, organizations should insist on capabilities like fast, granular, and mass recovery options; orchestrated recovery for virtual machines; and even VSS backup snapshots.

  • Insider threat protection: Even with strong controls like MFA and role-based access control (RBAC), the risk of privileged insider threats or compromised administrative credentials remains a concern. Gartner has warned that, if immutability is not engineered correctly, attackers with compromised credentials could gain access and manipulate retention settings. Retention lock functionality prevents the premature deletion or modification of snapshots and backup data for a specified duration, protecting against actions like factory resets, SLA modification, and snapshot deletion. Additional practices like quorum authentication require multiple approvals before certain data-modifying or critical system actions can be performed, reducing the damage a single bad actor can cause.
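The retention lock and quorum authentication items above are policy rules, and the edge cases are where they earn their keep: a lock that an administrator can shorten is not a lock, and a quorum that the requester can fill with their own approvals is not a quorum. The following is an added example, not Rubrik's product code or API: a small control-plane model enforcing both rules. Identities, timestamps and the two-approver quorum are invented for the demonstration.

```python
"""Retention lock and quorum authentication for a backup control plane.

Added example (not Rubrik's product code). All identities, timestamps and
thresholds are invented for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class PolicyError(Exception):
    """Raised when a request violates retention-lock or quorum policy."""


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    taken_at: datetime
    locked_until: datetime  # not deletable, even by an administrator, before this time


@dataclass
class BackupControlPlane:
    approvers: frozenset  # identities eligible to approve destructive actions
    quorum: int           # distinct approvals required for such actions
    snapshots: dict = field(default_factory=dict)

    def take_snapshot(self, snapshot_id, now, retention_days):
        snap = Snapshot(snapshot_id, now, now + timedelta(days=retention_days))
        self.snapshots[snapshot_id] = snap
        return snap

    def delete_snapshot(self, snapshot_id, now, requester):
        """Deletion is refused while the lock is in force, no matter who asks."""
        snap = self.snapshots[snapshot_id]
        if now < snap.locked_until:
            raise PolicyError(f"{snapshot_id} is retention-locked until "
                              f"{snap.locked_until.isoformat()}; denied for {requester}")
        del self.snapshots[snapshot_id]
        return True

    def set_retention(self, snapshot_id, new_until):
        """The lock is monotonic: it can be extended but never shortened."""
        snap = self.snapshots[snapshot_id]
        if new_until <= snap.locked_until:
            raise PolicyError("retention lock can only be extended, not shortened")
        self.snapshots[snapshot_id] = Snapshot(snap.snapshot_id, snap.taken_at, new_until)
        return self.snapshots[snapshot_id]

    def authorize_destructive(self, action, requester, approvals):
        """Quorum check for factory reset, SLA changes and similar actions.

        Only distinct identities from the approver set count, and the requester
        may not approve their own request, so one stolen admin credential cannot
        satisfy the quorum on its own.
        """
        valid = {a for a in approvals if a in self.approvers and a != requester}
        if len(valid) < self.quorum:
            raise PolicyError(f"{action}: {len(valid)} valid approvals, "
                              f"{self.quorum} required")
        return True


def demo():
    """Constructed scenario: a stolen admin credential tries each destructive path."""
    cp = BackupControlPlane(approvers=frozenset({"alice", "bob", "carol"}), quorum=2)
    t0 = datetime(2025, 6, 1, tzinfo=timezone.utc)
    cp.take_snapshot("snap-001", t0, retention_days=30)
    results = {}
    try:  # 1. delete a locked snapshot on day 3
        cp.delete_snapshot("snap-001", t0 + timedelta(days=3), requester="admin")
    except PolicyError as e:
        results["early_delete"] = str(e)
    try:  # 2. shorten the lock so the deletion would go through
        cp.set_retention("snap-001", t0 + timedelta(days=1))
    except PolicyError as e:
        results["shorten_lock"] = str(e)
    try:  # 3. factory reset "approved" by the requester, a duplicate and an outsider
        cp.authorize_destructive("factory_reset", "alice", ["alice", "alice", "mallory"])
    except PolicyError as e:
        results["reset_denied"] = str(e)
    # 4. a real quorum of two other approvers succeeds
    results["reset_allowed"] = cp.authorize_destructive("factory_reset", "alice", ["bob", "carol"])
    # 5. once the lock expires, routine deletion is permitted again
    results["late_delete"] = cp.delete_snapshot("snap-001", t0 + timedelta(days=31), requester="admin")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that the time check and the approver check are enforced by the control plane, not by the caller's role: an attacker holding the most privileged credential still cannot delete a locked snapshot early, shorten the lock, or approve their own reset.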

Table 2: Anubis Backup Targeting Tactics vs. Available Protection Mechanisms

Anubis Backup Targeting Tactic | Protection Method | Technical Explanation of Protection
Deletion of Volume Shadow Copies (VSS) | Immutable backups | VSS deletion on the production system should not affect separate, immutable snapshots stored in a proprietary file system.
Compromising connected/online backups | Logical air gap & zero trust architecture | Purpose-built file systems should never expose backup data via open protocols, preventing network discovery and direct access by malware; operations require authenticated APIs.
Disabling backup services | Secure-by-design architecture & least privilege access | Backup systems should be separated from production environments, run a minimalist OS, and be protected by strong access controls (MFA, RBAC), making them resilient to external service termination attempts.
Data wiping (0 KB files) | Immutable backups & anomaly detection | Even if production files are wiped, backups must remain immutable, clean copies; anomaly detection should identify wiping activity so the latest untainted backup can be restored.

 

In safeguarding against ransomware with data-wiping capabilities, IT and security teams should also:

 

  • Conduct regular employee phishing training: including drilling on the ability to spot highly targeted spear phishing tactics. The Anubis operation uses highly customized lures, often featuring malicious links and attachments, that appear to come from trusted sources, according to Trend Micro researchers who have studied the group.

  • Implement strict identity and access management: Enforce multi-factor authentication (MFA) for all critical systems, particularly for access to backup infrastructure, and rigorously adhere to least privilege best practices like role-based access control (RBAC). Consider privileged access management (PAM) solutions to manage and secure highly privileged accounts.

  • Actively maintain a cyber recovery playbook: A thorough business continuity and disaster recovery plan should clearly lay out roles and responsibilities of those involved, the data and applications necessary for maintaining a minimum viable business, and be supported by regular drilling via realistic cybersecurity crisis simulations.

     

In short, native immutability and logical air gap capabilities counter Anubis's efforts to encrypt, wipe, or compromise backup data, ensuring clean data sets remain available for recovery. These are critical for informed recovery decisions in wiper scenarios where understanding the scope of damage is paramount to preventing business disruption.


