Ransomware is evolving at an alarming pace, both in terms of tactics and technology. Just a few years ago, attacks followed a relatively simple routine: cybercriminals would encrypt data and demand a ransom. This left the victims with a choice of whether to pay for the decryption key or try to battle on without their lost data.
Modern ransomware groups have switched from single extortion approaches to a multi-extortion model. This means combining encryption with data exfiltration. If a target refuses to pay a ransom under this strategy, the hackers leverage the stolen data by threatening to leak it.
Now, there is a new risk for organisations to contend with.
What is Anubis ransomware?
Anubis is a Ransomware-as-a-Service (RaaS) operation that emerged in December 2024. In just six months, it has already claimed a string of victims around the world, ranging from healthcare and education organisations to hospitality and construction firms.
Anubis utilises a dual-threat attack model:
- File encryption: Using strong asymmetric encryption, Anubis appends a .anubis extension to targeted files, rendering them inaccessible without the decryption key.
- Wipe mode: A rarer and more destructive feature known as ‘wipe mode’ reduces files to zero bytes while preserving their names in directory listings. Activated via the /WIPEMODE command-line parameter, this feature ensures that even if a ransom is paid, data recovery is impossible.
This lethal combination of functionalities raises the stakes for victims. As well as dealing with encrypted files, businesses also face the prospect of irrevocable data loss.
How does an Anubis ransomware attack unfold?
Anubis infections typically follow a familiar ransomware kill chain, but with dangerous refinements:
- Initial access: Operators often deploy spear-phishing emails containing malicious attachments or links to download Anubis payloads.
- Privilege escalation & reconnaissance: Once inside, the malware escalates privileges, disables key Windows services (including Volume Shadow Copy), and maps network shares to maximise data disruption.
- Deployment of dual payload: The ransomware module encrypts files first. If the affiliate chooses, the wipe module can then obliterate file contents across the environment.
- Extortion & negotiation: Affiliates present a ransom note threatening both public data leakage and permanent destruction, leveraging the fear that victims cannot recover by any means if they refuse to pay.
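The privilege-escalation and reconnaissance stage above is the point where a defender still has time to act: deleting Volume Shadow Copies, disabling the VSS service and mapping shares all show up in process-creation telemetry before any file is touched. The following is an added example, not Redstor's code and not an Anubis sample, that scores constructed process-creation records (shaped like Sysmon Event ID 1 or Windows 4688 entries; host names, users and command lines are made up) against three detection rules and correlates them per host.

```python
"""Detect the recovery-inhibition and reconnaissance stage of an Anubis-style
intrusion from process-creation telemetry.

Added example (not Redstor's code). SAMPLE_EVENTS are constructed to resemble
Sysmon Event ID 1 / Windows 4688 records; they are not real captures.
"""
import re
from collections import defaultdict

# Rule name -> (regex over the lowercased command line, severity).
# The first two cover the Volume Shadow Copy tampering the page describes
# (MITRE ATT&CK T1490, Inhibit System Recovery); the third covers share
# enumeration/mapping, which is common admin behaviour on its own.
RULES = {
    "shadow_copy_deletion": (
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                   r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                   r"|win32_shadowcopy.*\bdelete\b"),
        "critical"),
    "vss_service_tampering": (
        re.compile(r"\b(sc|net)(\.exe)?\s+(stop|config)\s+vss\b"),
        "high"),
    "share_enumeration": (
        re.compile(r"\bnet(\.exe)?\s+(view|share|use)\b"),
        "medium"),
}


def classify_event(event):
    """Return the names of every rule the event's command line matches."""
    cmd = event["command_line"].lower()
    return [name for name, (pattern, _sev) in RULES.items() if pattern.search(cmd)]


def analyse(events):
    """Correlate rule hits per host and assign a verdict.

    critical_correlated: recovery inhibition on a host that also enumerated
                         or mapped shares (the page's reconnaissance stage)
    critical:            recovery inhibition alone
    informational:       share activity only
    """
    hits_by_host = defaultdict(set)
    for event in events:
        for name in classify_event(event):
            hits_by_host[event["host"]].add(name)

    verdicts = {}
    for host, hits in hits_by_host.items():
        inhibit = hits & {"shadow_copy_deletion", "vss_service_tampering"}
        recon = "share_enumeration" in hits
        if inhibit and recon:
            verdict = "critical_correlated"
        elif inhibit:
            verdict = "critical"
        else:
            verdict = "informational"
        verdicts[host] = {"rules": sorted(hits), "verdict": verdict}
    return verdicts


# Constructed sample telemetry (hosts, users and command lines are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "command_line": r"net.exe view \\FS01"},
    {"host": "WS01", "user": "CORP\\jdoe", "command_line": r"net use Z: \\FS01\finance"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": "sc config vss start= disabled"},
    {"host": "WS02", "user": "CORP\\asmith", "command_line": r"net use H: \\FS01\home\asmith"},
    {"host": "WS02", "user": "CORP\\asmith", "command_line": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for host, result in analyse(SAMPLE_EVENTS).items():
        print(host, result["verdict"], result["rules"])
```

WS02 only mapped a home drive and stays informational; WS01 mapped a finance share and then deleted shadow copies and disabled VSS, so it is escalated. The correlation step is what keeps the share rule from paging on every ordinary login script.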
Why traditional backups aren’t enough
Conventional backup strategies often depend on on-site storage or snapshots stored within the same network perimeter. With Anubis, these can be compromised or wiped along with the rest of your data. Once Anubis gains administrative privileges, it can traverse backup repositories, delete Volume Shadow Copies, and corrupt local snapshots.
This threat underscores the urgent need for off-site, immutable backups that remain beyond the reach of ransomware actors.
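Two properties make a backup useful against the attack described above: no version can be altered or deleted inside its retention window, regardless of the caller's privileges, and a restore can pick the last version captured before the attack rather than the newest one. The following added example, not Redstor's code, models both in a small versioned store. The timeline in run_scenario() (timestamps, file contents, the actor name) is constructed; a real off-site service would additionally hold this store outside the customer's network perimeter.

```python
"""Versioned, retention-locked backup store with point-in-time restore.

Added example, not Redstor's code. Timestamps, file contents and the actor
name in run_scenario() are constructed.
"""
import hashlib
from dataclasses import dataclass


class ImmutableStoreError(Exception):
    """Raised when a caller tries to change or remove a retained version."""


@dataclass(frozen=True)
class Version:
    path: str
    captured_at: int      # seconds since the epoch
    content: bytes
    digest: str           # SHA-256 of content, re-checked on restore


class ImmutableBackupStore:
    def __init__(self, retention_seconds):
        self.retention = retention_seconds
        self._versions = {}   # path -> list of Version, append-only

    def capture(self, path, content, now):
        """Record a new version. Earlier versions are never overwritten, so an
        encrypted or zero-byte copy is added beside the clean one, not over it."""
        version = Version(path, now, bytes(content),
                          hashlib.sha256(content).hexdigest())
        self._versions.setdefault(path, []).append(version)
        return version.digest

    def delete_version(self, path, captured_at, now, actor):
        """Remove a version only once its retention window has expired.
        The actor is recorded for the audit trail but grants no bypass."""
        for version in self._versions.get(path, []):
            if version.captured_at == captured_at:
                if now - version.captured_at < self.retention:
                    raise ImmutableStoreError(
                        f"{actor}: {path}@{captured_at} is retained until "
                        f"{version.captured_at + self.retention}")
                self._versions[path].remove(version)
                return True
        return False

    def restore(self, path, point_in_time):
        """Return the newest version captured at or before point_in_time,
        verifying its digest, or None if nothing had been captured by then."""
        candidates = [v for v in self._versions.get(path, [])
                      if v.captured_at <= point_in_time]
        if not candidates:
            return None
        version = max(candidates, key=lambda v: v.captured_at)
        if hashlib.sha256(version.content).hexdigest() != version.digest:
            raise ImmutableStoreError(f"digest mismatch for {path}@{version.captured_at}")
        return version.content


def run_scenario():
    """Constructed timeline: two clean captures, then encryption and wipe,
    then a privileged deletion attempt, then a point-in-time restore."""
    path = "finance/ledger.xlsx"
    store = ImmutableBackupStore(retention_seconds=30 * 86400)
    t0 = 1_700_000_000
    store.capture(path, b"Q1 figures (clean)", t0)
    store.capture(path, b"Q1 figures, revised (clean)", t0 + 3600)
    t_attack = t0 + 7200
    store.capture(path, b"\x8f\x2a\x11 ciphertext", t_attack)   # encrypted copy gets captured too
    store.capture(path, b"", t_attack + 60)                     # wipe mode: zero bytes, same name

    # Even with SYSTEM-level privileges, the clean versions cannot be removed.
    blocked = 0
    for captured_at in (t0, t0 + 3600):
        try:
            store.delete_version(path, captured_at, now=t_attack + 120,
                                 actor="NT AUTHORITY\\SYSTEM")
        except ImmutableStoreError:
            blocked += 1

    return {
        "blocked_deletions": blocked,
        "latest": store.restore(path, t_attack + 60),        # a naive "restore latest" gives the wiped file
        "pre_attack": store.restore(path, t_attack - 1),     # the last clean version
        "store": store, "path": path, "t0": t0,
    }


if __name__ == "__main__":
    result = run_scenario()
    print("deletions blocked:", result["blocked_deletions"])
    print("latest version:", result["latest"])
    print("pre-attack version:", result["pre_attack"])
```

The scenario also shows why continuous capture alone is not enough: the store dutifully records the encrypted and the zero-byte versions, so the restore must be driven by a point in time chosen from the incident timeline, not by "most recent".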
Best practices to fortify defences
Ransomware has evolved from a blunt, disruptive tool into a highly coordinated and adaptive threat. To keep up, organisations should adopt a multi-layered security posture:
- Network segmentation: Restrict lateral movement by segregating critical systems and backup repositories.
- Least privilege access: Limit administrative rights to only those users and systems that require them.
- Multi-factor authentication (MFA): Enforce phishing-resistant MFA across all remote and privileged accounts.
- Regular security training: Educate employees on identifying and reporting phishing attempts.
- Penetration testing: Continuously evaluate resilience against emerging ransomware techniques.
How Redstor helps stop Anubis
Redstor’s data management platform is designed to counter modern ransomware threats like Anubis. Here’s how:
Immutable, off-site backups
- Backups are stored in a secure, geographically redundant cloud environment, isolated from customer networks.
- Immutable retention policies guarantee that backed-up data cannot be altered or deleted for the duration of the retention window.
Continuous data protection
- Redstor captures file changes in near real-time, ensuring minimal data loss.
- Should Anubis strike, organisations can restore to a point in time prior to the attack, sidestepping encrypted or wiped versions.
Rapid recovery & granular restoration
- With InstantData™, users can stream individual files or entire systems in seconds, significantly reducing downtime and maintaining business continuity.
- Backup copies can be recovered as virtual machines to maintain critical operations during remediation.
Malware detection
- Redstor detects anomalous file access patterns, such as mass encryption or deletion, and triggers proactive alerts.
- Early detection allows users to isolate infected endpoints before the wipe module is deployed.
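The two file-system signatures described under "What is Anubis ransomware?" (many files renamed with a .anubis extension, then files cut to zero bytes with their names preserved) are exactly the mass encryption and deletion patterns this section says should raise an alert. The following added example, not Redstor's product logic, runs a per-process sliding-window detector over constructed file-activity records. It generalises beyond the .anubis case: any extension applied to many files by one process in a short window fires, as does any process truncating many files to zero bytes. The process name, paths and sizes in SAMPLE_EVENTS are made up.

```python
"""Flag mass renames converging on one new extension (encryption) and mass
truncation of files to zero bytes with the name preserved (wipe mode).

Added example, not Redstor's code. SAMPLE_EVENTS are constructed to resemble
file-activity records; the process name and paths are made up.
"""
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 60
RENAME_THRESHOLD = 5      # distinct files renamed to the same new extension
TRUNCATE_THRESHOLD = 5    # distinct files cut from >0 to 0 bytes


def _signal(event):
    """Map one raw event to a (kind, extension) signal, or None if benign."""
    if event["op"] == "rename":
        old_ext = os.path.splitext(event["path"])[1].lower()
        new_ext = os.path.splitext(event["new_path"])[1].lower()
        if new_ext and new_ext != old_ext:
            return ("mass_rename", new_ext)
    elif event["op"] == "write":
        if event["size_before"] > 0 and event["size_after"] == 0:
            return ("mass_truncate_to_zero", None)
    return None


def detect(events):
    """Sliding-window count of distinct files per (host, process) and signal;
    each pattern fires once per process when it crosses its threshold."""
    alerts = []
    windows = defaultdict(deque)   # (host, process) -> deque of (ts, signal, path)
    fired = set()
    for event in sorted(events, key=lambda e: e["ts"]):
        signal = _signal(event)
        if signal is None:
            continue
        key = (event["host"], event["process"])
        window = windows[key]
        window.append((event["ts"], signal, event["path"]))
        while event["ts"] - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        files = defaultdict(set)
        for _ts, sig, path in window:
            files[sig].add(path)
        for (kind, ext), paths in files.items():
            threshold = RENAME_THRESHOLD if kind == "mass_rename" else TRUNCATE_THRESHOLD
            if len(paths) >= threshold and (key, kind, ext) not in fired:
                fired.add((key, kind, ext))
                alerts.append({"host": key[0], "process": key[1], "pattern": kind,
                               "extension": ext, "files": len(paths), "at": event["ts"]})
    return alerts


def _doc(folder, i):
    return f"\\\\FS01\\{folder}\\report_{i}.xlsx"


# Constructed sample telemetry.
SAMPLE_EVENTS = (
    # encryption stage: six documents renamed to .anubis within a few seconds
    [{"ts": 100 + i, "host": "FS01", "process": "svc_update.exe", "op": "rename",
      "path": _doc("finance", i), "new_path": _doc("finance", i) + ".anubis"} for i in range(6)]
    # benign: a user saving a temp file under its final name
    + [{"ts": 101, "host": "FS01", "process": "explorer.exe", "op": "rename",
        "path": r"\\FS01\finance\~tmp1.tmp", "new_path": r"\\FS01\finance\budget.docx"}]
    # wipe stage: six files in another folder cut to zero bytes, names unchanged
    + [{"ts": 200 + i, "host": "FS01", "process": "svc_update.exe", "op": "write",
        "path": _doc("hr", i), "size_before": 40960, "size_after": 0} for i in range(6)]
    # benign: log rotation truncating a single file
    + [{"ts": 203, "host": "FS01", "process": "logrotate.exe", "op": "write",
        "path": r"\\FS01\logs\app.log", "size_before": 10_000_000, "size_after": 0}]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct files rather than raw events keeps a process that rewrites one file repeatedly from tripping the wipe rule, and the single-extension grouping means the rename rule would fire for any ransomware family's suffix, not only .anubis. The thresholds and window are starting points to tune against a share's normal churn.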
Compliance & audit reporting
- Detailed audit logs and compliance reports help organisations demonstrate adherence to industry regulations and internal policies.
- In the event of an incident, clear forensic trails support both remediation efforts and any necessary regulatory notifications.
Step up your cyber resilience
Anubis represents a significant escalation in the sophistication of ransomware. Because it combines encryption with irreversible data wiping, victims face the unenviable choice of paying a ransom and hoping for the best or suffering permanent data loss.
Redstor’s backup and recovery solutions step up where traditional backups fall short. Partner with Redstor today to ensure your data remains safe, recoverable, and beyond the reach of cybercriminals.