Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper

Medium
Published: Fri Jun 13 2025 (06/13/2025, 14:04:22 UTC)
Source: AlienVault OTX General

Description

Anubis is a new ransomware-as-a-service (RaaS) group that combines file encryption with file destruction capabilities. Active since December 2024, it features a 'wipe mode' that permanently erases files, making recovery impossible even if ransom is paid. The group operates a flexible affiliate program, offering negotiable revenue splits and supporting additional monetization paths like data extortion and access sales. Anubis has claimed victims in multiple sectors including healthcare and construction, across regions such as Australia, Canada, Peru, and the U.S. The ransomware uses spear-phishing for initial access, employs command-line execution, privilege escalation, and shadow copy deletion. Its encryption algorithm is similar to EvilByte/Prince ransomware, using Elliptic Curve Integrated Encryption Scheme (ECIES).

AI-Powered Analysis

Last updated: 06/13/2025, 20:34:41 UTC

Technical Analysis

Anubis is a recently identified ransomware-as-a-service (RaaS) campaign active since December 2024. It distinguishes itself by combining traditional ransomware encryption with a destructive 'wipe mode' that irreversibly deletes files, preventing recovery even if victims pay the ransom. The ransomware employs spear-phishing emails as the primary initial access vector, targeting users with tailored messages to deliver malicious payloads. Once inside a system, Anubis executes commands via command-line interfaces, escalates privileges to gain higher system control, and deletes shadow copies to hinder recovery efforts. Its encryption mechanism uses the Elliptic Curve Integrated Encryption Scheme (ECIES), similar to the EvilByte/Prince ransomware family, providing strong cryptographic protection of victim files. The group operates a flexible affiliate program with negotiable revenue splits and supports multiple monetization strategies, including data extortion and selling access to compromised networks. Anubis has targeted multiple sectors such as healthcare and construction, with known victims primarily in Australia, Canada, Peru, and the United States. The ransomware’s tactics, techniques, and procedures (TTPs) include spear-phishing (T1566), command-line execution (T1059), privilege escalation (T1134.002), shadow copy deletion (T1490), and file encryption (T1486), reflecting a sophisticated and multi-faceted attack chain designed to maximize impact and complicate remediation.

Potential Impact

For European organizations, the emergence of Anubis presents a significant threat, particularly to critical sectors like healthcare and construction, which are vital to national infrastructure and economic stability. The ransomware’s dual capability to encrypt and irreversibly wipe files increases the risk of permanent data loss, potentially causing prolonged operational downtime, loss of sensitive information, and severe financial damage. The deletion of shadow copies further complicates recovery efforts, potentially forcing organizations to rely on offline backups. The flexible affiliate model and additional monetization paths suggest that the ransomware could rapidly expand its reach, increasing the likelihood of attacks within Europe. Given the use of spear-phishing, organizations with large user bases or less mature email security controls are at heightened risk. The impact on confidentiality, integrity, and availability is substantial, as data destruction and encryption can lead to loss of trust, regulatory penalties (especially under GDPR), and disruption of essential services. The healthcare sector is particularly vulnerable due to the critical nature of patient data and services, where downtime can directly affect patient safety.

Mitigation Recommendations

European organizations should implement targeted measures beyond standard ransomware defenses. First, enhance spear-phishing detection by deploying advanced email filtering solutions that incorporate machine learning to identify and quarantine suspicious messages, and conduct regular, scenario-based phishing awareness training tailored to evolving tactics. Second, implement strict privilege management policies, including the use of least privilege principles and regular audits of administrative accounts to prevent privilege escalation. Third, ensure robust and isolated backup strategies that include immutable backups and offline copies to mitigate the impact of shadow copy deletion and wiping. Fourth, deploy endpoint detection and response (EDR) tools capable of detecting command-line abuse and unusual process behaviors indicative of ransomware execution. Fifth, apply network segmentation to limit lateral movement and restrict access to critical systems. Finally, establish incident response plans that specifically address ransomware with wiping capabilities, including rapid containment and forensic analysis procedures.
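The EDR and backup recommendations above depend on catching the shadow copy deletion step (T1490) before encryption and wiping begin. As an added illustration that is not part of the original report, the following Python scans constructed process-creation records for shadow copy deletion command lines and leaves the benign listing case unflagged; the record format, host names, user names and rule names are assumptions.

```python
import re
from typing import Dict, List

# Case-insensitive command-line patterns for shadow copy deletion (ATT&CK T1490),
# the recovery-inhibition step the Anubis write-up describes.
SHADOW_COPY_RULES: Dict[str, re.Pattern] = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "powershell_shadowcopy_delete": re.compile(r"win32_shadowcopy\b.*\b(?:delete|remove)\b", re.I),
}

# Constructed sample records (not real Anubis telemetry), pipe-delimited like a
# flattened Windows process-creation event: timestamp|event_id|host|user|image|command_line
SAMPLE_EVENTS = [
    "2025-06-13T14:04:22Z|4688|WS-0042|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe"
    "|vssadmin.exe delete shadows /all /quiet",
    "2025-06-13T14:04:23Z|4688|WS-0042|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|wmic shadowcopy delete",
    "2025-06-13T14:04:25Z|4688|WS-0042|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe"
    "|vssadmin.exe list shadows",
    "2025-06-13T14:05:01Z|4688|SRV-BACKUP|CORP\\svc_backup|C:\\Windows\\System32\\powershell.exe"
    "|powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"",
    "2025-06-13T14:05:30Z|4688|WS-0042|CORP\\jdoe|C:\\Windows\\notepad.exe|notepad.exe report.txt",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one record into named fields. A command line may itself contain '|'
    (the PowerShell pipeline above), so only the first five separators delimit fields."""
    ts, event_id, host, user, image, cmdline = line.split("|", 5)
    return {"timestamp": ts, "event_id": event_id, "host": host,
            "user": user, "image": image, "command_line": cmdline}

def match_rules(event: Dict[str, str]) -> List[str]:
    """Names of all rules whose pattern hits the event's command line."""
    cmd = event["command_line"]
    return [name for name, rx in SHADOW_COPY_RULES.items() if rx.search(cmd)]

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per record that shows shadow copy deletion activity;
    merely listing shadows (a routine admin task) produces no alert."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        hits = match_rules(event)
        if hits:
            alerts.append({"timestamp": event["timestamp"], "host": event["host"], "user": event["user"],
                           "technique": "T1490", "rules": ",".join(hits), "command_line": event["command_line"]})
    return alerts
```

Calling scan(SAMPLE_EVENTS) yields three alerts (the vssadmin, wmic and PowerShell deletions) and none for the listing or notepad records.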


Technical Details

Author
AlienVault
Tlp
white
References
https://www.trendmicro.com/en_us/research/25/f/anubis-a-closer-look-at-an-emerging-ransomware.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/f/anubis--a-closer-look-at-an-emerging-ransomware-with-built-in-wiper/Anubis_A_Closer_Look_at_a_Emerging_Ransomware_with_Built-in_Wiper_IOCs.txt
Adversary
Anubis
Pulse Id
684c2fe6967baf56de752b66
Threat Score
null

Indicators of Compromise

Hash

Value: 98a76aacbaa0401bac7738ff966d8e1b0fe2d8599a266b111fdc932ce385c8ed
Description: (none provided)

Threat ID: 684c87cca8c921274380e914

Added to database: 6/13/2025, 8:19:24 PM

Last enriched: 6/13/2025, 8:34:41 PM

Last updated: 6/16/2025, 3:52:55 AM
