An emerging ransomware strain has been discovered incorporating capabilities to encrypt files as well as permanently erase them, a development that has been described as a “rare dual-threat.”
“The ransomware features a ‘wipe mode,’ which permanently erases files, rendering recovery impossible even if the ransom is paid,” Trend Micro researchers Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles said in a report published last week.
The ransomware-as-a-service (RaaS) operation in question is named Anubis, which became active in December 2024, claiming victims across healthcare, hospitality, and construction sectors in Australia, Canada, Peru, and the U.S. Analysis of early, trial samples of the ransomware suggests that the developers initially named it Sphinx, before tweaking the brand name in the final version.
It’s worth noting that the e-crime crew has no ties to an Android banking trojan and a Python-based backdoor of the same name, the latter of which is attributed to the financially-motivated FIN7 (aka GrayAlpha) group.
“Anubis runs a flexible affiliate program, offering negotiable revenue splits and supporting additional monetization paths like data extortion and access sales,” the cybersecurity company said.
The affiliate program follows an 80-20 split, allowing affiliate actors to take 80% of the ransom paid. On the other hand, data extortion and access monetization schemes offer a 60-40 and 50-50 split, respectively.
Attack chains mounted by Anubis involve the use of phishing emails as the initial access vector, with the threat actors leveraging the foothold to escalate privileges, conduct reconnaissance, and take steps to delete volume shadow copies, before encrypting files and, if necessary, wipe their contents.
This means that the file sizes are reduced to 0 KB while leaving the file names or their extensions untouched, making recovery impossible and, therefore, exerting more pressure on victims to pay up.
“The ransomware includes a wiper feature using /WIPEMODE parameter, which can permanently delete the contents of a file, preventing any recovery attempt,” the researchers said.
“Its ability to both encrypt and permanently destroy data significantly raises the stakes for victims, amplifying the pressure to comply — just as strong ransomware operations aim to do.”
The discovery of Anubis’ destructive behavior comes as Recorded Future detailed new infrastructure associated with the FIN7 group that’s being used to impersonate legitimate software products and services as part of a campaign designed to deliver NetSupport RAT.
The Mastercard-owned threat intelligence firm said it identified three unique distribution vectors over the past year that have employed bogus browser update pages, fake 7-Zip download sites, and TAG-124 (aka 404 TDS, Chaya_002, Kongtuke, and LandUpdate808) to deliver the malware.
While the fake browser update method loads a custom loader dubbed MaskBat to execute the remote access trojan, the remaining two infection vectors employ another custom PowerShell loader dubbed PowerNet that decompresses and executes it.
“[MaskBat] has similarities to FakeBat but is obfuscated and contains strings linked to GrayAlpha,” Recorded Future’s Insikt Group said. “Although all three infection vectors were observed being used simultaneously, only the fake 7-Zip download pages were still active at the time of writing, with newly registered domains appearing as recently as April 2025.”
