Anubis ransomware attacks

Ransomware activity has surged, with Bitsight’s State of the Underground 2025 study reporting a 53% increase in ransomware group-operated leak sites and a 25% rise in unique victims in 2024. Among the emerging threats is Anubis ransomware, first detected in November 2024 and potentially linked to Russian-speaking actors.

Anubis operates on both Android and Windows platforms, utilizing a ransomware-as-a-service (RaaS) model that allows for flexible monetization, including an 80-20 revenue split for standard operations and a 50-50 split for direct extortion. It primarily targets high-value sectors like healthcare and professional services, with confirmed incidents in the U.S., France, Australia, and Peru.

The malware spreads through spear-phishing campaigns, delivering malicious payloads via deceptive emails. Once executed, Anubis employs command-line parameters for privilege escalation and lateral movement, while its "wipe mode" can permanently delete files, increasing pressure on victims to pay ransoms.

On Android, Anubis masquerades as a banking trojan, capturing credentials through phishing overlays and employing tactics like screen recording and keylogging. Its Windows variant features advanced capabilities, including access token manipulation and deletion of Volume Shadow Copies to prevent recovery.
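One way to hunt for the Volume Shadow Copy deletion described above is to scan process-creation telemetry for the command lines commonly used to do it. This is an added example, not code from the original article or from any vendor. The article does not say which mechanism Anubis uses, so the rule set, the event field names and the sample events are all assumptions.

```python
import re

# Command lines commonly used to destroy Volume Shadow Copies. Assumption: the
# article does not name Anubis's mechanism, so several known ones are covered.
RULES = [
    ("vssadmin-delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    # Lower confidence: administrators also resize shadow storage legitimately.
    ("vssadmin-resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic-shadowcopy", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wmi-class-delete", re.compile(
        r"win32_shadowcopy.*(\.delete\(|remove-wmiobject|remove-ciminstance)")),
]

def normalize(cmdline):
    """Lowercase, drop cmd.exe carets and quotes, collapse whitespace."""
    stripped = re.sub(r'[\^"]', "", cmdline.lower())
    return re.sub(r"\s+", " ", stripped).strip()

def find_shadow_copy_deletion(events):
    """Return (host, user, rule) for each event whose command line matches."""
    alerts = []
    for ev in events:
        cmd = normalize(ev.get("cmdline", ""))
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append((ev["host"], ev["user"], name))
                break  # one alert per process-creation event
    return alerts

# Constructed process-creation events; hosts, users and command lines are made up.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "alice",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"host": "WS-014", "user": "alice",
     "cmdline": "cmd.exe /c v^ssa^dmin del^ete shad^ows /all /quiet"},
    {"host": "SRV-02", "user": "svc_backup",
     "cmdline": "vssadmin list shadows"},  # benign inventory query
    {"host": "SRV-02", "user": "admin",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"host": "SRV-02", "user": "admin",
     "cmdline": "wmic shadowcopy delete /nointeractive"},
]

if __name__ == "__main__":
    for alert in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(alert)
```

Normalizing before matching keeps the rules from being bypassed by quoting or caret-escaping. The benign `list shadows` query produces no alert.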