Anubis, a ransomware-as-a-service (RaaS) operation, has just become even more dangerous. Now its malware not only encrypts the victim's files, but also completely destroys them, making it impossible to recover them, even if the ransom is paid.
Note that we are not talking about the Anubis that affects Android, but a different threat with the same name. This Anubis first appeared in December 2024 and, although it went somewhat unnoticed at first, it began to gain momentum at the beginning of this year.
In fact, on February 23, 2025, those responsible for the ransomware announced an affiliate program on the RAMP forum, seeking to expand their reach by adding new accomplices.
A more aggressive strategy: High rewards and total file destruction
At the time, it became known that the creators of this ransomware offered a rather tempting distribution system to attract collaborators: those responsible for infecting received up to 80% of the profits, while those who focused on data extortion took 60%. Even those who only offered initial access to compromised networks could earn 50%.
Today, Anubis' extortion page on the dark web lists only eight victims, but everything points to the operation gearing up. The number of attacks is likely to increase as more criminals come to trust its tooling and new “affiliates” join.
And speaking of its technical evolution, it was recently discovered that Anubis is incorporating new features. One of the most disturbing is a tool that completely deletes files, beyond encryption. In other words, if someone tries to negotiate or simply decides to ignore the threat, the malware can activate a total destruction mode that makes it impossible to recover the files, even if the ransom is paid.
This feature was detected in the latest versions of the ransomware, and everything indicates that it is a strategy to put even more pressure on victims, speeding up payments and avoiding lengthy negotiations.
What really sets Anubis apart from other similar groups is precisely this: its ability to delete everything without leaving a trace, as a final blow that ruins any attempt at recovery.
This aggressive behavior is activated with a special command (“/WIPEMODE”) that also requires a key to function, suggesting that it is used in a controlled and deliberate manner when they want to send a clear message: there are no second chances.
Anubis cleaning mode (Source: Trend Micro)
When activated, this “cleaner” does a silent but devastating job: it completely erases the contents of files, leaving them empty, with a size of 0 KB. However, the file names and folder structure remain the same, as if nothing had happened.
From the outside, everything appears to be in place. But when the victim tries to open one of those files... they realize that there is nothing inside. And worse still: there is no way to recover what has been lost.
Files before encryption (top) and after (bottom)
How does Anubis work behind the scenes?
When analyzing how Anubis works, it was discovered that it accepts several commands when launched, such as elevating privileges, excluding certain folders from the attack, or defining exactly which files it will encrypt.
Interestingly, it avoids touching critical system folders or important programs. The reason? If the system becomes completely unusable, the victim would not be able to see the ransom message or pay, which is not in their best interest.
It also deletes the system's Volume Shadow Copies (the snapshots Windows relies on for local restore points) and terminates any processes or services that might get in the way while it encrypts the files.
The encryption it uses is quite sophisticated: a scheme called ECIES, based on elliptic curves. According to experts, its implementation is very similar to that of other known ransomware such as EvilByte and Prince.
Once the files are encrypted, it adds the extension “.anubis,” leaves a ransom note in HTML format in each affected folder, and even attempts to change the desktop background... although that last attempt usually fails.
Anubis Ransomware Ransom Note
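A defender-side triage check for the two on-disk artifacts described above, files renamed with the “.anubis” extension next to an HTML note in each folder, and files wiped to 0 KB with their names and folder layout intact. This is an added example, not code from the article or from Trend Micro's analysis; the folder names, file names and the note's file name are constructed assumptions.

```python
# Added triage example (not from the article or Trend Micro's analysis).
import os
import tempfile

RANSOM_EXT = ".anubis"   # extension the article reports
NOTE_SUFFIX = ".html"    # the ransom note is dropped as HTML in each folder

def scan_tree(root: str) -> dict:
    """Walk root and classify every regular file (paths use '/' for portability).
    Legitimate 0-byte files (lock files, placeholders) are listed too, so treat
    'wiped' as a lead to confirm against backups, not as proof of wipe mode."""
    found = {"encrypted": [], "wiped": [], "note_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        hit = has_note = False
        for name in files:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            low = name.lower()
            if low.endswith(RANSOM_EXT):          # renamed after encryption
                found["encrypted"].append(rel)
                hit = True
            elif low.endswith(NOTE_SUFFIX):       # candidate ransom note
                has_note = True
            elif os.path.getsize(os.path.join(dirpath, name)) == 0:
                found["wiped"].append(rel)        # name kept, contents gone
                hit = True
        if hit and has_note:                      # note sits beside damaged files
            found["note_dirs"].append(rel_dir)
    return {k: sorted(v) for k, v in found.items()}

def demo() -> dict:
    """Build a constructed sample tree (all names are made up) and scan it."""
    sample = {  # relative path -> content; b"" models a wiped file
        "docs/report.docx.anubis": b"\x00" * 32,
        "docs/notes.txt.anubis": b"\x00" * 16,
        "docs/RESTORE-FILES.html": b"<html>note</html>",
        "finance/ledger.xlsx": b"",
        "finance/budget.csv": b"",
        "finance/RESTORE-FILES.html": b"<html>note</html>",
        "ok/readme.txt": b"untouched",
        "ok/index.html": b"<html>ordinary page, not a note</html>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

Run `scan_tree()` against a mounted image or a restored share to get the list of folders that need a restore from backup rather than a decryptor.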
Anubis attacks have been found to typically start with something quite common: a phishing email. It arrives with a malicious link or attachment that, if opened by the victim, sets the disaster in motion.
Conclusion: When encryption isn't the worst thing
The Anubis case makes it clear that ransomware no longer plays fair (if it ever did). Before, it was enough to worry about file hijacking and blackmail, but now the threat goes a step further: you can lose everything, even if you decide to pay. With its total wipe feature, Anubis leaves no room for maneuver.
In this scenario, there is no magic solution that will make you 100% invulnerable. But there is something that remains your best lifeline: backups. Having up-to-date and well-protected backups can be the difference between quickly returning to normal or watching years of work vanish in a matter of minutes.
That's why having a reliable solution like TecnetProtect Backup is more than just recommended: it's necessary. This tool uses world-renowned Acronis technology and not only ensures automatic backups, but also includes intelligent anti-ransomware protection, designed to detect and stop attacks before they cause real damage. With TecnetProtect Backup, you can face threats like Anubis with the peace of mind that your data is safe no matter what happens.