A new and dangerous update has been found in the Anubis ransomware, making it even more harmful than before. Anubis first appeared in late 2024 and has been growing ever since. Now, it has added a feature called “WIPEMODE” that allows it to permanently delete files from a victim’s computer. This means that even if someone decides to pay the ransom, the files might already be gone forever.
Usually, Anubis attacks start through phishing emails. Victims receive fake emails that look trustworthy and are tricked into clicking on a malicious link or downloading an infected file. Once that happens, the ransomware silently installs itself and begins taking control of the system. One of the first things it does is try to gain system-level access, so it can operate without any restrictions. Then it removes the backup copies of files known as Volume Shadow Copies. These are normally used to recover lost data, and once they are deleted it becomes much harder to get files back.
After that, Anubis starts encrypting the victim’s files using strong encryption known as ECIES. It also renames those files by adding a “.anubis” extension. In normal ransomware attacks, the files are locked but still there, and users are asked to pay money to get a decryption key. But now, if the attackers activate the new /WIPEMODE command, the contents of the files are fully erased. The files remain on the computer by name, but they are reduced to 0 KB in size, meaning they are completely empty. Even if the victim pays the ransom, there’s nothing left to recover.
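For responders, the two on-disk states described above (a “.anubis” file that still has content versus a file whose name survives at 0 KB) decide what can only come back from backup. The following triage sketch is an added example, not code from the original article; the manifest format (relative path mapped to size at backup time) and the sample file names are assumptions constructed for illustration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".anubis"  # extension the article says is appended


def classify(root, rel_path, backup_size):
    """Compare one backed-up file against what is on disk now."""
    original = os.path.join(root, rel_path)
    for candidate in (original + ENCRYPTED_EXT, original):
        if not os.path.isfile(candidate):
            continue
        size = os.path.getsize(candidate)
        if size == 0 and backup_size > 0:
            return "wiped"      # name survives, contents gone
        if candidate.endswith(ENCRYPTED_EXT):
            return "encrypted"  # contents present but locked
        return "present"        # size check only, not an integrity check
    return "missing"


def triage(root, manifest):
    """manifest: {relative path: size in bytes at backup time} (assumed format)."""
    report = {"wiped": [], "encrypted": [], "present": [], "missing": []}
    for rel_path, backup_size in sorted(manifest.items()):
        report[classify(root, rel_path, backup_size)].append(rel_path)
    return report


def demo():
    """Build a constructed sample tree in a temp dir and triage it."""
    manifest = {"a.docx": 2048, "b.xlsx": 512, "c.pdf": 100, "d.txt": 10, "e.log": 0}
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "a.docx.anubis": b"\x00" * 2100,  # renamed, still has content
            "b.xlsx.anubis": b"",             # renamed and emptied
            "c.pdf": b"",                     # original name, emptied
            "e.log": b"",                     # already empty at backup time
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return triage(root, manifest)


if __name__ == "__main__":
    for state, paths in demo().items():
        print(f"{state:10} {len(paths):3}  {paths}")
```

Comparing against the backup manifest matters because empty files also exist on healthy systems; only a file that was non-empty at backup time and is 0 bytes now counts as wiped.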
Cybercriminals are using this new wipe feature as a way to increase pressure on their targets. By threatening to not only lock but also completely destroy files, they’re hoping people will panic and pay up faster. It’s also being seen as a flexible tool for attackers. Some may use traditional encryption and demand a ransom. Others may steal sensitive data and use it to blackmail victims. And now, with the wiping option, some attackers might choose to simply cause chaos by deleting everything.
The Anubis ransomware is sold as Ransomware-as-a-Service (RaaS), which means it’s available for rent to other criminals. Depending on how the attack is carried out, the affiliate (the person using the ransomware) can earn different percentages of the ransom. For classic encryption-based attacks, affiliates can keep up to 80% of the money. For wipe-only or data-theft cases, they get less, around 40–50%.
So far, at least seven organizations have been hit with Anubis. These include companies from different sectors like healthcare, construction, engineering, and hospitality. The attacks have been reported in countries such as the United States, Canada, Australia, and Peru. This clearly shows that Anubis is spreading quickly and targeting a wide range of industries and regions.
The most important thing now is protection. Since paying the ransom may no longer guarantee your files will be saved, it’s more important than ever to be prepared. Creating backups regularly, and storing them offline, is one of the best ways to protect your data. Also, limiting admin access, using proper email filtering, keeping systems updated, and educating people about phishing threats can help prevent attacks in the first place. If backups are stored separately and disconnected from the main system, even ransomware like Anubis can’t touch them.
This new development is a serious warning. Ransomware is no longer just about locking your files; it’s now about potentially losing everything with no way to get it back. Anubis with file-wiping capabilities takes the threat to a whole new level, and staying alert is the only way to stay safe.
Stay alert, and keep your security measures updated!