Extremely dangerous ransomware appears, wiping out data even though the victim has paid the ransom
A new variant of ransomware has just been discovered that not only encrypts but also permanently deletes victims' files, a dangerous attack tactic that cybersecurity experts warn is a "rare dual threat".
As cyberattacks continue to increase in sophistication and impact, a new type of ransomware has been discovered with unprecedented data-destroying capabilities, causing concern among cybersecurity experts.
Dubbed Anubis, the ransomware has a special “delete mode” that allows it to not only encrypt files but also permanently delete their contents, making recovery impossible even if the victim pays the ransom.
According to a new report published by researchers Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles from security firm Trend Micro, Anubis is part of a growing ransomware-as-a-service (RaaS) model.

The first Anubis attack campaign was recorded in December 2024, targeting key sectors such as healthcare, hospitality and construction in countries such as Australia, Canada, Peru and the US.
The ransomware was initially codenamed Sphinx and was later renamed Anubis, after an Egyptian god associated with death and the afterlife, a name that partly reflects the intention of “not reviving” victim data after an attack.
It's worth noting that the Anubis ransomware has no connection to the Android banking trojan or the Python-based backdoor of the same name, the latter of which is believed to be the work of the FIN7 hacker group (also known as GrayAlpha).
This helps differentiate Anubis from other attack campaigns, while also demonstrating the increasing complexity of today's malware ecosystem.
One reason Anubis is so dangerous is its sophisticated and organized operating model. According to Trend Micro, the Anubis development team runs an open affiliate program where partners can join and share profits at specific rates.
Specifically, affiliate actors will receive up to 80% of the ransom if the victim pays, a much more attractive split than typical ransomware groups offer. In addition, the group supports additional monetization options such as selling access to the victim's system (split 50-50) or extorting data separately (split 60-40).
This model allowed Anubis to rapidly expand its network and influence, attracting many small cybercriminal groups to join, similar to how software-as-a-service (SaaS) platforms in the technology industry operate.
Attack process and data destruction capabilities
Anubis’ attack chain begins with a phishing email, a method that is all too familiar but still extremely effective. When the victim carelessly opens an attachment or clicks on a malicious link, malware is downloaded and installed on the system.
Anubis then performs classic attack steps such as elevating access, scanning the system, deleting backups, and finally encrypting important files.
However, what is particularly dangerous is the ability to erase the entire contents of a file, reducing the file size to 0 KB while retaining its original name and format. This not only fools data recovery tools, but also leaves the victim unaware of the extent of the damage until it is too late.
“This ransomware supports the /WIPEMODE parameter, which allows for permanent deletion of file contents, making recovery impossible even with professional tools,” the researchers said.
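A defender-side check for the end state described above (files that keep their name but drop to 0 bytes), as an added example that is not from Trend Micro's report or the original article. It compares a size manifest taken earlier with the current tree; the function names, thresholds and sample file tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path relative to root to its size in bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.stat().st_size
            for p in root.rglob("*") if p.is_file()}

def find_wiped(baseline, current):
    """Files that held data at baseline and are now 0 bytes under the same name."""
    return sorted(name for name, size in baseline.items()
                  if size > 0 and current.get(name) == 0)

def assess(baseline, current, min_files=3, min_ratio=0.2):
    """Alert when enough previously non-empty files were emptied in place.
    min_files and min_ratio are illustrative thresholds, not vendor guidance."""
    wiped = find_wiped(baseline, current)
    populated = sum(1 for size in baseline.values() if size > 0)
    ratio = len(wiped) / populated if populated else 0.0
    return {"wiped": wiped, "ratio": ratio,
            "alert": len(wiped) >= min_files and ratio >= min_ratio}

def demo():
    """Constructed sample tree: snapshot it, empty three files, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        sample = {"finance/q1.xlsx": 2048, "finance/q2.xlsx": 4096,
                  "contract.docx": 1024, "notes.txt": 10, "placeholder.log": 0}
        for name, size in sample.items():
            (root / name).write_bytes(b"x" * size)
        before = snapshot(root)
        # Reproduce only the end state the article describes: same name, 0 bytes.
        for name in ("finance/q1.xlsx", "finance/q2.xlsx", "contract.docx"):
            (root / name).write_bytes(b"")
        (root / "notes.txt").unlink()  # plain deletion: missing, so not flagged
        return assess(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would come from a backup catalogue or file-integrity inventory taken before the incident; files that were already empty or that are simply missing are deliberately not counted.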
Anubis's data destruction is not merely destructive; it is also a psychological tactic to increase pressure on victims to pay the ransom as soon as possible.
“The permanent data deletion feature severely increases the risk and pressure to force victims to comply with ransom demands, a tactic carefully designed to eliminate resistance,” Trend Micro said.
The emergence of Anubis marks a dangerous step forward in the world of ransomware, where cybercriminals do not just stop at encrypting data, but can also permanently delete it, making the damage immeasurable.
Therefore, raising security awareness, regularly updating software and periodically backing up data are things that cannot be taken lightly by any individual or organization.