A new, far more destructive chapter has begun for the Anubis ransomware operation. Previously known for encrypting data and extorting victims, the cybercriminals behind Anubis have now introduced a wiper feature. One that makes data recovery virtually impossible, even if the ransom is paid.
This strategic shift marks a dangerous evolution in the ransomware-as-a-service (RaaS) ecosystem and signals a chilling intent: punishment and fear, not just profit.
From Extortion to Destruction
Anubis has operated quietly but steadily since late 2024, offering its malicious services to affiliates through a flexible RaaS model. Until now, it followed the conventional double-extortion playbook. That is, encrypt the victim’s files, steal sensitive data, and demand payment for both decryption and silence.
The new version, however, introduces a /WIPEMODE command-line option. Instead of merely locking files, this function overwrites their contents with zeros, turning them into hollow shells. Filenames and folder structures remain visible, but the files themselves are empty, completely unrecoverable.
Even worse: this isn’t an error or accident. It’s deliberate.
How the Wiper Works
The added wiper functionality is designed with precision. It doesn’t crash the system or erase everything blindly. Instead, it:
- Overwrites the contents of files with zeroes, leaving filenames intact.
- Excludes critical Windows directories to keep the OS bootable (and possibly allow ransomware notes to be read).
- Deletes Volume Shadow Copies to eliminate recovery options.
- Terminates backup, database, and productivity software processes to prevent live file protection.
This makes the system look somewhat functional but renders the data worthless—a clever psychological blow to victims deciding whether to pay.
What’s the Goal?
The motive behind this escalation is clear: pressure. Victims who realize that their data is destroyed beyond recovery are more likely to panic and act quickly.
It’s no longer about giving victims a “way out.” This is punishment for non-compliance or perhaps a message to future targets: we’re not bluffing.
Cybercriminal groups have learned that fear and irreversible damage can drive faster ransom payments. With Anubis, that threat is now very real.
Who’s Being Targeted?
So far, Anubis ransomware operators have named victims in industries like healthcare, engineering, and construction, mostly in the U.S., Canada, Australia, and South America. Its affiliate model offers up to 80% of profits to attackers, making it attractive to a wide range of cybercriminals.
Experts expect the number of victims to grow rapidly as this new version spreads.
What Can You Do?
Backups, Backups, Backups
Make sure you maintain regular offline or immutable backups that ransomware can’t access or erase.
Strengthen Email Security
Phishing remains the most common way ransomware spreads. Train staff and use advanced email filters.
Endpoint Monitoring
Track for unusual processes invoking commands like /WIPEMODE, sudden file modifications, or zero-byte conversions.
Restrict Admin Access
Limit who can modify backups, shadow copies, or critical directories.
Plan for Worst-Case Scenarios
With no recovery option, your incident response plan needs to assume the worst—ransom paid or not, the data may be gone.
Final Thoughts
The rise of Anubis as a hybrid ransomware-wiper threat is a worrying sign of what’s ahead. It reflects a growing trend where cybercriminals are more aggressive, less patient, and more willing to cause irreversible damage.
For organizations, the message is clear: the stakes are no longer about downtime, they’re about total data loss. It’s time to prepare accordingly.
