Anubis: A New Ransomware Threat

Summary:
Researchers at KELA have uncovered activity belonging to a group calling itself Anubis Ransomware. Anubis maintains an official X account, which suggests the group has been active since at least November 2024. At the time of writing, KELA observed Anubis representatives on both the RAMP and XSS forums, posting in Russian. The group runs a double-extortion, ransomware-as-a-service (RaaS) operation alongside affiliate programs that monetize previously stolen data and initial access.

Anubis offers three affiliate programs to other cybercriminals, each adding a revenue stream. The main program is a conventional RaaS arrangement: affiliates receive the ransomware and, most likely, the ability to publish victim information on the Anubis blog to intimidate victims, and the ransom is split 80/20 in the affiliate's favor.

The second program, Anubis Data Ransom, lets cybercriminals monetize sensitive data they have already stolen from companies. Anubis undertakes to extort the breached organization on the affiliate's behalf in exchange for a 60/40 split of the ransom. To exert maximum pressure, the operators analyze the stolen data, potentially negotiate with the victim, and create a hidden, password-protected "investigative article" based on the compromised information; they then employ what they call "non-standard methods" to threaten the organization, notify affected parties, regulators and regulatory frameworks (GDPR, EDPB, HHS, OPC, ICO, OAIC) and the organization's clients, publish the article on X, and ultimately release the full data set.

The third program is aimed at initial access brokers (IABs), who supply corporate access credentials to Anubis in exchange for a 50/50 split of the resulting ransom. Anubis lists these programs and the alleged capabilities of its ransomware in a post on RAMP, reproduced in KELA's article.

Security Officer Comments:
Based on its apparent experience with data extortion and ransomware operations, and the well-written investigative articles on its victims, Anubis appears to be an emerging ransomware threat likely composed of former affiliates of other ransomware groups. Its emergence highlights the evolving sophistication and diversification of the ransomware landscape: by offering affiliates several business models, Anubis extends its versatility and reach to a variety of niche criminal roles within the ecosystem.

Each affiliate program has eligibility caveats. Data submitted to the Data Ransom program must not already be on the clearnet or the darkweb, and the breach must be fresh, no older than six months. Initial access brokers may only offer credentials for organizations in the US, Europe, Canada, or Australia; educational, governmental, and non-profit entities are excluded; and the organization must not have been attacked within the past year. The operators' detailed and informative content across all platforms, including their onion blog, points to extensive hands-on experience in ransomware and data extortion. The targeting of healthcare seen in their early victimology is particularly concerning given the sensitivity of the data and the potential impact on patient care. Turning stolen data into investigative articles adds a further layer of pressure on victims and may accelerate negotiations. This approach, combined with the multi-platform targeting they advertise, suggests a well-organized and resourceful group. Because Anubis openly buys corporate credentials from brokers and stolen data from other intruders, an exposed credential or an unexplained exfiltration should be treated as a likely precursor to extortion. Cybersecurity professionals and organizations, especially those in critical sectors, should be aware of Anubis's tactics and ensure robust defenses are in place to mitigate the threat.

Suggested Corrections:
Back up your data, system images, and configurations; test the backups regularly; and keep them offline:
Many ransomware variants look for reachable backups and encrypt or delete them, so backups must not be reachable from the business network (offline or immutable copies) and must be tested regularly. Current, offline backups are what allow the organization to restore systems if its network data is encrypted, and a backup that has never been restored from is not a tested backup.
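The integrity side of "test your backups" can be automated. The following is an added example written for this page, not code from KELA or from the advisory: it writes a SHA-256 manifest of a backup set, later verifies the set against that manifest, and reports files that vanished, changed, or now look encrypted (high byte entropy is a cheap tell for a ransomware pass over a backup share). The directory layout, file contents, the `.locked` extension and the ransom-note name are all constructed for the demonstration; the 7.0 bits-per-byte threshold is an assumption, not a figure from the page.

```python
"""Added example, not code from KELA or the advisory: write a SHA-256 manifest
for a backup set, then verify the set against it and flag files that vanished,
changed, or now look encrypted. All paths and contents below are constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX form) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.0) -> dict:
    """Compare the backup tree against a manifest written earlier.

    missing:             in the manifest, no longer on disk
    modified:            on disk with a different hash
    unexpected:          on disk, not in the manifest (renamed files, ransom notes)
    suspected_encrypted: modified or unexpected files whose bytes look encrypted
    An empty report on a freshly restored copy is the "restore test passed" signal.
    """
    report = {"missing": [], "modified": [], "unexpected": [], "suspected_encrypted": []}
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif sha256_file(p) != manifest[rel]:
            report["modified"].append(rel)
        else:
            continue
        if shannon_entropy(p.read_bytes()) >= entropy_threshold:
            report["suspected_encrypted"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed scenario: take a manifest, simulate a ransomware run that
    reached the backup share, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n" * 200)
        (root / "config.yaml").write_text("listen: 0.0.0.0:8443\n")
        (root / "notes.txt").write_text("plain text that should stay plain\n")
        manifest = build_manifest(root)

        # Simulated impact: one file encrypted in place, one encrypted and renamed,
        # one deleted, and a ransom note dropped (random bytes stand in for ciphertext).
        (root / "config.yaml").write_bytes(os.urandom(4096))
        locked = root / "db" / "customers.csv.locked"
        (root / "db" / "customers.csv").rename(locked)
        locked.write_bytes(os.urandom(4096))
        (root / "notes.txt").unlink()
        (root / "RESTORE_FILES.txt").write_text("your files are encrypted\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run the manifest step when the backup is taken and store the manifest somewhere the backup host cannot write to; a scheduled `verify_backup` against the offline copy, and the same call against a scratch restore of it, gives the two checks the recommendation above asks for. The entropy heuristic will also flag legitimately compressed or encrypted archives, so tune the threshold or exclude those paths rather than treating every hit as an incident.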

Update and patch systems promptly: keep operating systems, applications, and firmware current. Consider a centralized patch management system, and let a risk-based assessment drive the patch management program.

Test your incident response plan: nothing exposes the gaps in a plan like exercising it. Work through core questions and use the answers to build and refine the plan: Can you sustain business operations without access to certain systems? For how long? Would you halt manufacturing if business systems such as billing were offline?

Check your security team's work: use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware operators are aggressive and skilled and will find the equivalent of unlocked doors.

Segment your networks: ransomware attacks have shifted from stealing data alone to disrupting operations, and Anubis combines both. It is critical that corporate business functions and manufacturing/production operations are separated, that internet access from operational networks is carefully filtered and limited, that every link between these networks is identified, and that workarounds or manual controls exist so ICS networks can be isolated and continue operating if the corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
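"Identify links between these networks" is the step most segmentation projects skip, and it can be checked against real traffic rather than the network diagram. The following is an added example written for this page, not code from KELA or the advisory: it classifies the endpoints of observed flow records into zones by longest-prefix match and reports every cross-zone flow the zone policy does not permit, which is exactly the set of undocumented corporate-to-ICS paths a segmentation project needs to close. The address plan, the jump-host design, the key=value record format, the permitted ports and the sample flows are all constructed assumptions for the demonstration.

```python
"""Added example, not code from KELA or the advisory: audit observed flow
records against a zone policy to surface corporate-to-ICS paths that bypass
the permitted jump host. The address plan, policy, record format and flows are
all constructed for illustration."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed address plan. "internet" is the /0 catch-all; longest prefix wins.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz_jump": ipaddress.ip_network("10.20.0.0/24"),
    "ics": ipaddress.ip_network("10.30.0.0/16"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Permitted cross-zone (src_zone, dst_zone, dst_port) tuples. Anything else that
# crosses a zone boundary is a finding; traffic inside one zone is not judged here.
POLICY = {
    ("corporate", "dmz_jump", 22),    # admins reach the jump host over SSH
    ("dmz_jump", "ics", 502),         # Modbus/TCP only from the jump host
    ("dmz_jump", "ics", 3389),        # RDP to engineering workstations, jump host only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    matches = [z for z, net in ZONES.items() if addr in net]
    return max(matches, key=lambda z: ZONES[z].prefixlen)


def parse_flow(line: str) -> Flow:
    """Constructed record format: key=value tokens, e.g.
    'src=10.10.5.4 dst=10.30.1.9 dport=502 proto=tcp'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["proto"])


def audit(lines):
    """Return (src_zone, dst_zone, flow) for every cross-zone flow the policy
    does not permit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        s, d = zone_of(f.src), zone_of(f.dst)
        if s != d and (s, d, f.dport) not in POLICY:
            findings.append((s, d, f))
    return findings


def summarize(findings) -> Counter:
    """Count violations per zone pair: these are the undocumented links to close."""
    return Counter((s, d) for s, d, _ in findings)


# Constructed sample: two permitted hops via the jump host, one direct
# corporate-to-ICS Modbus session, one ICS host talking to the internet,
# and two intra-zone flows that are out of scope.
SAMPLE_FLOWS = [
    "src=10.10.5.4 dst=10.20.0.10 dport=22 proto=tcp",
    "src=10.20.0.10 dst=10.30.1.9 dport=502 proto=tcp",
    "src=10.10.5.4 dst=10.30.1.9 dport=502 proto=tcp",
    "src=10.30.1.9 dst=203.0.113.7 dport=443 proto=tcp",
    "src=10.10.5.4 dst=10.10.9.9 dport=445 proto=tcp",
    "src=10.30.1.9 dst=10.30.1.20 dport=502 proto=tcp",
]

if __name__ == "__main__":
    hits = audit(SAMPLE_FLOWS)
    for s, d, f in hits:
        print(f"{s} -> {d}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print(dict(summarize(hits)))
```

Feed it exported flow records from a SPAN port or NetFlow collector on the corporate/OT boundary before the firewall rules are tightened, and every finding is either a rule the policy forgot or a path that should not exist; the summary by zone pair is the list to take into the change window. The audit only checks destination port and zone, so once the policy is enforced on the firewall, a flow that still appears as a finding means the enforcement point is being bypassed.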

Train employees: email remains the most commonly exploited initial access vector, so users should be trained to recognize and avoid phishing. Multi-factor authentication, preferably a phishing-resistant method, limits what a stolen password is worth; this matters here because Anubis openly buys corporate access credentials from initial access brokers.

Link(s):
https://www.kelacyber.com/blog/anubis-a-new-ransomware-threat/

https://www.darkreading.com/cyber-risk/anubis-threat-group-seeks-out-critical-industry-victims