The ransomware-as-a-service (RaaS) operation Anubis has distinguished itself with data-wiping functionality in its malware kit, according to Trend Micro research published last week.
Anubis, a relatively new group to the RaaS scene, appeared last year and quickly established itself with a number of attacks against critical industry victims. The group is also notable for its ransomware affiliate model; Anubis offers affiliates the option of a typical RaaS model with an 80% payout, an option where Anubis helps extort a victim after a data theft attack in exchange for 40% of the total cut, and an option where Anubis helps affiliates extort a victim post-compromise for 50% of the net ransom.
Trend Micro’s latest research shares some tactics, techniques, and procedures (TTPs) of Anubis while showcasing the gang’s “wiping” functionality, enabling affiliates to permanently erase files from a victim’s computer, regardless of whether a ransom is paid.
The Anubis Wiper
Many ransomware groups are known for two types of attacks in 2025. In double extortion attacks, which have gained significant popularity in recent years, the threat actor both encrypts data on a target’s network and steals data under threat of leak. In data theft attacks, attackers steal data (skipping the “ransomware” piece entirely) and use that as the main means to extort a ransom payment.
Although Anubis is capable of classic data theft and encryption functionality, the addition of a file-wiping tool “severely impact[s] chances of file recovery,” Trend Micro said.
According to the research, Anubis gains initial access to the victim through a spear-phishing email. Once access and escalated privileges are confirmed, the ransomware runs a command to delete Volume Shadow Copies on the specified drive. These are point-in-time snapshots considered critical for the recovery process.
In addition, Anubis ransomware includes “wipemode,” a function enabling the attacker to permanently delete all the data inside a file, making local recovery impossible. As Trend Micro showed in its research, a file would remain listed in the victim’s directory, but the size would be zero kilobytes.
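As an added illustration (not from Trend Micro's research or the original article), the Python below turns the zero-size observation into a defensive check: it compares a previously recorded size baseline against the current state of a directory and flags files that are still listed under the same name but now hold zero bytes. The function names, thresholds, and sample files are assumptions made for this example.

```python
import os
import tempfile

def snapshot(root):
    """Record relative path -> size for every regular file under root."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            sizes[os.path.relpath(path, root)] = os.path.getsize(path)
    return sizes

def find_emptied(baseline, current):
    """Files still listed under the same name whose size dropped to zero."""
    return sorted(
        path for path, old_size in baseline.items()
        if old_size > 0 and current.get(path) == 0
    )

def assess(baseline, current, min_files=3, min_ratio=0.2):
    """Alert when emptied files pass both an absolute and a relative threshold.
    The thresholds are assumptions for illustration; tune them per file share."""
    emptied = find_emptied(baseline, current)
    populated = sum(1 for size in baseline.values() if size > 0)
    ratio = len(emptied) / populated if populated else 0.0
    return {"emptied": emptied, "ratio": ratio,
            "alert": len(emptied) >= min_files and ratio >= min_ratio}

def demo():
    """Constructed sample data: ten files, four truncated in place, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(10):
            with open(os.path.join(root, f"report_{i}.docx"), "wb") as fh:
                fh.write(b"x" * 1024)
        open(os.path.join(root, "notes.txt"), "wb").close()  # empty from the start
        baseline = snapshot(root)
        for i in range(4):
            # Same name stays in the listing, size becomes zero.
            open(os.path.join(root, f"report_{i}.docx"), "wb").close()
        os.remove(os.path.join(root, "report_9.docx"))  # deletion is a separate signal
        return assess(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Files that were already empty in the baseline and files that were deleted outright are deliberately excluded, so the check isolates the "name remains, contents gone" pattern described above.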
Why a Data Wiper?
Jon Clay, Trend Micro’s VP of threat intelligence, tells Dark Reading that the wiper functionality was likely added to provide an additional extortion vector. Wipemode would “add additional pressure on the victim to pay the ransom through the threat of wiping out data if it is not paid,” Clay says.
Dark Reading asked Clay if the wiper could be a tool to appeal to nation-states as possible customers, such as Russia with its history of destructive attacks against Ukraine.
“Certainly, if an affiliate has motive to perform a destructive attack, then this would be a way to do it,” Clay says. “Some affiliates may be influenced by nation-state activities and/or hacktivism and having an option to wipe data may be a means to perform this operation.” By offering a service portfolio that includes data theft, data encryption, and data wiping, Anubis gives lots of options to its affiliates, he added.
To defend against Anubis, Trend Micro recommends enterprises implement a security strategy that includes maintaining offline backups, limiting access privileges to employees only as necessary, conducting regular user training, and ensuring employees “avoid downloading attachments, clicking on links, or installing applications unless the source is verified and trusted.”