A new ransomware operation named Anubis, first identified on the RAMP underground forum in February 2025, runs three monetization tracks in parallel: a traditional RaaS model, a standalone data extortion service for organizations whose files have already been stolen, and an access-broker partnership channel. Security firm F6 has linked Anubis to the InvaderX ransomware strain, suggesting it is an evolution or rebrand of an existing criminal infrastructure rather than a new entrant.
Technical Analysis and Origins of Anubis
First detected on the RAMP underground forum in February 2025, Anubis demonstrates characteristics suggesting development by experienced cybercriminals with possible connections to established threat groups. Security firm F6 has identified potential links to the previously documented InvaderX ransomware strain, indicating a possible evolution or rebrand of existing malware infrastructure.
Three Revenue Streams: RaaS, Data Extortion, and Access Broker Integration
Traditional RaaS Operations
The primary offering follows the established RaaS model, providing affiliates with a sophisticated ransomware encryptor compatible with Windows, Linux, NAS, and ESXi systems. The malware implements ChaCha+ECIES encryption algorithms, managed through a dedicated control panel, with an 80/20 profit-sharing arrangement favoring operators.
Data Extortion Services
Anubis offers a separate data ransom service for previously exfiltrated information — targeting organizations that experienced a breach but are not necessarily Anubis ransomware victims. This service includes professional negotiation management and strategic pressure tactics through social media channels and regulatory notifications, operating on a 60/40 profit-sharing basis.
Access Broker Integration
The third model introduces a collaborative approach between access brokers and the Anubis team, where initial network access is leveraged for subsequent attacks. This equal-profit partnership model represents a novel integration of different cybercriminal specializations.
Operational Scope and Current Impact
Anubis targets organizations primarily in Western nations, including the United States, European Union members, Canada, and Australia. The group explicitly excludes former CIS countries from its operations, a common practice among certain ransomware groups. Notable attacks include a successful breach of Australia’s Pound Road Medical Centre in November 2024, one of four confirmed incidents attributed to the group.
The separation of data extortion from encryption — targeting organizations that may have mitigated the ransomware itself but still hold stolen data — means that a successful backup and recovery process no longer eliminates extortion risk. Organizations in the US, EU, Canada, and Australia should treat credential and data exposure as a distinct threat vector requiring dedicated response plans.