Cybersecurity researchers have uncovered a new ransomware operation named Anubis, which introduces a three-tiered approach to cybercrime monetization. This Ransomware-as-a-Service (RaaS) platform represents a significant evolution in the ransomware landscape, offering operators multiple revenue streams through distinct business models rather than relying on encryption alone.
Technical Analysis and Origins of Anubis
First detected on the RAMP underground forum in February 2025, Anubis demonstrates characteristics suggesting development by experienced cybercriminals with possible connections to established threat groups. Security firm F6 has identified potential links to the previously documented InvaderX ransomware strain, indicating a possible evolution or rebrand of existing malware infrastructure.
Revolutionary Triple-Threat Business Model
Traditional RaaS Operations
The primary offering follows the established RaaS model, providing affiliates with a ransomware encryptor compatible with Windows, Linux, NAS, and ESXi systems. The malware uses ChaCha+ECIES encryption, a hybrid scheme in which the ChaCha stream cipher encrypts the data and ECIES (elliptic-curve public-key encryption) protects the symmetric key, so that encrypted files cannot be recovered without the corresponding private key. The operation is managed through a dedicated control panel, with an 80/20 profit-sharing arrangement favoring operators.
Data Extortion Services
In an innovative approach to cybercrime services, Anubis offers specialized data ransom operations for previously exfiltrated information. This service includes professional negotiation management and strategic pressure tactics through social media channels and regulatory notifications, operating on a 60/40 profit-sharing basis.
Access Broker Integration
The third model introduces a collaborative arrangement between initial access brokers and the Anubis team, in which purchased or supplied network access is used to carry out subsequent attacks. Profits are split equally between the two parties, a partnership model that represents a novel integration of different cybercriminal specializations.
Operational Scope and Current Impact
Anubis targets organizations primarily in Western nations, including the United States, European Union members, Canada, and Australia. The group explicitly excludes former CIS countries from its operations, a common practice among certain ransomware groups. Notable attacks include a successful breach of Australia’s Pound Road Medical Centre in November 2024, one of four confirmed incidents attributed to the group.
The emergence of Anubis signals a concerning trend in ransomware sophistication and highlights the need for stronger cybersecurity measures across organizations. Security teams should implement comprehensive data protection strategies, including robust offline backups, network segmentation, and threat detection capabilities able to spot data exfiltration as well as encryption. Because Anubis monetizes stolen data and brokered access in addition to encryption, measures that only prevent or recover from file encryption may no longer provide adequate protection against this kind of operation.