When Anubis Ransomware Chooses Destruction Over Profit: A New Calculus for Enterprise Security
The ransomware economy has operated on a simple premise for the better part of two decades: attackers encrypt corporate data, victims pay for the decryption key, and business eventually resumes. That implicit contract, as distasteful as it may be, has at least offered organizations a path to recovery. But a new player in the ransomware landscape is upending that calculus entirely, and chief information security officers at major enterprises should take notice.
Anubis, a ransomware operation that surfaced in December 2024, has introduced what security researchers are calling a dual-threat capability. The malware not only encrypts files, using the Elliptic Curve Integrated Encryption Scheme (ECIES), but also includes an optional wiper function that permanently erases data, truncating file contents to zero bytes while leaving filenames intact as hollow shells. Once the wiper has run, paying the ransom cannot bring the data back.
"In my opinion, it goes against the ransomware business model," said John Fokker, head of threat intelligence at Trellix, in an interview following the discovery of the wiper capability. The observation points to a troubling question: if attackers are willing to destroy data regardless of payment, what incentive remains for victims to negotiate at all?
The answer may lie in the changing economics of cybercrime. According to Bitsight's 2025 State of the Underground report, ransomware attacks increased by nearly 25 percent in 2024, while the number of active ransomware leak sites grew by 53 percent. The proliferation of smaller, more agile ransomware groups has fragmented the market, and competition for victim payments has intensified. In this environment, coercion through the threat of irreversible destruction may be more valuable than the promise of data recovery.
Anubis operates as a Ransomware-as-a-Service platform, offering affiliates an 80-20 revenue split and multiple monetization channels beyond traditional file encryption. The group advertises on underground forums like RAMP and XSS, where operators using aliases such as "superSonic" and "Anubis__media" recruit partners and negotiate terms. What distinguishes Anubis from dozens of other RaaS operations is the sophistication of its business model. The group offers not just ransomware deployment but also data extortion services and access monetization programs, effectively creating a diversified criminal enterprise.
The technical capabilities are equally concerning. Initial access typically occurs through spear phishing campaigns, with attackers crafting emails that appear to originate from trusted sources. These messages contain malicious attachments or links that, once opened, establish a foothold in corporate networks. Secondary infection vectors include exploitation of Remote Desktop Protocol endpoints through credential stuffing and brute force attacks, as well as compromised software updates that introduce malware during legitimate installation processes.
Once inside a network, Anubis demonstrates a level of automation and environmental awareness that reflects significant development resources. The malware checks for administrative privileges and attempts to escalate to SYSTEM-level access through token manipulation techniques. It conducts reconnaissance to identify high-value targets, terminates security processes that might interfere with encryption, and methodically deletes volume shadow copies to eliminate built-in recovery options. The encryption itself uses the Elliptic Curve Integrated Encryption Scheme (ECIES), a hybrid construction in which the symmetric key that actually encrypts the data is derived from an ephemeral elliptic-curve key agreement with the operator's public key. Only the public key ships with the payload; the matching private key stays with the attackers, so the files cannot be recovered without it no matter how thoroughly the malware is reverse engineered.
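The following Go program is an added example written for this article; it is not code from Anubis or from any of the researchers cited. It shows the ECIES pattern in its standard form (an ephemeral P-256 key agreement, a hash-based KDF, AES-256-GCM) so that the recovery problem is concrete: the only secret needed to decrypt is the private key that never touches the victim's machine. The SHA-256 KDF, the blob layout and the sample plaintext are this example's own choices, not details of the Anubis implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Blob layout (this example's own): ephemeral public key (65 bytes, uncompressed
// P-256) || nonce (12 bytes) || AES-GCM ciphertext and tag.
const (
	ephPubLen = 65
	nonceLen  = 12
)

// GenerateRecipientKey makes the long-term key pair. In the ransomware setting only
// the public half is embedded in the payload; the private half stays with the operator.
func GenerateRecipientKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// deriveKey is the KDF step of ECIES, here a single SHA-256 over the shared secret
// and the ephemeral public key (an assumption for brevity; HKDF is the usual choice).
func deriveKey(shared, ephPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	return h.Sum(nil) // 32 bytes, so AES-256
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is ECIES-style hybrid encryption: a fresh ephemeral key pair, ECDH against
// the recipient's public key, a symmetric key from the KDF, then AES-256-GCM.
// The ephemeral private key is discarded once the shared secret exists.
func Encrypt(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, ephPub...), nonce...)
	return gcm.Seal(out, nonce, plaintext, ephPub), nil
}

// Decrypt needs the recipient's private key. Everything stored beside the ciphertext
// (ephemeral public key, nonce) is public by design and is not enough to recover data.
func Decrypt(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < ephPubLen+nonceLen {
		return nil, errors.New("ciphertext too short")
	}
	ephPub, nonce, ct := blob[:ephPubLen], blob[ephPubLen:ephPubLen+nonceLen], blob[ephPubLen+nonceLen:]
	ephKey, err := ecdh.P256().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, ephPub))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, ephPub) // fails on a wrong key or tampered data
}

func main() {
	operator, _ := GenerateRecipientKey()
	blob, _ := Encrypt(operator.PublicKey(), []byte("constructed sample: patient record 0001"))
	fmt.Printf("ciphertext is %d bytes; the ephemeral public key travels in the clear\n", len(blob))
	pt, err := Decrypt(operator, blob)
	fmt.Printf("with the operator's private key: %q (err=%v)\n", pt, err)
	other, _ := GenerateRecipientKey()
	_, err = Decrypt(other, blob)
	fmt.Println("with any other key:", err)
}
```

The point a defender should take from the round trip is in `Decrypt`: forensic recovery of the victim host yields the payload, the embedded public key, and for each file an ephemeral public key and nonce, none of which helps. That is why shadow copies and offline backups, not cryptanalysis, are the recovery path.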
The wiper functionality represents the most significant departure from standard ransomware behavior. Activated through a command-line parameter, the feature empties file contents rather than encrypting them: the files stay in place at zero bytes, so a directory listing looks intact while the data is gone for good. Trend Micro researchers who analyzed the malware noted that this capability "adds pressure on victims and raises the stakes of an already damaging attack."
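As an added example, and not code from the page's sources, the following Go program builds a constructed directory tree, truncates part of it the way the text describes, and then scans for the signature such a wiper leaves behind: a large share of regular files at zero bytes with fresh modification times. The directory layout, file names and thresholds are this example's own assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"time"
)

// WipeReport summarises the zero-byte regular files found under a root.
type WipeReport struct {
	Total  int      // regular files examined
	Zeroed []string // zero-byte files with a modification time at or after the cut-off
}

// ScanZeroed walks root and collects every regular file that is both empty and was
// modified at or after `since`. Empty files are normal on their own; the ratio across
// the tree, evaluated by Suspicious, is what separates a wiper from ordinary activity.
func ScanZeroed(root string, since time.Time) (WipeReport, error) {
	var rep WipeReport
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		rep.Total++
		if info.Size() == 0 && !info.ModTime().Before(since) {
			rep.Zeroed = append(rep.Zeroed, path)
		}
		return nil
	})
	return rep, err
}

// Suspicious flags the tree when at least minCount files were emptied and they make up
// at least minRatio of the regular files. Both thresholds are assumptions to tune per share.
func (r WipeReport) Suspicious(minCount int, minRatio float64) bool {
	if r.Total == 0 || len(r.Zeroed) < minCount {
		return false
	}
	return float64(len(r.Zeroed))/float64(r.Total) >= minRatio
}

// BuildSample creates a constructed tree: `good` intact files plus `wiped` files that
// are written and then truncated to zero bytes, so the names survive and the contents do not.
func BuildSample(dir string, good, wiped int) error {
	for i := 0; i < good; i++ {
		p := filepath.Join(dir, fmt.Sprintf("report-%02d.docx", i))
		if err := os.WriteFile(p, []byte("intact content"), 0o600); err != nil {
			return err
		}
	}
	for i := 0; i < wiped; i++ {
		p := filepath.Join(dir, fmt.Sprintf("invoice-%02d.xlsx", i))
		if err := os.WriteFile(p, []byte("original content"), 0o600); err != nil {
			return err
		}
		if err := os.Truncate(p, 0); err != nil { // filename stays, data is gone
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "wipescan")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	if err := BuildSample(dir, 4, 16); err != nil {
		fmt.Println(err)
		return
	}
	rep, err := ScanZeroed(dir, time.Now().Add(-10*time.Minute))
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("%d of %d files zeroed in the last 10 minutes; suspicious=%v\n",
		len(rep.Zeroed), rep.Total, rep.Suspicious(10, 0.5))
}
```

A scan like this is most useful as a gate in front of a backup job: a sync that mirrors the share would otherwise copy the emptied files straight over the last good versions. Two caveats apply. Size alone does not catch a wiper that overwrites contents with junk rather than truncating, and the cut-off time must come from a trustworthy clock, since a tree whose timestamps have been tampered with will not register as recent.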
The target profile reveals a deliberate focus on sectors where operational disruption carries severe consequences. Healthcare institutions have borne the brunt of Anubis attacks, with confirmed incidents at medical facilities in Australia and Canada resulting in the exposure of patient records, Social Security numbers, Medicare information, and treatment histories. On November 13, 2024, Pound Road Medical Centre in Victoria, Australia, became what security researchers believe was Anubis's first victim, though the facility's public statement carefully avoided mentioning ransomware by name.
Construction and engineering firms have also been targeted, with attacks documented in the United States, Peru, and France. The common denominator appears to be mid-sized organizations with valuable data but potentially limited security resources. As Bitsight researchers noted in their analysis, the fragmentation of ransomware groups has led to increased attacks on precisely these types of companies, which may lack the robust defenses of Fortune 100 enterprises but possess sufficient resources to consider paying ransoms.
For chief information security officers at large enterprises, the emergence of Anubis presents both a specific threat and a broader trend indicator. The specific threat is straightforward: spear phishing remains the primary infection vector, and any organization with inadequate email security controls or insufficient user awareness training remains vulnerable. The broader trend is more troubling. If ransomware operators are willing to sacrifice the traditional business model in favor of more coercive and destructive tactics, the implicit rules that have governed cybercriminal behavior may be eroding.
The defensive priorities are clear, if not always easy to implement at scale. Email security requires not just technical controls but ongoing user education to identify sophisticated phishing attempts. According to Bitsight data, 93 percent of U.S. healthcare organizations reported at least one cyber incident in the past year, and 60 percent experienced ransomware attacks in 2024, suggesting that current defenses are inadequate across even critical infrastructure sectors.
Access controls present another layer of defense. Multi-factor authentication on all Remote Desktop Protocol endpoints is no longer optional, and organizations should eliminate RDP exposure to the internet wherever operationally feasible. Yet implementation remains spotty. Security researchers continue to observe successful RDP compromises through credential stuffing and brute force attacks, indicating that basic security hygiene failures persist even as threat sophistication increases.
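The detection side of that hygiene gap is simple enough to show. The Go program below is an added example, not code from the page's sources or from any vendor: it runs a sliding-window brute-force detector over a constructed, simplified rendering of Windows Security events (4625 for a failed logon, 4624 for a success, LogonType 10 for RemoteInteractive, which is what an RDP session shows as). The field names mirror the Windows event fields, but the one-line "key=value" layout, the addresses and the account names are invented for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLogs is constructed for this example; it is not a real Windows export format.
// 203.0.113.5 bursts and then succeeds, 198.51.100.7 is a single typo, and
// 203.0.113.9 is a low-and-slow source spaced 45 minutes apart.
const SampleLogs = `
2024-12-03T09:00:00Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=administrator
2024-12-03T09:00:10Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=admin
2024-12-03T09:00:20Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=svc_backup
2024-12-03T09:00:30Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=svc_backup
2024-12-03T09:00:40Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=svc_backup
2024-12-03T09:00:50Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=svc_backup
2024-12-03T09:01:05Z EventID=4624 LogonType=10 IpAddress=203.0.113.5 TargetUserName=svc_backup
2024-12-03T09:02:00Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith
2024-12-03T08:00:00Z EventID=4625 LogonType=10 IpAddress=203.0.113.9 TargetUserName=administrator
2024-12-03T08:45:00Z EventID=4625 LogonType=10 IpAddress=203.0.113.9 TargetUserName=administrator
2024-12-03T09:30:00Z EventID=4625 LogonType=10 IpAddress=203.0.113.9 TargetUserName=administrator
2024-12-03T10:15:00Z EventID=4625 LogonType=10 IpAddress=203.0.113.9 TargetUserName=administrator
2024-12-03T11:00:00Z EventID=4625 LogonType=10 IpAddress=203.0.113.9 TargetUserName=administrator
`

type logonEvent struct {
	at                      time.Time
	id, logonType, ip, user string
}

// ParseLine turns one "timestamp key=value ..." line into a logonEvent.
func ParseLine(line string) (logonEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return logonEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return logonEvent{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	return logonEvent{at: at, id: kv["EventID"], logonType: kv["LogonType"], ip: kv["IpAddress"], user: kv["TargetUserName"]}, nil
}

// Alert describes one source address that crossed the failure threshold.
type Alert struct {
	IP        string
	Failures  int    // most failures seen inside one window from this source
	Succeeded bool   // a successful RDP logon from the same source followed the burst
	User      string // account named in that success
}

// DetectRDPBruteForce flags sources with at least `threshold` failed RDP logons inside a
// sliding `window`, and marks the alert as a probable compromise if a success follows.
func DetectRDPBruteForce(logs string, threshold int, window time.Duration) ([]Alert, error) {
	var events []logonEvent
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if e.logonType == "10" { // RDP only; network (3) and other logon types are out of scope here
			events = append(events, e)
		}
	}
	sort.Slice(events, func(i, j int) bool { return events[i].at.Before(events[j].at) })
	recent := map[string][]time.Time{} // per-source failure times still inside the window
	alerts := map[string]*Alert{}
	for _, e := range events {
		switch e.id {
		case "4625":
			ts := append(recent[e.ip], e.at)
			for len(ts) > 0 && e.at.Sub(ts[0]) > window {
				ts = ts[1:] // expire failures that fell out of the window
			}
			recent[e.ip] = ts
			if len(ts) >= threshold {
				a, ok := alerts[e.ip]
				if !ok {
					a = &Alert{IP: e.ip}
					alerts[e.ip] = a
				}
				if len(ts) > a.Failures {
					a.Failures = len(ts)
				}
			}
		case "4624":
			if a, ok := alerts[e.ip]; ok { // success after a burst is the high-fidelity signal
				a.Succeeded, a.User = true, e.user
			}
		}
	}
	out := make([]Alert, 0, len(alerts))
	for _, a := range alerts {
		out = append(out, *a)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out, nil
}

func main() {
	alerts, err := DetectRDPBruteForce(SampleLogs, 5, 10*time.Minute)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%s: %d failures in window, success followed: %v (user %q)\n", a.IP, a.Failures, a.Succeeded, a.User)
	}
}
```

With a ten-minute window only the bursting source is flagged, and the success that follows it is the event that should page someone. The slow source at 203.0.113.9 is the caveat: a per-address window misses low-and-slow guessing unless the window is widened to hours, and it misses password spraying spread across many addresses entirely. That is the argument for removing internet-facing RDP and requiring MFA rather than relying on detection alone.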
Backup strategies must account for adversaries who specifically target recovery systems. Offline, immutable backups that cannot be accessed or deleted by attackers who gain network access represent the last line of defense against both encryption and wiper attacks. The challenge is ensuring these backups are genuinely isolated, and versioned: a backup job that simply mirrors the current state of a share will faithfully copy emptied or encrypted files over the last good copies, so retention of prior versions matters as much as isolation. Attackers have demonstrated the ability to identify and compromise backup systems that remain network-accessible, and the median dwell time for ransomware in late 2024 was just four days from initial compromise to encryption, leaving little margin for error.
The question of whether to pay ransoms has grown more complex with the introduction of wiper capabilities. Traditional cost-benefit analysis assumed that payment would result in data recovery. When recovery becomes impossible regardless of payment, the calculus shifts entirely. Yet as long as attackers threaten to publicly release stolen data, some organizations may feel compelled to pay simply to avoid reputational damage, even knowing their encrypted systems cannot be restored.
Law enforcement involvement presents its own considerations. In 2024, 63 percent of ransomware victims that involved law enforcement avoided paying ransom, compared to lower rates among those who did not engage authorities. Yet law enforcement involvement dropped to just 40 percent in 2025, suggesting either declining confidence in official responses or concerns about regulatory scrutiny and disclosure requirements that accompany reporting.
The broader implications extend beyond any single ransomware variant. Anubis represents an evolution in attacker thinking, a willingness to prioritize coercion and destruction over the orderly criminal economics that have characterized ransomware for years. Whether this represents a temporary anomaly or the beginning of a trend toward more destructive tactics remains unclear. What is certain is that organizations cannot afford to assume attackers will continue to follow the rules of the past.
For enterprise security leaders, the message is sobering but straightforward. The question is no longer whether your organization will be targeted by ransomware but whether your defenses can prevent the initial compromise and, failing that, let you recover without the attacker's cooperation. In an environment where 53 percent more ransomware leak sites operated in 2024 than the previous year, and where new groups like Anubis continue to emerge with increasingly sophisticated capabilities, the margin for error continues to shrink.
The ransomware problem will not be solved by any single technology or approach. It requires layered defenses, constant vigilance, and a willingness to invest in fundamentals like user training and access controls that may seem unglamorous compared to cutting-edge security technologies. Organizations that treat ransomware preparedness as a compliance checkbox rather than an ongoing operational priority do so at their peril. The attackers, as Anubis demonstrates, are not standing still.