The Anubis ransomware-as-a-service (RaaS) operation has incorporated a wiper module that permanently destroys targeted files, leaving victims unable to recover their data even if they pay the ransom.
According to a new report by Trend Micro, the wiper function was found in the latest malware samples attributed to Anubis, which emerged in December 2024 and became increasingly active in early 2025. The Anubis operators launched their affiliate recruitment campaign on the RAMP forum on February 23.
The wiper is triggered by a command-line parameter, /WIPEMODE, which requires key-based authentication before it will run. Once activated, it truncates each targeted file to 0 bytes while leaving the directory tree and file names untouched, so a directory listing looks intact even though the contents are gone. Unlike encryption, where the ciphertext still exists and could in principle be decrypted once a key is obtained, truncation leaves nothing to recover, which is why payment cannot restore the affected data.
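The behaviour described above (zero-byte files left in an otherwise intact tree) is easy to miss by eye but simple to triage with a script. The following is an added example written for this page, not code from Trend Micro or from the Anubis samples: it walks a directory tree and reports, per directory, how many regular files are both empty and modified at or after a suspected incident start time, so that legitimately empty files with old timestamps are not counted. The sample tree it builds under a temporary directory is constructed for the demonstration, and the `since` cutoff is an assumed incident start time.

```python
"""Triage scan for files that were truncated rather than encrypted.

Added example for this page; not the vendor's or the malware's code.
"""
import os
import stat
import tempfile
import time


def find_truncated_files(root, since_epoch):
    """Return {relative_dir: (zero_byte_recent, total_regular_files)}.

    Only directories containing at least one regular file that is
    0 bytes long AND was modified at/after since_epoch are reported.
    Symlinks and special files are skipped so they cannot skew counts.
    """
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        zero_recent, total = 0, 0
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            total += 1
            if st.st_size == 0 and st.st_mtime >= since_epoch:
                zero_recent += 1
        if zero_recent:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            report[rel] = (zero_recent, total)
    return report


def build_sample_tree(root):
    """Create a constructed sample tree (not real victim data).

    Returns the assumed incident start time (one hour ago) used as the
    mtime cutoff for the scan.
    """
    now = time.time()
    files = {
        "docs/report.docx": b"",                    # truncated to 0 bytes
        "docs/budget.xlsx": b"",                    # truncated to 0 bytes
        "docs/notes.txt": b"still here",            # untouched content
        "docs/.gitkeep": b"",                       # legitimately empty, old mtime
        "pictures/holiday.jpg": b"",                # truncated to 0 bytes
        "Windows/System32/kernel32.dll": b"MZ...",  # system dir left alone
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    # Age the placeholder file so the scan treats it as pre-incident.
    old = now - 2 * 365 * 86400
    os.utime(os.path.join(root, "docs", ".gitkeep"), (old, old))
    return now - 3600


def demo():
    """Build the sample tree in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as root:
        since = build_sample_tree(root)
        return find_truncated_files(root, since)


if __name__ == "__main__":
    for directory, (zero, total) in sorted(demo().items()):
        print(f"{directory}: {zero}/{total} files are 0 bytes and recently modified")
```

On a real host, point `find_truncated_files` at a user data volume with `since_epoch` set to the earliest suspicious timestamp from your timeline; a directory where nearly every file is a recent zero-byte entry is the signature this section describes, and those files should be recovered from backups rather than treated as encrypted data awaiting a decryptor.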
Anubis, not to be confused with the Android banking malware of the same name, excludes key system directories so that machines remain bootable. It also deletes Volume Shadow Copies, removing Windows' built-in snapshot restore path, and terminates processes that might hold files open or otherwise interfere with the encryption routine.
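Shadow copy deletion is one of the more reliable pre-encryption signals to alert on, because ordinary users almost never do it. The block below is an added example for this page, not code from the report or the malware: it runs a few regex rules over constructed process-creation records (the shape loosely follows a Sysmon Event ID 1 or Windows 4688 event, reduced to pid, image and command line). The page does not say which method Anubis uses to remove shadow copies; the rules cover the commonly seen `vssadmin`, `wmic` and `Win32_ShadowCopy` variants as an assumption, and the sample events are invented.

```python
"""Detect shadow-copy deletion in process-creation telemetry.

Added example for this page; not vendor or malware code.
"""
import re

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4133, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4150, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"pid": 4201, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign admin query
    {"pid": 4222, "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "agent.exe --snapshot C:"},            # benign backup agent
]

# Each rule is (name, compiled pattern over the command line). Patterns are
# case-insensitive and tolerate extra arguments between the keywords.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]


def match_event(event):
    """Return the names of all rules whose pattern matches the command line."""
    cmdline = event.get("cmdline", "")
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(events):
    """Return a list of (pid, rule_name) hits, in event order."""
    hits = []
    for event in events:
        for rule in match_event(event):
            hits.append((event["pid"], rule))
    return hits


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

In production the same rules belong in the SIEM or EDR as a high-severity alert; the one expected benign source is backup software that rotates its own snapshots, which should be allow-listed by parent image rather than by weakening the patterns.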
Trend Micro also noted that Anubis uses ECIES (Elliptic Curve Integrated Encryption Scheme) for file encryption, a hybrid construction in which the symmetric key protecting each file is derived from an elliptic-curve key agreement against the operator's public key, so only the operator's private key can recover it. The malware shares characteristics with other ransomware families such as EvilByte and Prince. Initial access in most attacks is gained through phishing emails carrying malicious links or attachments.