Meet Anubis, a new ransomware gang
A new ransomware group dubbed Anubis has emerged, say researchers at Kela.
The group’s profile on X suggests it has been active since the beginning of December 2024, says the report. However, it adds, a statement from one of their victims about a ‘cyber security incident’ on November 13, 2024, is possible evidence that the group has been active since at least then.
Anubis’ first claimed victim is Pound Road Medical Centre, an Australia-based company from the healthcare sector. On Dec. 29th Anubis claimed Canadian healthcare provider Summit Home Health as another victim. The same day a Peru-based company from the engineering and construction sector was listed as a victim, while earlier this week an unnamed U.S.-based company in the same sector was listed.
Apparent representatives of Anubis have been seen on both RAMP (using the moniker ‘superSonic’) and XSS (using the moniker ‘Anubis__media’). Both users’ posts are written in Russian.
Two days ago the threat actor “superSonic” advertised a ‘new format’ of affiliate programs on the RAMP cybercrime forum, says Kela. All of their suggested revenue-share structures are open to negotiation for long-term co-operation.
This affiliate program offers what Kela says is a classic ransomware-as-a-service (RaaS) model — affiliates do the break-in and data theft, while the gang that supplies the ransomware code negotiates the ransom — with affiliates promised 80 per cent of the ransom paid. Anubis details the following features of their ransomware:
uses ChaCha+ECIES encryption;
targets Windows, Linux, NAS, and ESXi x64/x32 environments;
elevates hacker privileges to NT AUTHORITY\SYSTEM;
has the capability for self-propagation of encryption across the victim organization’s domain;
easily managed via a web panel.
And, if affiliates want to cash in on data they’ve recently stolen from hacks without using Anubis’ infrastructure, the gang will give them a 60 per cent cut. As part of this service Anubis promises to pressure and threaten the victim company using ‘non-standard methods.’
Finally, there’s a special service for initial access brokers — groups that specialize in hacking into companies but then sell their access to other threat actors who do the actual data theft/data destruction or install ransomware. These affiliates will get a 50 per cent cut of whatever Anubis can squeeze from a victim firm.
Ransomware continues to be a successful weapon for some crooks. According to SonicWall’s just-released annual Cyber Threat Report, ransomware attacks in North America were up eight per cent over 2023, and up 259 per cent in Latin America.
Clearly organizations are still not doing enough to protect themselves from ransomware — or any other type of cyber attack.
“In 2024, the average ransomware payment reached US$850,700, with total related losses often exceeding US$4.91 million when factoring in downtime and recovery costs,” the report says in part.
One prime factor in any successful cyber attack is stolen credentials or the exploitation of weak credentials. CIOs, CISOs, infosec pros and IT leaders have to take more steps to improve identity and access management.
Another prime factor is the exploitation of unpatched vulnerabilities in Windows and critical applications like remote access software and firewalls.
As I’ve written before, there’s lots of free advice on defending against ransomware from the national cybersecurity agencies in the U.S., the U.K., Canada and other countries. Look also at the Blueprint for Ransomware Defence.