New ransomware stocks have been discovered and include the ability to not only encrypt files, but also permanently erase them. This is a development called “rare dual threats.”
“Ransomware has a ‘wipe mode’ that permanently erases files, making recovery impossible even if ransom is paid,” micro-researchers Maristel Polisulpio, Sarah Pearl Camilling and Sofia Nilletto Robles said in a report released last week.
The operation as a ransomware assiasia in question was named Anubis, which became active in December 2024, and claiming victims of the healthcare, hospitality and construction sectors of Australia, Canada, Peru and early US analyses, suggesting that the developers cited Spinks before they symbolized the first version.
It is worth noting that the electronic crime crew has nothing to do with the Python-based backdoor, the same name as the Android Banking Trojan.
“Anubis runs a flexible affiliate program, provides negotiable revenue splits and supports additional monetization passes such as data forced and access sales,” the cybersecurity company said.
The affiliate program follows an 80-20 split, allowing affiliate actors to pay 80% of the ransom. Meanwhile, the data coercion and access monetization scheme offer 60-40 and 50-50 splits, respectively.
The attack chain attached to Anubis involves using phishing emails as the initial access vector. Threat actors will use their scaffolding to escalate privileges, carry out reconnaissance, take steps to remove volume shadow copies, and wipe content as needed.
This means that while the file name or its extension is left untouched, the file size will be reduced to 0 kb, making recovery impossible, and therefore putting more pressure on the victim to pay.
“The ransomware includes a wiper feature using the /wipemode parameter, which permanently removes the contents of the file and prevents attempts to recover,” the researchers said.
“The ability to encrypt and destroy data forever greatly increases the interests of victims and amplifies pressure to comply, as intended for the operation of powerful ransomware.”
The discovery of Anubis’ disruptive behavior comes when future detailed new infrastructure related to FIN7 groups impersonating legitimate software products and services is recorded as part of a campaign designed to provide NetSupport Rat.
The threat intelligence company owned by MasterCard said it has identified three unique distribution vectors over the past year employing Bogus browser update pages, a fake 7-ZIP download site, and TAG-124 (aka 404 TDS, Chaya_002, Kongtuke, Landupdate808) to deliver malware.
The fake browser update method loads a custom loader mask bat to run the remote access trojan, but the remaining two infected vectors use another custom PowerShell loader that compresses it and runs it.
“(Maskbat) is similar to FakeBat, but it is obfuscated and contains a string linked to Grayalpha,” said Future’s Insikt group. “We observed that all three infected vectors were used simultaneously, but at the time of writing, only the fake 7-ZIP download page was still active, showing the newly registered domain in April 2025.”
