New Ransomware Threat Adds File-Wiping Destruction to Encryption Attacks

Researchers have identified a new and highly destructive ransomware-as-a-service (RaaS) operation called Anubis that escalates the typical double-extortion model by incorporating a custom file wiper, Forbes reports.

In addition to stealing and encrypting data, Anubis gives attackers the option to permanently destroy files, making recovery impossible. This added threat significantly increases the pressure on victims to pay the ransom.

Anubis is part of a continuing cycle where new groups emerge as others are disrupted by law enforcement or rival hackers. What sets Anubis apart is its use of a /WIPEMODE parameter that allows attackers to sabotage recovery efforts even after encryption, creating an irreversible impact on compromised systems.

The ransomware is delivered through multiple vectors, including phishing, command-line execution, and privilege escalation. Once active, it can execute encryption and file-wiping functions simultaneously, compounding the damage.

Researchers recommend straightforward but essential mitigation steps. The most critical defense is maintaining secure, up-to-date offline and off-site backups to neutralize the impact of the wiper feature.  

Additional precautions include avoiding suspicious downloads or links, implementing web filtering, minimizing administrative privileges, and keeping security software current with regular vulnerability scans.

Takeaway: Ransomware actors have pushed the limits of the double extortion model, and they're starting to realize it’s not always enough. Stealing data and threatening to leak it worked for a while, but as more victims refuse to pay, threat actors are evolving their tactics to force compliance.  

The emergence of Anubis shows just how far they’re willing to go. By adding a file wiper to the traditional encryption payload, attackers now hold the power to permanently destroy data if a ransom isn’t paid. That’s a significant shift from extortion to outright sabotage.

The addition of destructive capabilities is not just a scare tactic, it’s a new pressure point. The threat of public exposure doesn’t move every victim, but the threat of irreversible data loss hits differently. It’s an escalation designed to force a decision: pay up or lose everything. And the harsh truth is that this won’t be the last time we will see it. More ransomware groups will adopt destructive options to increase urgency and boost payment rates.

Ransomware isn’t going away, it’s just getting meaner. And the message to defenders is clear: you need to be ready for the kind of extortion where nothing comes back if you don’t pay. Anubis isn’t just another RaaS platform. It’s a warning that ransomware is entering a new phase where destruction becomes part of the negotiation process. Organizations need to treat that seriously and prepare accordingly.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.