A new ransomware group named Anubis has emerged in late 2024, operating as a Ransomware-as-a-Service (RaaS) with multiple affiliate options. The group offers a variety of business models, including traditional ransomware attacks, data extortion services, and access monetization, allowing affiliates to choose from different ways to profit from compromised systems. Kela, a threat intelligence firm, has identified Anubis through its dark web footprint, not by analyzing the malware itself. The group’s model is based on double extortion, a technique that combines data theft and encryption to pressure victims into paying ransom.
Anubis offers affiliates the option to use its ransomware, Anubis Ransom, with a profit-sharing model where the affiliate earns 80% of the ransom.
The malware targets Windows, Linux, NAS, and ESXi x64/x32 environments and can be controlled via a web portal. Another option available to affiliates is Anubis Data Ransom, which focuses on monetizing stolen data. The stolen data must be exclusive to Anubis and recent, with the affiliate receiving 60% of the revenue. A third option, Access Monetization, allows access brokers to earn 50% of the revenue from access sold to Anubis, specifically targeting the US, Europe, Canada, and Australia.
The group operates a blog detailing its activities and claimed victims. As of February 2025, Anubis has listed four victims, including the Pound Road Medical Centre (PRMC) in Australia, which suffered a cyber incident in November 2024. PRMC’s data was potentially accessed, though it did not mention ransomware, which could suggest that Anubis is focusing on data exfiltration and extortion rather than traditional ransomware encryption. Kela researchers believe that Anubis is leveraging this new model of data extortion, focusing on data theft without encrypting files, which has become an emerging trend in the ransomware world.
Despite being a relatively new player, Anubis exhibits a high level of professionalism and expertise, which suggests that its operators could be former affiliates of other ransomware groups. While Kela has not yet had the opportunity to analyze Anubis’s code in depth, the growing sophistication and the variety of options provided to affiliates indicate that this group could pose a significant threat to organizations in 2025. Anubis’s focus on post-exfiltration extortion and flexible affiliate programs makes it a versatile and potentially dangerous threat in the ransomware landscape.
