Beware: Anubis Ransomware Now Hitting Android and Windows Devices

-

 A sophisticated new ransomware threat has emerged from the cybercriminal underground, presenting a serious challenge to both enterprise and personal cybersecurity. Dubbed Anubis, this malware is not only capable of encrypting files but also stealing login credentials—targeting both Android and Windows platforms simultaneously.

First identified in November 2024, Anubis represents a concerning evolution in malware design. It merges the destructive power of traditional ransomware with the stealthy credential-theft techniques often associated with banking trojans. This dual-functionality approach has helped Anubis quickly gain traction among cybercriminals and establish itself as a significant threat in the wild.



A Rising Threat Amid a Surge in Ransomware Activity

Anubis has appeared during a global rise in ransomware incidents. Recent threat intelligence reveals a 25% increase in publicly listed ransomware victims and a 53% rise in leak sites operated by ransomware gangs. This surge reflects the growing sophistication and organizational structure of ransomware operators—and Anubis is a textbook example.

Researchers at Bitsight have identified Anubis as particularly dangerous due to its dual-platform architecture and destructive payloads. The malware has already been used to attack high-value targets in healthcare, construction, and professional services—sectors where downtime and data loss can have devastating consequences.

A Glimpse Into the Underground: Ransomware-as-a-Service

The group behind Anubis has been observed operating in Russian-speaking dark web forums, offering the ransomware through a Ransomware-as-a-Service (RaaS) model. This flexible affiliate structure allows less technically skilled attackers to deploy customized attacks using pre-built tools.

What sets Anubis apart from other ransomware families is its irreversible data destruction capabilities. In several reported cases, victims lost all encrypted data—even after paying the ransom. This introduces a new level of risk and uncertainty, removing any remaining incentive to negotiate with the attackers.

Infection Vector: Spear Phishing With Precision

Anubis campaigns typically begin with spear-phishing emails that appear to originate from trusted entities. These messages contain malicious attachments or links that, when opened, download the Anubis payload.

On Android devices, Anubis behaves like a classic banking trojan. It deploys phishing overlays that mimic legitimate apps, capturing login credentials for banking, email, and cloud platforms. The malware also performs screen recording, keylogging, and SMS propagation, enabling it to self-replicate and further its reach across victims’ networks.

Technical Capabilities: Execution and Persistence

Anubis exhibits advanced technical capabilities across both platforms, with highly configurable execution options. Attackers can tailor the malware's behavior using parameters such as:

  • /KEY= – Encryption key for file locking

  • /elevated – Runs the malware with elevated privileges

  • /PATH= and /PFAD= – Target specific directories or file paths

  • /WIPEMODE – Enables destructive data wiping

On Windows systems, Anubis uses Elliptic Curve Integrated Encryption Scheme (ECIES) for file encryption, providing robust cryptographic strength that resists traditional decryption attempts.

To maximize damage, it deletes Volume Shadow Copies, stops key system services, and escalates privileges using token manipulation—effectively eliminating standard recovery paths and backup options.

Conclusion: A Critical Threat Demanding Urgent Attention

Anubis is more than just another ransomware variant. It reflects a growing trend of hybrid malware, combining multiple attack techniques into a single, devastating package. With its ability to simultaneously steal credentials, encrypt data, and destroy recovery options, Anubis raises the stakes for businesses, individuals, and cybersecurity teams alike.

Organizations must enhance their email security, endpoint defenses, and employee awareness training to defend against such multi-pronged attacks. Regular backups, incident response planning, and up-to-date threat intelligence remain essential to navigating this increasingly hostile digital landscape.

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more