Initial Access
Attackers commonly gain entry into targeted networks using spear-phishing campaigns that deliver malicious payloads disguised as legitimate business attachments or software installers. Additionally, affiliates frequently exploit exposed infrastructure assets, such as unpatched VPN or Remote Desktop Protocol (RDP) endpoints, or utilize compromised credentials purchased from dark web markets. To prevent these vulnerabilities from being exploited, continuous assessment of external assets is critical. Regular assessments via Penetration Testing can help identify these edge vulnerabilities and prevent unauthorized initial entry.
Execution and Privilege Escalation
Once inside the environment, the ANUBIS binary must be executed with a specific command-line argument containing a unique 30-plus character key (using the /KEY= parameter) to validate its execution. If this key is missing or incorrect, the payload terminates to prevent sandbox analysis. Once authorized, the malware attempts to escalate privileges. It uses access token manipulation to achieve SYSTEM-level access. If administrative rights are missing, it spawns interactive prompts or restarts itself using the /elevated parameter.
Evasion and Service Termination
To prevent active security agents from detecting the ransomware, the malware terminates critical local processes and services. It identifies and stops services associated with databases and enterprise backup infrastructure, such as SQLSERVERAGENT, VeeamTransportSvc, and BackupExecAgentBrowser. Additionally, the ransomware invokes command-line processes to permanently delete Windows Volume Shadow Copies, preventing simple system restoration:
vssadmin delete shadows /for=norealvolume /all /quiet
Cryptographic Impact and the WIPEMODE Trigger
ANUBIS employs the Elliptic Curve Integrated Encryption Scheme (ECIES) to encrypt files, relying on Go-based cryptographic libraries. After encryption, the extension .anubis or .anb is appended to the files, the system desktop wallpaper is changed to a localized image asset (wall.jpg), and a custom icon (icon.ico) is assigned to the encrypted files. A ransom note titled RESTORE FILES.html is dropped across affected directories.
A highly concerning element of the ANUBIS binary is its support for the /WIPEMODE parameter. When launched with this parameter, the malware switches from standard encryption to a destructive wiping phase. It permanently overwrites the contents of targeted files and truncates their sizes to 0 KB while preserving the overall directory tree. This makes any form of cryptographic recovery impossible, functioning as a pure wiper tool to exert maximum psychological pressure during negotiations.