Anubis and the Death of Data A New Era of Ransomware Operations

Anubis and the Death of Data: A New Era of Ransomware Operations

Ransomware trends and the emergence of Anubis.

Ransomware activity continues to increase, and Bitsight data illustrates the scale of this growth. In our State of the Underground 2025 report, Bitsight TRACE observed a nearly 25% rise in unique ransomware victims publicly listed on leak sites. Additionally, the number of leak sites operated by ransomware groups grew by 53%. These trends reinforce ransomware’s ongoing role as a primary method for financially motivated threat actors to extract payments from targeted organizations, due in part to its speed, reach, and impact.

Anubis Overview

Anubis is a relatively recent addition to the ransomware ecosystem, first identified in November 2024. While they have not been attributed to any region, security researchers have observed the group speaking in Russian on dark web forums. Despite its short time in operation, the group has established a notable presence, particularly through its attacks on critical infrastructure. This focus on high-value targets has contributed to its visibility within both cybercriminal networks and the broader cybersecurity community.

The group has implemented a distinctive affiliate payment structure. Anubis offers multiple monetization models to accommodate varying levels of affiliate involvement. In the standard Ransomware-as-a-Service (RaaS) model, affiliates retain 80% of the ransom, with the remaining 20% allocated to Anubis for providing tooling and infrastructure. For operations that include data theft before extortion, Anubis supports the pressure campaign and collects 40% of the proceeds. In cases where the group provides direct assistance during the post-compromise extortion process, such as managing negotiations, revenue is split evenly between Anubis and the affiliate.

To read the complete article, see: Bitsight Blog