Wednesday, June 25, 2025

New Ransomware Group ‘Anubis’ Targets Critical Industrial Sectors with Double Extortion Tactics

A newly emerged ransomware group, Anubis, is making waves in the cybercrime ecosystem with an aggressive combination of double extortion, ransomware-as-a-service (RaaS), and affiliate-based operations. The group’s strategic focus on critical industrial sectors suggests a calculated approach aimed at maximizing ransom payouts while causing significant operational disruptions.

Healthcare, Engineering, and Construction Firms in the Crosshairs

Anubis is already racking up victims across multiple industries. Among the most notable are:

  • Pound Road Medical Centre (Australia) – A healthcare provider hit with data theft and encryption tactics.
  • Summit Home Health (Canada) – Another medical company, reinforcing Anubis’ interest in healthcare-related targets.
  • Comercializadora S&E Perú (Peru) – An engineering and construction firm, indicating a broader industrial focus.
  • Unidentified US-based Engineering Firm – The latest addition to the group’s victim list, further underscoring its intent to target infrastructure-related businesses.

This pattern of attacks suggests Anubis is methodically going after industries where operational downtime could have severe financial and reputational consequences. The more critical the industry, the higher the likelihood of ransom payment—an established tactic used by top-tier ransomware groups.

Ransomware-as-a-Service and the Rise of Anubis

Anubis first appeared in late 2024, according to threat intelligence firm KELA. Unlike traditional ransomware groups that operate as close-knit units, Anubis follows the Ransomware-as-a-Service (RaaS) model, where it provides malicious tools to affiliates in exchange for a percentage of the ransom profits. This approach allows it to scale its operations quickly by attracting cybercriminals with varying levels of expertise.

Its business model thrives on:

  • Affiliate recruitment – Outsourcing attacks to cybercriminals who pay for access to Anubis’ ransomware tools.
  • Double extortion tactics – Encrypting victim data while simultaneously threatening to leak stolen files unless a ransom is paid.
  • Active presence in underground forums – Engaging with cybercriminal communities on RAMP and XSS forums using aliases like “supersonic” and “Anubis_ _ media.”

Russian-Speaking Operators Raise Concerns

Anubis’ online activity provides clues about its origins. Posts from its representatives on dark web forums are written in Russian, suggesting a strong connection to Russian-speaking cybercrime circles. This aligns with the broader trend of ransomware groups operating from the region, where law enforcement crackdowns have been historically limited.

KELA researchers suspect that former affiliates of other ransomware gangs might be involved in Anubis’ operations. This theory stems from both the group’s sophisticated techniques and its rapid rise—both characteristics commonly associated with cybercriminals who have prior experience with high-profile ransomware campaigns.

What’s Next? The Growing Threat of Industrial Ransomware Attacks

Anubis’ emergence highlights an ongoing shift in ransomware targeting strategies. While many cybercriminals previously focused on smaller businesses with weaker defenses, groups like Anubis are now prioritizing high-stakes targets in healthcare, engineering, and construction. This shift indicates:

  • Increased financial pressure on victims – Sectors like healthcare cannot afford prolonged downtime, making them more likely to pay ransoms.
  • More sophisticated attack methods – The use of RaaS means that attacks will likely become more widespread as affiliates join the operation.
  • Potential geopolitical implications – The Russian-speaking nature of Anubis’ operators raises concerns about state protection or indirect support.

With new ransomware groups constantly emerging, security professionals and businesses must remain vigilant. Organizations in critical sectors should strengthen their cybersecurity defenses, implement robust backup strategies, and monitor underground cybercrime forums for early warning signs of potential threats.

Harper Jones
Harper is an experienced content writer specializing in technology with expertise in simplifying complex technical concepts into easily understandable language. He has written for prestigious publications and online platforms, providing expert analysis on the latest technology trends, making his writing popular amongst readers.
