Anubis Ransomware Attacking Android and Windows Users to Encrypt Files and Steal Login Credentials

A sophisticated new ransomware threat has emerged from the cybercriminal underground, targeting both Android and Windows platforms with dual capabilities that extend far beyond traditional file encryption.

Anubis ransomware, first identified in November 2024, represents a concerning evolution in malware design, combining the destructive power of ransomware with the credential-stealing techniques of banking trojans.

This cross-platform threat has rapidly established itself as a significant concern for cybersecurity professionals worldwide.

The malware’s emergence coincides with an alarming surge in ransomware activity globally. According to recent threat intelligence data, ransomware victims publicly listed on leak sites have increased by nearly 25%, while the number of leak sites operated by ransomware groups has grown by 53%.

Anubis has contributed to these statistics through its aggressive targeting of critical infrastructure and high-value organizations across healthcare, construction, and professional services sectors.

Bitsight researchers identified Anubis as a particularly dangerous threat due to its sophisticated dual-platform approach and destructive capabilities.

The ransomware group, observed communicating in Russian on dark web forums, has implemented a distinctive Ransomware-as-a-Service model with flexible affiliate payment structures.

What sets Anubis apart from other ransomware families is its incorporation of permanent data deletion capabilities, with some victims reporting complete data loss even after ransom payments were made.

The malware’s attack methodology begins with carefully crafted spear-phishing campaigns that deliver malicious payloads through trusted-appearing email communications.

On Android devices, Anubis functions primarily as a banking trojan, deploying phishing overlays that mimic legitimate application interfaces to harvest user credentials.

The malware simultaneously conducts screen recording and keylogging operations to capture sensitive authentication data, while propagating itself through the victim’s contact list via mass SMS distribution.

Advanced Execution and Persistence Mechanisms

Anubis demonstrates sophisticated technical capabilities in its execution phase, particularly through its use of configurable command-line parameters that enable threat actors to customize attack scenarios.

The malware employs specific command parameters including /KEY=, /elevated, /PATH=, /PFAD=, and /WIPEMODE, allowing operators to control encryption processes, privilege escalation, target directories, and destructive wiping functionality.

On Windows systems, the ransomware implements the Elliptic Curve Integrated Encryption Scheme (ECIES) for file encryption, providing robust cryptographic protection that makes unauthorized decryption extremely difficult.

The malware systematically eliminates recovery options by deleting Volume Shadow Copies and terminating critical system services, while simultaneously escalating privileges through access token manipulation techniques.

This multi-layered approach ensures maximum impact while preventing victims from utilizing standard recovery mechanisms, forcing organizations into difficult decisions regarding ransom payment versus permanent data loss.

Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches