Overview
Anubis is a ransomware-as-a-service operation that surfaced in November 2024 and has grown to become one of the more active threats to healthcare organisations in 2026. The group is distinguished less by technical sophistication than by a novel extortion tactic: alongside the standard data leak threat, Anubis explicitly threatens to notify data protection regulators — HHS OCR under HIPAA for US targets, the ICO for UK organisations, and relevant national data protection authorities for EU victims — if the ransom is not paid.
The tactic transforms the extortion dynamic from a bilateral negotiation into a three-party problem where the regulator becomes an involuntary amplifier of pressure. For healthcare organisations already under intense regulatory scrutiny following high-profile incidents in 2024 and 2025, the threat carries real weight.
Technical Profile
| Attribute | Detail |
|---|---|
| Encryptor language | Go (Golang) |
| Encrypted extension | .anubis |
| Encryption scheme | AES-256-CTR (per-file key), RSA-4096 (key encapsulation) |
| Platform support | Windows, Linux |
| Shadow copy deletion | Yes — vssadmin.exe delete shadows |
| Network share encryption | Yes |
| Data exfiltration tool | rclone, custom tooling |
| Ransom note | Per-directory drop with victim ID and regulatory threat language |
The Go encryptor produces statically linked binaries, consistent with the broader ecosystem shift toward Go and Rust for ransomware development. The encryption implementation is functional and standard; there are no known weaknesses in the cryptographic implementation that would enable decryption without payment.
Affiliate Model
| Term | Detail |
|---|---|
| Standard split | 80% affiliate / 20% core team |
| Data-theft-only split | 60% affiliate / 40% core team |
| Affiliate portal | Web-based panel with victim management, encryptor builder |
| Recruitment | Dark web forums; experienced affiliates preferred |
The data-theft-only tier — where affiliates run exfiltration without deploying the encryptor — is an unusual offering. It reflects the group’s assessment that the regulatory notification threat is independently valuable even without encryption pressure, particularly against healthcare organisations with resilient backup infrastructure.
Victim Profile
2026 activity:
- 35+ claimed victims as of July 2026
- 17 confirmed US healthcare organisations
- Additional victims in financial services, legal, and local government
Targeting rationale: Healthcare prioritisation is deliberate. Protected health information creates HIPAA regulatory exposure that is specifically threatened in ransom communications. Hospital networks and outpatient care providers also tend to have strong operational pressure to restore systems quickly and lower incident response maturity than financial services firms.
Geography: Primarily North America (US, Canada), with secondary activity in UK and EU — jurisdictions where GDPR/UK GDPR creates equivalent regulatory pressure to HIPAA.
Initial Access Methods
Anubis affiliates use multiple initial access vectors:
- Credential theft / phishing: Spearphishing delivering credential stealers or directing to fake M365 login pages, providing VPN or email access
- Initial access broker purchases: Pre-obtained network access purchased from IAB marketplaces
- Vulnerability exploitation: VPN appliance exploitation (Cisco ASA, Fortinet FortiGate, Ivanti), Citrix Netscaler, RDS
- RMM compromise: At least two incidents involved entry through compromised RMM tools at third-party IT providers
Post-Intrusion TTPs
| Phase | Techniques |
|---|---|
| Discovery | ADFind, BloodHound/SharpHound, network scanning |
| Credential access | LSASS dump (ProcDump, Mimikatz), DCSync, browser credential extraction |
| Lateral movement | PsExec, WMI, RDP |
| Persistence | Scheduled tasks, service creation, domain account manipulation |
| Exfiltration | rclone to Mega.nz or attacker-controlled cloud storage |
| Defence evasion | EDR tampering via driver-based killers, Windows Defender disablement |
| Execution | Domain-wide via PsExec or Group Policy, timed for off-hours |
Regulatory Pressure Mechanism
Anubis’s communications to non-paying victims include explicit language notifying them that the group will contact the relevant regulatory authority with:
- A description of the data categories exfiltrated
- The number of individuals whose data was affected
- Evidence of the organisation’s breach awareness (the ransom communication itself)
- A claim that the statutory notification deadline has elapsed
The regulatory threat is most effective when the victim has not already assessed their notification obligations independently. Legal counsel with HIPAA or GDPR expertise should be part of IR retainer arrangements for organisations in targeted sectors — the regulatory dimension cannot be addressed by the technical IR team alone.
Known Infrastructure
- Tor-based leak site with multi-stage victim listing (contacted → deadline → published)
- Negotiation portal accessible via unique per-victim Tor URL in ransom note
- Data exfiltration to Mega.nz in documented incidents
Detection and Response
For organisations responding to a suspected Anubis incident:
- Isolate affected systems immediately — exfiltration and encryption may be concurrent
- Preserve all logs from the initial access period (VPN, email, RMM audit trails) for regulatory purposes
- Contact legal counsel before engaging with ransom demands — regulatory notification obligations must be assessed independently of payment decisions
- Assume API keys and cloud credentials stored on affected systems are compromised — rotate before investigation concludes
For organisations assessing preventive posture:
- Patch VPN appliances promptly; Anubis affiliates exploit known CVEs in Cisco ASA, Fortinet, and Ivanti products
- Enforce MFA on all remote access — credential theft is the primary initial access path
- Isolate backup infrastructure from domain admin accounts — Anubis affiliates target backup servers
- Review third-party IT provider RMM security posture as a supply chain risk
Status
Active and expanding. Affiliate recruitment is ongoing. No law enforcement action specifically targeting Anubis has been publicly announced as of July 2026.