LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Anubis

Anubis Ransomware: Group Profile

Anubis is a Go-based ransomware-as-a-service operation that emerged in November 2024 and has focused aggressively on healthcare targets, deploying a novel pressure tactic: threatening to notify data protection regulators unless victims pay. Active into 2026 with 35+ claimed victims including 17 US healthcare organisations.

By Ransomware Tracker ·
AnubisRaaShealthcareHIPAAICOregulatory pressuredouble extortionGoinitial access brokers
Threat Level
8/10
Sectors Targeted
healthcare
finance
government
Ransomware Family
Anubis

Overview

Anubis is a ransomware-as-a-service operation that surfaced in November 2024 and has grown to become one of the more active threats to healthcare organisations in 2026. The group is distinguished less by technical sophistication than by a novel extortion tactic: alongside the standard data leak threat, Anubis explicitly threatens to notify data protection regulators — HHS OCR under HIPAA for US targets, the ICO for UK organisations, and relevant national data protection authorities for EU victims — if the ransom is not paid.

The tactic transforms the extortion dynamic from a bilateral negotiation into a three-party problem where the regulator becomes an involuntary amplifier of pressure. For healthcare organisations already under intense regulatory scrutiny following high-profile incidents in 2024 and 2025, the threat carries real weight.

Technical Profile

AttributeDetail
Encryptor languageGo (Golang)
Encrypted extension.anubis
Encryption schemeAES-256-CTR (per-file key), RSA-4096 (key encapsulation)
Platform supportWindows, Linux
Shadow copy deletionYes — vssadmin.exe delete shadows
Network share encryptionYes
Data exfiltration toolrclone, custom tooling
Ransom notePer-directory drop with victim ID and regulatory threat language

The Go encryptor produces statically linked binaries, consistent with the broader ecosystem shift toward Go and Rust for ransomware development. The encryption implementation is functional and standard; there are no known weaknesses in the cryptographic implementation that would enable decryption without payment.

Affiliate Model

TermDetail
Standard split80% affiliate / 20% core team
Data-theft-only split60% affiliate / 40% core team
Affiliate portalWeb-based panel with victim management, encryptor builder
RecruitmentDark web forums; experienced affiliates preferred

The data-theft-only tier — where affiliates run exfiltration without deploying the encryptor — is an unusual offering. It reflects the group’s assessment that the regulatory notification threat is independently valuable even without encryption pressure, particularly against healthcare organisations with resilient backup infrastructure.

Victim Profile

2026 activity:

  • 35+ claimed victims as of July 2026
  • 17 confirmed US healthcare organisations
  • Additional victims in financial services, legal, and local government

Targeting rationale: Healthcare prioritisation is deliberate. Protected health information creates HIPAA regulatory exposure that is specifically threatened in ransom communications. Hospital networks and outpatient care providers also tend to have strong operational pressure to restore systems quickly and lower incident response maturity than financial services firms.

Geography: Primarily North America (US, Canada), with secondary activity in UK and EU — jurisdictions where GDPR/UK GDPR creates equivalent regulatory pressure to HIPAA.

Initial Access Methods

Anubis affiliates use multiple initial access vectors:

  • Credential theft / phishing: Spearphishing delivering credential stealers or directing to fake M365 login pages, providing VPN or email access
  • Initial access broker purchases: Pre-obtained network access purchased from IAB marketplaces
  • Vulnerability exploitation: VPN appliance exploitation (Cisco ASA, Fortinet FortiGate, Ivanti), Citrix Netscaler, RDS
  • RMM compromise: At least two incidents involved entry through compromised RMM tools at third-party IT providers

Post-Intrusion TTPs

PhaseTechniques
DiscoveryADFind, BloodHound/SharpHound, network scanning
Credential accessLSASS dump (ProcDump, Mimikatz), DCSync, browser credential extraction
Lateral movementPsExec, WMI, RDP
PersistenceScheduled tasks, service creation, domain account manipulation
Exfiltrationrclone to Mega.nz or attacker-controlled cloud storage
Defence evasionEDR tampering via driver-based killers, Windows Defender disablement
ExecutionDomain-wide via PsExec or Group Policy, timed for off-hours

Regulatory Pressure Mechanism

Anubis’s communications to non-paying victims include explicit language notifying them that the group will contact the relevant regulatory authority with:

  1. A description of the data categories exfiltrated
  2. The number of individuals whose data was affected
  3. Evidence of the organisation’s breach awareness (the ransom communication itself)
  4. A claim that the statutory notification deadline has elapsed

The regulatory threat is most effective when the victim has not already assessed their notification obligations independently. Legal counsel with HIPAA or GDPR expertise should be part of IR retainer arrangements for organisations in targeted sectors — the regulatory dimension cannot be addressed by the technical IR team alone.

Known Infrastructure

  • Tor-based leak site with multi-stage victim listing (contacted → deadline → published)
  • Negotiation portal accessible via unique per-victim Tor URL in ransom note
  • Data exfiltration to Mega.nz in documented incidents

Detection and Response

For organisations responding to a suspected Anubis incident:

  • Isolate affected systems immediately — exfiltration and encryption may be concurrent
  • Preserve all logs from the initial access period (VPN, email, RMM audit trails) for regulatory purposes
  • Contact legal counsel before engaging with ransom demands — regulatory notification obligations must be assessed independently of payment decisions
  • Assume API keys and cloud credentials stored on affected systems are compromised — rotate before investigation concludes

For organisations assessing preventive posture:

  • Patch VPN appliances promptly; Anubis affiliates exploit known CVEs in Cisco ASA, Fortinet, and Ivanti products
  • Enforce MFA on all remote access — credential theft is the primary initial access path
  • Isolate backup infrastructure from domain admin accounts — Anubis affiliates target backup servers
  • Review third-party IT provider RMM security posture as a supply chain risk

Status

Active and expanding. Affiliate recruitment is ongoing. No law enforcement action specifically targeting Anubis has been publicly announced as of July 2026.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting