
In the ever-changing landscape of cybersecurity threats, a new and increasingly alarming business model has emerged on the dark web. Anubis, an affiliate program discovered by F6’s Threat Intelligence team, represents a significant shift in how cybercriminals are monetizing their hacks. Unlike traditional ransomware attacks that demand payment for the decryption of locked data, Anubis offers something new and even more sinister: "Data Ransom." This innovative blackmail scheme targets companies by exploiting sensitive data, without immediately using ransomware encryption. Instead, Anubis separates the process of stealing data from the ransom negotiation itself, creating a dangerous new weapon for cybercriminals.
The Birth of Anubis: A New Affiliate Program
Anubis operates under the familiar Ransomware as a Service (RaaS) model, where cybercriminals (referred to as partners) can rent malware for a share of the ransom proceeds. However, Anubis diverges from traditional ransomware programs by introducing a unique business model. The initial offering within Anubis mirrors standard RaaS schemes: partners are given a specially crafted encryption tool that they can deploy to lock victims' files and demand a ransom. This is the typical ransomware business model that has plagued organizations globally for years.
But it’s Anubis’ second offering, the "Data Ransom" service, that is causing alarm in the cybersecurity community.
Data Ransom: The New Blackmail Service
The Data Ransom model takes a different approach. Instead of relying on encryption to hold a company’s data hostage, cybercriminals who have already infiltrated a company’s network and stolen sensitive information can pass that data to Anubis. The program then facilitates negotiations for a ransom with the targeted company. This separation of the hacking and blackmail stages provides new opportunities for cybercriminals and adds an extra layer of complexity for victims.
The key feature of the Data Ransom model is the arsenal of pressure tactics that Anubis offers to its partners. Rather than immediately demanding money for data decryption, the Anubis program allows hackers to apply considerable pressure on the victim organization by leveraging the stolen data. These tactics include:
- Notifying the company's business partners
- Informing customers
- Alerting regulatory authorities about the breach
- Disclosing the data on social media platforms
By creating a system where the negotiation and extortion of victims are outsourced to Anubis, hackers can continue their operations with fewer risks and greater profits.
The Economic Structure of Anubis
The financial model behind Anubis follows the well-established practices of RaaS programs, where the malware developers take a cut of the ransom payments. In the traditional RaaS model, the partner who uses the malware to launch an attack receives the lion’s share of the ransom—usually around 80%. The remaining 20% goes to the creator of the ransomware.
In Anubis’ Data Ransom model, the financial split is slightly different. Here, the partner who provides the access to the target company receives 60% of the ransom, while Anubis retains 40%. This change reflects the added value of having a dedicated team handling the ransom negotiations and the leverage of using stolen data as a bargaining tool.
However, there are significant restrictions placed on partners. For instance, the program explicitly prohibits attacks against:
- Countries that were once part of the Commonwealth of Independent States (CIS)
- The BRICS nations (Brazil, Russia, India, China, and South Africa)
This restriction, while rare in other blackmail programs, indicates that the Anubis operators are trying to avoid targeting politically sensitive regions or nations with advanced cybersecurity capabilities.
The Evolution of Anubis: A Link to InvaderX
F6 analysts believe that Anubis may be the next evolution of the InvaderX partner program, another dark web service that had operated under a similar RaaS model. Several clues suggest a connection between the two programs, including the use of the same encryption scheme: ECIES (Elliptic Curve Integrated Encryption Scheme). This encryption method is relatively rare in ransomware attacks, and its use in both programs suggests that Anubis could be a rebranded or upgraded version of InvaderX.
Another similarity is the prohibition against targeting BRICS nations, which is an uncommon feature in most dark web affiliate programs. Moreover, the InvaderX program had ceased activity in late 2024, while the Anubis program only emerged in early 2025, with a new user—known as superSonic—registering on the forums and introducing Anubis as its flagship offering.
The fact that participants in the Anubis program have already begun to leak data from at least four companies in the U.S., Australia, and Peru is a concerning development. These leaks, which occurred shortly after the program's launch, highlight the real-world implications of Anubis' existence and its potential for widespread damage.
Anubis and the Changing Landscape of Cybersecurity
The introduction of Data Ransom represents a chilling evolution in the world of cybercrime. Traditional ransomware attacks have been devastating for organizations, with cybercriminals demanding hefty sums for the return of encrypted data. However, with Data Ransom, the extortion is not tied to the release of encrypted files, but to the threat of exposing sensitive data to the public and various stakeholders.
This shift in the cybercriminal ecosystem poses significant challenges for cybersecurity professionals and companies alike. With the growing sophistication of ransomware and data extortion schemes like Anubis, it is becoming increasingly difficult for organizations to defend against these threats. Not only must they safeguard their networks from initial breaches, but they must also develop comprehensive response strategies for managing the fallout if and when their data is stolen and exposed.
As organizations grapple with these evolving threats, it is crucial to stay informed about the latest developments in cybercrime and bolster defenses against these emerging tactics. This includes:
- Implementing strong cybersecurity measures
- Conducting regular security audits
- Educating employees about phishing and social engineering attacks
- Preparing incident response plans for potential data breaches
Conclusion: The Need for Vigilance and Adaptability
Anubis represents a new breed of cybercrime that combines the traditional ransomware model with new, more complex tactics. By outsourcing the ransom negotiation process and leveraging stolen data, Anubis offers cybercriminals a more flexible and potentially more profitable approach to extortion. Organizations must be aware of these developments and remain vigilant in defending against these evolving threats.
As the cybercrime landscape continues to shift, only those who adapt and strengthen their defenses will be able to safeguard their data and their reputation in an increasingly hostile digital world.