The Anubis ransomware-as-a-service (RaaS) operation has added to its file-encrypting malware a
wiper module that destroys targeted files, making recovery impossible even if the ransom is paid.
The researchers found the wiper in the latest Anubis samples they dissected, and believe the feature was introduced to
increase the pressure on victims to pay quickly instead of stalling negotiations or ignoring them altogether.
When activated, the wiper erases all file contents, reducing their sizes to 0 KB while keeping the filenames and structure intact.
The victim will still see all files in the expected directories, but their contents will be irreversibly destroyed, making recovery impossible.
The ransomware removes Volume Shadow Copies and terminates processes and services that could interfere with the encryption process.
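Because the wiper leaves filenames and directory structure intact and only drops file sizes to zero, comparing a stored size manifest against the current tree exposes it. The following is an added example, not code from the researchers or the original article; the function names, the 50% threshold, the minimum file count and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file's path (relative to root) to its size in bytes."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                sizes[os.path.relpath(full, root)] = os.path.getsize(full)
    return sizes


def zeroed_since(baseline, current):
    """Paths that kept their name but went from non-empty to 0 bytes."""
    return sorted(p for p, old in baseline.items()
                  if old > 0 and current.get(p) == 0)


def wipe_suspected(baseline, current, threshold=0.5, min_files=5):
    """True when a large share of previously non-empty files are now empty."""
    had_data = [p for p, old in baseline.items() if old > 0]
    if len(had_data) < min_files:
        return False  # too few files to judge (assumed cut-off)
    return len(zeroed_since(baseline, current)) / len(had_data) >= threshold


def demo():
    """Constructed sample tree: six documents plus one legitimately empty file."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root, "finance")
        docs.mkdir()
        for i in range(6):
            (docs / f"report{i}.xlsx").write_bytes(b"constructed sample data")
        (docs / ".keep").write_bytes(b"")  # empty before and after, never flagged
        before = snapshot(root)
        for i in range(5):  # reproduce the end state described: same names, 0 bytes
            (docs / f"report{i}.xlsx").write_bytes(b"")
        after = snapshot(root)
        return zeroed_since(before, after), wipe_suspected(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would come from a backup catalogue or a file-integrity monitoring store kept off the monitored host, so that it survives the incident.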