
Anubis RaaS: When Ransomware Weaponizes the Regulator — A Direct Threat to Saudi Financial Institutions

Anubis ransomware doesn't just encrypt your data — it threatens to report you to your own regulator. Here's why SAMA-regulated institutions face a uniquely dangerous exposure and what your SOC must do now.

FyntraLink Team

A ransomware group has crossed a line that most threat actors have not dared to cross: Anubis RaaS does not simply encrypt your systems and demand payment — it threatens to file formal complaints with financial regulators, data protection authorities, and sector oversight bodies unless victims pay within its deadline. For SAMA-regulated banks and financial institutions in Saudi Arabia, this is not a theoretical scenario. It is an operational threat that arrived in full force during April 2026.

What Is Anubis — and Why It Is Different From Every Other RaaS Group

Anubis emerged as a ransomware-as-a-service operation in late 2024 and quickly distinguished itself through a multi-layered monetization model that goes far beyond traditional double extortion. Where most ransomware affiliates encrypt data and threaten to leak it, Anubis operates three parallel revenue channels simultaneously. First, affiliates deploy the ransomware encryptor and demand a decryption ransom, keeping roughly 80% of proceeds. Second, stolen data is monetized through a standalone extortion program, independent of whether encryption was ever deployed. Third, affiliates can sell compromised network access directly through an access brokerage channel — meaning an Anubis affiliate may sell your bank's credentials to a second threat actor before the first ransom conversation even begins.

The group's technical capabilities compound the pressure. Anubis includes an optional wipe mode that permanently zeroes out file contents while leaving filenames visible — an act of deliberate psychological warfare. Files appear to exist but are irrecoverable. This means organizations that decline to pay face not just lost data, but provably destroyed data, with forensic evidence preserved on disk to demonstrate the loss.

The Regulatory Extortion Innovation

The feature that distinguishes Anubis from every predecessor is its explicit threat to notify regulatory bodies. In documented cases, Anubis has threatened to report victims to the UK Information Commissioner's Office (ICO), the U.S. Department of Health and Human Services (HHS), the European Data Protection Board (EDPB), Canada's Office of the Privacy Commissioner (OPC), and Australia's Office of the Information Commissioner (AOIC). The tactic is methodical: the group calculates that the reputational and financial consequences of a regulatory breach notification often exceed the ransom demand itself, creating asymmetric leverage that organizations in heavily regulated sectors find difficult to resist.

For a SAMA-regulated bank in Saudi Arabia, this calculation is acutely painful. A confirmed breach of customer financial data triggers mandatory notification obligations under SAMA's Cyber Security Framework (SAMA CSCC), NCA's Essential Cybersecurity Controls (ECC-1:2018), and the Personal Data Protection Law (PDPL). Non-compliance with notification timelines carries administrative penalties. Notification itself can trigger depositor concerns, counterparty scrutiny, and reputational damage that dwarfs the cost of a ransom. Anubis has effectively turned the regulatory environment that protects customers into a weapon against the institutions that serve them.

Attack Chain and Entry Vectors Used by Anubis Affiliates

Anubis affiliates do not rely on a single intrusion method. Observed entry vectors include exploitation of unpatched edge devices (VPNs, firewalls, remote desktop gateways), phishing campaigns delivering initial access loaders, and purchased access from prior breaches — the group's own access brokerage channel creates a recursive supply loop. Once inside, affiliates conduct extended dwell periods averaging 14 to 21 days, mapping Active Directory, exfiltrating data via encrypted channels to Anubis-controlled infrastructure, and staging the encryptor payload for maximum impact deployment. In the Signature Healthcare attack of April 2026, electronic medical records went offline, appointments were cancelled, chemotherapy infusions were postponed, and ambulances were diverted — all within hours of the encryptor triggering. Critically, Anubis publicly stated it did not encrypt systems in that incident; the disruption was caused entirely by the victim organization's own containment response to the data theft, illustrating that encryption is no longer required to cause operational paralysis.

Implications for Saudi Financial Institutions Under SAMA CSCC and PDPL

SAMA's Cyber Security Framework requires member organizations to maintain documented incident response plans (Domain 3.3), implement data loss prevention controls (Domain 3.6), and demonstrate cyber resilience capabilities including tested backup and recovery procedures (Domain 3.7). NCA's ECC framework similarly mandates logging, monitoring, and defined response timeframes. Against an Anubis-style attack, several gaps commonly observed in Saudi financial institutions become critical failure points. Organizations that have not segmented their data environment risk losing customer financial records, transaction histories, and identity data in a single lateral movement. Institutions that have not tested their incident response runbooks under a data-exfiltration-without-encryption scenario — which is precisely how Anubis operated in healthcare — will discover response gaps only after the attacker has already notified the press and the regulator. Under PDPL, any breach affecting personal data of Saudi residents must be reported to the Saudi Data & AI Authority (SDAIA) within a defined window. Failure to self-report while an adversary threatens to do so on your behalf creates a compliance scenario with no clean exit.

Tactical Recommendations for Saudi Financial CISOs

  1. Activate data exfiltration detection immediately. Deploy or tune DLP and network detection and response (NDR) tools to alert on large-volume outbound data transfers over encrypted channels — particularly to cloud storage endpoints, MEGA, and Tor exit nodes favored by Anubis affiliates. Tools such as Zeek, Suricata, or commercial NDR platforms from Darktrace and Vectra can detect command-and-control beaconing consistent with Anubis infrastructure.
  2. Run a tabletop exercise focused on regulatory extortion. Your IR plan almost certainly covers encryption. It likely does not cover the scenario where an adversary threatens to notify SAMA, NCA, or SDAIA before you do. Rehearse the decision tree: Who authorizes voluntary self-disclosure? What is your communications posture when a threat actor publishes a leak timer? This is a legal and reputational decision, not just a technical one.
  3. Audit your backup architecture for exfiltration exposure. Anubis's wipe mode makes unprotected backups your last line of defense — but backup servers are often targeted first during dwell periods. Ensure backups are stored in isolated, append-only storage with no network reachability from production environments. Test restoration time against your SAMA RTO/RPO obligations.
  4. Map your PDPL notification obligations to your incident response SLA. Establish the exact clock-start conditions that trigger PDPL reporting requirements. Pre-draft notification templates. Identify your legal counsel, your SAMA relationship manager, and your SDAIA contact before an incident, not during one.
  5. Validate third-party and supply chain access controls. Anubis affiliates frequently enter through vendor access. Review all third-party connections with privileged access to your environment. Apply the principle of least privilege, enforce MFA on every vendor-facing gateway, and ensure vendor contracts include mandatory breach notification obligations aligned to your own regulatory deadlines.
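As an added illustration of the first recommendation (example code written for this page, not Fyntralink's tooling or any NDR product's logic), the following Python aggregates bytes sent by internal hosts to external addresses from Zeek-style conn.log records and flags any host whose outbound volume exceeds a threshold within a one-hour window. The sample log lines, the RFC 1918 ranges used as "internal", and the 1 GB threshold are constructed assumptions to be tuned to the institution's own baseline.

```python
"""Detect large-volume outbound transfers (exfiltration candidates) from
Zeek-style conn.log records. Added example; the sample log lines are constructed."""
import ipaddress
from collections import defaultdict

# Column subset (constructed): ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p,
# proto, service, duration, orig_bytes, resp_bytes. Zeek writes "-" for unset.
SAMPLE_CONN_LOG = """\
1700000000.0\t10.20.1.15\t51234\t203.0.113.10\t443\ttcp\tssl\t900.0\t6500000000\t120000
1700000300.0\t10.20.1.15\t51240\t203.0.113.10\t443\ttcp\tssl\t800.0\t4200000000\t98000
1700000100.0\t10.20.1.42\t50222\t198.51.100.7\t443\ttcp\tssl\t12.0\t48000\t310000
1700000200.0\t10.20.1.42\t50230\t10.20.5.9\t445\ttcp\t-\t30.0\t900000000\t1000
1700000400.0\t10.20.1.77\t49001\t192.0.2.33\t443\ttcp\tssl\t60.0\t-\t90000
"""

FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes"]
# Assumption: RFC 1918 ranges stand in for the institution's own address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_conn_log(text):
    """Parse TSV lines into dicts; '-' (unset) byte counters become 0."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        for k in ("orig_bytes", "resp_bytes"):
            rec[k] = 0 if rec[k] == "-" else int(rec[k])
        records.append(rec)
    return records

def flag_outbound_volume(records, threshold_bytes=1_000_000_000, window=3600):
    """Sum bytes each internal host sent to external destinations per time
    window; return {(host, window_start): bytes} for windows over threshold."""
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["orig_h"]) and not is_internal(r["resp_h"]):
            window_start = int(r["ts"] // window) * window
            totals[(r["orig_h"], window_start)] += r["orig_bytes"]
    return {key: b for key, b in totals.items() if b >= threshold_bytes}
```

Internal-to-internal traffic (such as the 900 MB SMB transfer in the sample) is deliberately excluded so the alert reflects data leaving the perimeter; lateral staging should be covered by a separate rule.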

Conclusion

Anubis represents a maturation in the ransomware threat landscape that demands a corresponding maturation in how Saudi financial institutions think about cyber resilience. The group has weaponized the very regulatory environment designed to protect customers and turned compliance obligations into leverage. The answer is not to pay — payment funds further attacks and creates no guarantee of non-disclosure. The answer is to build the detection, response, and governance capabilities that deny Anubis the leverage it depends on: fast detection that cuts dwell time, robust data classification that limits exfiltration scope, and a practiced response plan that puts you in control of your own regulatory narrative.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and evaluate your current posture against the Anubis threat model before it arrives at your perimeter.