Anubis Ransomware Adds Wiper: Critical Risk to SAMA Banks

Anubis ransomware-as-a-service now includes a destructive wiper alongside double extortion, breaking the traditional ransomware bargain. Saudi banks must adapt SAMA CSCC defenses immediately.

FyntraLink Team

A new ransomware-as-a-service operation called Anubis has rewritten the playbook by embedding a destructive file wiper into its encryptor. For SAMA-regulated banks, the strategic implication is severe: paying the ransom no longer guarantees recovery, which forces a hard rethink of business continuity, backup integrity, and incident response readiness.

What Makes Anubis Ransomware Different

Anubis emerged in late 2024 and rapidly evolved from a conventional double-extortion crew into something more aggressive. Unlike most ransomware families that rely on the implicit promise of decryption to monetize victims, Anubis ships an optional /WIPEMODE parameter that permanently shreds file contents while keeping the original filenames and directory structure intact. The result is a victim who sees their data still "there" on disk, but every byte is irrecoverable. This destroys the classic ransomware bargain and pushes the threat into wiper-attack territory normally associated with state-sponsored sabotage.

The Affiliate Model and Monetization Paths

Anubis runs a flexible affiliate program with three monetization tracks: a standard 80% RaaS payout for full encryption operations, a 40% data-extortion-only path, and a 50% post-compromise extortion option. Initial access is overwhelmingly delivered through spear-phishing emails with weaponized attachments or links, typical Microsoft 365 credential-harvesting lures, and abuse of weak VPN or remote access exposures. Once inside, the operators run a directory enumeration pass with a hardcoded exclusion list to avoid corrupting Windows recovery components, then exfiltrate data before deciding whether to encrypt, wipe, or both.

Impact on Saudi Financial Institutions

For banks supervised under the SAMA Cyber Security Framework and the SAMA Cyber Security Control Catalogue (CSCC), an Anubis-style attack hits multiple control domains simultaneously. The wiper component directly threatens SAMA CSCC requirements around data integrity, backup and recovery, and incident response (the 3.3.10 through 3.3.13 control cluster). The double-extortion data-leak component triggers PDPL breach-notification obligations to the Saudi Data and Artificial Intelligence Authority within 72 hours, and parallel reporting duties under the NCA Essential Cybersecurity Controls (ECC-1:2018) for critical national infrastructure operators. The reputational damage to a Saudi bank that suffers irreversible customer data destruction would be catastrophic in a market where trust is the core franchise asset.

Defensive Recommendations for SAMA-Regulated Banks

  1. Validate immutable backups. Verify that backup repositories are protected by object-lock, air-gapped storage, or write-once technology so that an Anubis affiliate with domain admin cannot trigger the wiper against your last line of defense. Test full restoration of a tier-one banking application end-to-end at least quarterly, as required under SAMA CSCC backup management controls.
  2. Harden email and identity perimeters. Enforce phishing-resistant MFA (FIDO2 or certificate-based) for all administrative and remote access. Deploy DMARC at p=reject, enable Microsoft Defender for Office 365 Safe Links and Safe Attachments, and ensure your security awareness program includes simulated spear-phishing tied to financial themes relevant to Saudi staff.
  3. Segment privileged access. Implement a tiered administrative model with a Privileged Access Management (PAM) solution gating all Tier-0 operations. Anubis affiliates rely on lateral movement to reach file servers and backup infrastructure; flat networks accelerate the kill chain dramatically.
  4. Deploy EDR with behavioral wiper detection. Modern EDR platforms can flag mass file-overwrite patterns, shadow-copy deletion via vssadmin, and unusual writes to backup volumes. Tune detections specifically for the /WIPEMODE behavioral signature of large sequential overwrites with constant-byte patterns.
  5. Pre-stage incident response and regulatory communications. Maintain a SAMA-aligned incident playbook that includes pre-approved breach notification templates for SAMA, SDAIA (PDPL), and the National Cybersecurity Authority. Run tabletop exercises that explicitly model the "ransom paid but data wiped anyway" scenario.
  6. Conduct adversary-emulation testing. Engage qualified red teams to simulate Anubis TTPs end-to-end, from spear-phishing initial access through to attempted backup destruction, with realistic exfiltration of synthetic data. This validates the entire control chain rather than testing controls in isolation.
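To make recommendation 4 concrete, the following added example (not Fyntralink's code, and not derived from Anubis samples) shows the two detections described above run over constructed EDR telemetry: in-place rewrites of many files with a constant-byte pattern, and shadow-copy deletion through vssadmin. The event schema (`type`, `ts`, `pid`, `process`, `path`, `offset`, `length`, `sample`, `cmdline`) is a hypothetical stand-in for whatever your EDR exports.

```python
"""Behavioral wiper detection over file-write and process-start telemetry.
Added example with a hypothetical event schema; thresholds are illustrative."""
from collections import defaultdict

# Constructed sample telemetry: a benign document save, then one process rewriting
# 60 files from offset 0 with all-zero bytes (filenames preserved, contents shredded),
# and finally a shadow-copy deletion.
SAMPLE_EVENTS = [
    {"type": "file_write", "ts": 1, "pid": 410, "process": "winword.exe",
     "path": "C:\\loans\\a.docx", "offset": 0, "length": 2048, "sample": "504b0304"},
] + [
    {"type": "file_write", "ts": 10 + i, "pid": 777, "process": "svc.exe",
     "path": f"C:\\loans\\{i}.pdf", "offset": 0, "length": 65536, "sample": "00000000"}
    for i in range(60)
] + [
    {"type": "process_start", "ts": 80, "pid": 778, "process": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
]

def is_constant_pattern(sample_hex: str) -> bool:
    """True when every sampled byte has the same value (e.g. 00 00 00 00)."""
    raw = bytes.fromhex(sample_hex)
    return len(raw) > 0 and raw.count(raw[0]) == len(raw)

def detect_shadow_copy_deletion(events):
    """Flag vssadmin invocations whose command line deletes volume shadow copies."""
    hits = []
    for e in events:
        cmd = e.get("cmdline", "").lower()
        if (e.get("type") == "process_start" and e["process"].lower() == "vssadmin.exe"
                and "delete" in cmd and "shadows" in cmd):
            hits.append(e)
    return hits

def detect_mass_constant_overwrite(events, window_s=60, min_files=50):
    """Per process, count distinct files rewritten from offset 0 with constant bytes
    inside a sliding time window; alert once the count reaches min_files."""
    by_proc = defaultdict(list)
    for e in events:
        if e.get("type") == "file_write" and e["offset"] == 0 and is_constant_pattern(e["sample"]):
            by_proc[(e["pid"], e["process"])].append((e["ts"], e["path"]))
    alerts = []
    for (pid, name), writes in by_proc.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            window = {p for t, p in writes[i:] if t - t0 <= window_s}
            if len(window) >= min_files:
                alerts.append({"pid": pid, "process": name, "files": len(window), "start_ts": t0})
                break  # one alert per process is enough for triage
    return alerts
```

Tune `window_s` and `min_files` against a baseline of legitimate bulk writers (backup agents, archive tools) before enabling blocking actions.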

Conclusion

Anubis represents a meaningful evolution in the ransomware threat landscape: when destruction becomes a monetization lever rather than just a threat, traditional ransom-payment risk transfer collapses. Saudi banks operating under SAMA, NCA, and PDPL obligations cannot afford to wait for a Saudi-specific Anubis incident before adjusting controls. The defensive playbook is well understood — immutable backups, phishing-resistant MFA, network segmentation, behavioral EDR, and tested incident response — but the urgency has materially increased.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted ransomware-resilience review aligned to your current control baseline.