What makes the ANUBIS ransomware group particularly dangerous?

ANUBIS represents a critical threat because it operates a dual-threat RaaS model. Beyond standard ECIES-based encryption, the malware includes a dedicated wiping capability (/WIPEMODE). When this argument is executed, the malware permanently overwrites files to 0 KB, rendering recovery mathematically impossible even if a ransom is paid. This extreme mechanism is used to force compliance during extortion negotiations.

How can organizations detect ANUBIS activities before encryption begins?

Security teams can monitor for specific indicators of compromise (IoCs), such as the deletion of Volume Shadow Copies via vssadmin commands, and process creation events matching the signature Go-based command parameters (/KEY=, /WIPEMODE, and /elevated). Additionally, monitoring for high-volume outbound data flows to unauthorized cloud storage providers can help intercept the exfiltration stage before the ransomware payload is detonated.

Back to Threat Intelligence

ransomwarehigh

ANUBIS Ransomware Threat: Inside the Quest Health Attack

ANUBIS ransomware has targeted Quest Health Solutions, exfiltrating 239 GB of sensitive operational data. Operating under a dual-threat encryption and wiping model, this Go-based malware poses severe risks to healthcare infrastructure. Explore the technical attack chain, SIEM detection rules, and containment steps.

Published: June 25, 2026Source date: June 24, 2026Check your domain

ANUBIS Ransomware Threat: Inside the Quest Health Attack

Key Takeaways

The ANUBIS ransomware group targeted Quest Health Solutions, exfiltrating 239 GB of sensitive data with a 2-3 day publication deadline.
ANUBIS utilizes a unique /WIPEMODE parameter that permanently destroys data by overwriting files to 0 KB, eliminating decryption recovery paths.
The Go-based threat actor terminates database and backup services like Veeam and SQLSERVERAGENT, and clears Volume Shadow Copies using vssadmin.

Original source screenshot for ANUBIS Ransomware Threat: Inside the Quest Health Attack — Original source screenshot - om6q4a6cyipxvt7ioudxt24cw4oqu4yodmqzl25mqd2hgllymrgu4aqd.onion

Threat Actor Profile: ANUBIS

ANUBIS Ransomware Group

aka Sphinx

Origin: CIS-aligned (Russian-language underground forums RAMP/XSS)
Motivation: Financial (RaaS with flexible affiliate splits)
Targets: Healthcare & PharmaceuticalsEnterprise Networks
TTPs: Go-based payload with active-directory scanningVolume Shadow Copy deletion (vssadmin)Critical backup & DB service terminationMandatory command-line /KEY parameter check

Quest Health Solutions Incident Impact

Stolen Data Archive

0 GB

Negotiation Deadline

0 Days

WIPEMODE File Size

0 KB

ANUBIS Ransomware Kill Chain

1Initial Entrymedium
Spear-phishing or unpatched VPN/RDP
medium
2Execution & Eschigh
Go executable, token manipulation
high
3Evasion & Discoveryhigh
Stops DB/backup services, deletes VSS
high
4Data Thefthigh
Stages and exfiltrates 239 GB of data
high
5Impact Executioncritical
ECIES encryption or destructive /WIPEMODE
critical

ANUBIS Adversary Tactics & Techniques

Initial Access

T1566

Phishing

T1190

Exploit Public-Facing Application

T1078

Valid Accounts

Privilege Escalation

T1134

Access Token Manipulation

Defense Evasion

T1562.001

Impair Defenses: Disable or Modify Tools

Impact

T1486

Data Encrypted for Impact

T1485

Data Destruction

T1490

Inhibit System Recovery

T1489

Service Stop

Multi-Layered Defense and Remediation Framework

L1
Perimeter Security
Conduct professional penetration tests on RDP and VPN gatewaysFilter spear-phishing and monitor dark web credentials
L2
Endpoint & Active Monitoring
Deploy SIEM detection for vssadmin shadow deletionsMonitor process arguments for /KEY=, /WIPEMODE, and /elevatedTrack unauthorized edits to HKLM System Wallpaper registry values
L3
Data & Business Resilience
Maintain offline, out-of-band, or immutable backupsIsolate restoration test environments completely before recovery

ANUBIS Ransomware Hits Quest Health Solutions | Femto Security Threat Intelligence

ANUBIS Ransomware Threat: Inside the Quest Health Attack

ANUBIS Ransomware Threat: Inside the Quest Health Attack

Key Takeaways

Threat Actor Profile: ANUBIS

Quest Health Solutions Incident Impact

ANUBIS Ransomware Kill Chain

ANUBIS Adversary Tactics & Techniques

Multi-Layered Defense and Remediation Framework

How to Defend Against Similar Threats

Threat Intel FAQ

Could a similar threat affect your organization?