Full Report
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. "Although tactics differ between affiliates, common patterns emerged in tradecraft through use of legitimate Remote Management and Monitoring (RMM) tooling, credential access, and hands-on-keyboard procedures used for lateral
Analysis Summary
# Tool/Technique: Anubis Ransomware Strategy
## Overview
Anubis is a Ransomware-as-a-Service (RaaS) operation that emerged in late 2024 as a rebrand of the "Sphinx" ransomware. The group utilizes a combination of sophisticated exploit code (Citrix Bleed 2), "living-off-the-land" techniques via legitimate Remote Management and Monitoring (RMM) tools, and a high-pressure "scorched-earth" wiper module to coerce payments.
## Technical Details
- **Type:** Malware Family (RaaS) & Technique (Vulnerability Exploitation)
- **Platform:** Windows, Citrix NetScaler ADC/Gateway, Cisco AnyConnect
- **Capabilities:** Authentication bypass, credential harvesting, lateral movement, persistent remote access, data exfiltration, and file wiping.
- **First Seen:** Late 2024 (Rebranded from Sphinx); Ransomware-as-a-Service formally announced February 2025.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (CVE-2025-5777)
- T1078 - Valid Accounts (VPN Credentials)
- **TA0003 - Persistence**
- T1219 - Remote Access Software (ScreenConnect, Zoho Assist, etc.)
- T1572 - Protocol Tunneling (Cloudflare Tunnel)
- **TA0005 - Defense Evasion**
- T1562.001 - Impair Defenses: Disable or Modify Tools (Windows Defender/Sophos)
- T1070.001 - Indicator Removal: Clear Windows Event Logs
- **TA0008 - Lateral Movement**
- T1021.001 - Remote Services: Remote Desktop Protocol
- T1021.002 - Remote Services: SMB/Windows Admin Shares
- T1570 - Lateral Tool Transfer (PsExec)
- **TA0010 - Exfiltration**
- T1567 - Exfiltration Over Web Service (S3 Browser, rclone)
## Functionality
### Core Capabilities
- **Authentication Bypass:** Exploits CVE-2025-5777 (Citrix Bleed 2) to bypass Gateway/AAA virtual server authentication.
- **Remote Monitoring and Management (RMM) Abuse:** Uses legitimate tools (ScreenConnect, Zoho Assist, MeshAgent) to maintain access without triggering traditional malware alerts.
- **Data Exfiltration:** Leverages multi-protocol transfer tools like `rclone` and `s5cmd` to move data to cloud storage.
### Advanced Features
- **Wiper Mode (/WIPEMODE):** An irreversible module that reduces files to 0 KB. Unlike standard encryption where keys can be bought, this feature is used as a "scorched-earth" threat to force payment before activation.
- **Defense Evasion (BYOVD):** Use of PCHunter and other drivers to disable EDR/AV solutions (Sophos, Windows Defender).
- **Anti-Forensics:** Automatic deletion of the ransomware encryptor post-execution to prevent binary analysis.
## Indicators of Compromise
- **File Names:** `cloudflared.exe`, `rclone.exe`, `s5cmd.exe`, `PCHunter.exe`
- **Network Indicators:**
- AS20473 — The Constant Company
- AS55286 — ServerMania
- Cloudflare Tunnel connections (Defanged: `*.cloudflare[.]com`)
- **Behavioral Indicators:**
- Unauthorized `PsExec` service creation.
- Deployment of multiple RMM agents on a single host.
- Large-scale directory reduction to 0 KB.
- Unexpected `SophosUninstall` activity.
## Associated Threat Actors
- **Anubis (formerly Sphinx)**
- **The Gentlemen** (Mentioned as using similar TTPs)
## Detection Methods
- **Behavioral Detection:** Monitor for "Living-off-the-land" (LotL) binaries making external connections, particularly RMM tools not authorized in the environment.
- **Log Analysis:** Audit VPN logs for logins from high-risk Hosting/VPS ASNs (ServerMania, etc.).
- **Process Monitoring:** Detect the disabling of Windows Defender real-time protection via PowerShell or Registry.
## Mitigation Strategies
- **Patch Management:** Immediate patching of Citrix NetScaler (CVE-2025-5777) and Cisco AnyConnect vulnerabilities.
- **Access Control:** Implement Phishing-Resistant Multi-Factor Authentication (MFA) for all VPN and RMM access.
- **Software Restriction:** Use Application Allowlisting to block unauthorized RMM tools (e.g., ScreenConnect, UltraVNC) and Cloudflare Tunnels.
- **Hardening:** Disable SMBv1 and enforce SMB signing to mitigate lateral movement via PsExec.
## Related Tools/Techniques
- **Citrix Bleed 2 (CVE-2025-5777)**
- **Cloudflare Tunnel (cloudflared)**
- **S3 Browser / Rclone**
- **Living-off-the-land (LotL)**