Ransomware Groups Adopt Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Anubis Ransomware Operation: Exploiting Vulnerabilities for Malicious Gains

The Anubis ransomware operation has recently been identified as actively leveraging the Citrix Bleed 2 vulnerability (CVE-2025-5777) to gain initial access to targeted systems. This critical vulnerability allows attackers to bypass authentication when the Citrix appliance is configured either as a Gateway or as an AAA virtual server, raising significant concerns for the many organizations that rely on Citrix products.

In a report released this week, Arctic Wolf detailed the tactics adopted by the threat actors affiliated with Anubis, noting significant variances in methods employed by individual affiliates. Nonetheless, commonalities emerged in their overall strategy. These include extensive utilization of legitimate Remote Management and Monitoring (RMM) tools such as ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment. By employing these tools, the attackers seamlessly blend their malicious activities with routine IT operations, maintaining undetected access to victim systems.

Anubis, a rebranding of the previously known Sphinx ransomware, made its formal entrance into the cybercrime scene in late 2024. The operation was announced on the Ransomware and Advanced Malware Protection (RAMP) underground forum in February 2025. Since its inception, Anubis has reportedly claimed 91 victims on its data leak site, with a notable spike of 11 victims registered in June 2026 alone. The sectors most affected by this surge in ransomware activity include healthcare, business services, manufacturing, technology, and financial services. Alarmingly, over half of Anubis’s victims are situated in the United States, followed closely by the United Kingdom, Australia, France, and Canada.

In its operations, Anubis has garnered attention not just for its exploitation capabilities, but also for its lucrative model offered to affiliates. A report published by Rubrik Zero Labs highlights that Anubis provides an attractive profit-sharing arrangement, granting affiliates 80% of the ransom amounts collected. This financial incentive is coupled with a distressing feature known as the irreversible data-wiping component, designed to exert additional pressure on victims to comply with ransom demands. When activated, the /WIPEMODE module renders files inert—reduced to a 0 KB size, irrespective of whether the ransom is paid. This tactic places immense pressure on affected organizations, pushing them to act swiftly to avoid complete data loss.

The cybersecurity breaches attributed to Anubis in the current year not only involve the exploitation of the Citrix Bleed 2 vulnerability but also make effective use of valid VPN credentials. While the origins of these credentials remain unclear, they could potentially have been obtained through a prior compromise, acquired from Initial Access Brokers (IABs), or generated through credential stuffing attacks or information-stealer malware. Notably, incidents involving malicious VPN authentication have been traced back to several hosting ASNs, including The Constant Company and ServerMania, as highlighted by Arctic Wolf.

Following these initial compromises, attackers typically log on over RDP (Remote Desktop Protocol) and SMB (Server Message Block), paving the way for credential access. Subsequent actions include the creation of PsExec services, deployment of RMM tools, and ultimately the invocation of cloud transfer tools for data exfiltration. The methodology reflects a carefully orchestrated approach aimed at solidifying persistent access before the ransomware is deployed.

The threat actors employ tactics that include not only lateral movements using RDP and PsExec but also the installation of various RMM tools, allowing them to transfer files and execute code unnoticed. Tactical elements also involve configuring Cloudflare Tunnels to establish hidden pathways into victim environments. In a further push to optimize their operations, the attackers diligently collect credentials that enable them to extend their reach deeper into the compromised systems. Tools such as S3 Browser, rclone, s5cmd, WinSCP, and PuTTY are routinely deployed for the data transfer processes preceding ransomware execution.

Alongside these activities, the attackers disable system defenses, complicating any future incident analysis. Observed methods include disabling Windows Defender's real-time protection, running SophosUninstall, leaving PCHunter-related artifacts, and manipulating or erasing logs across multiple systems. In at least one incident, an Anubis encryptor was deleted after execution, further limiting the opportunity for forensic investigation.
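The intrusion chain described in the preceding paragraphs (remote logons, PsExec service creation, RMM tool installs, Cloudflare Tunnel clients, cloud-transfer tooling, Defender tampering and log clearing) lends itself to a simple per-host correlation: any one of these signals is common in routine IT work, but several of them appearing together on a host is what warrants escalation. The script below is an added example and is not code from the article or from Arctic Wolf. The Windows event IDs it keys on and the way each stage is assumed to surface in standard logging are this example's assumptions, the tool-name substrings come from the article's tool list, and the log lines it runs over are constructed.

```python
"""Per-host triage of normalized Windows events against the stages of the
Anubis intrusion chain described in the article. Event-ID mapping and the
sample records are this example's own assumptions/constructions."""

import json
from collections import defaultdict

# Substrings of the tools named in the article, matched case-insensitively
# against the image path of a process-creation event.
RMM_KEYWORDS = ("screenconnect", "zoho", "meshagent", "remotely", "ultravnc", "winvnc")
EXFIL_KEYWORDS = ("rclone", "s5cmd", "winscp", "putty", "s3browser", "s3 browser")
TUNNEL_KEYWORDS = ("cloudflared",)  # Cloudflare Tunnel client binary
DEFENSE_KEYWORDS = ("sophosuninstall", "pchunter")

# Assumed mapping of the article's activity onto standard Windows event IDs.
EVT_LOGON = 4624            # Security: logon (LogonType 10 = RDP, 3 = network/SMB)
EVT_PROCESS_CREATE = 4688   # Security: new process created
EVT_SERVICE_INSTALL = 7045  # System: service installed (PsExec creates PSEXESVC)
EVT_LOG_CLEARED = 1102      # Security: audit log cleared
EVT_DEFENDER_RTP_OFF = 5001  # Windows Defender/Operational: real-time protection disabled


def classify(event):
    """Return a list of (stage, evidence) tags for one normalized event, or []."""
    eid = event["event_id"]
    f = event.get("fields", {})
    tags = []
    if eid == EVT_LOGON:
        who = f"{f.get('TargetUserName')} from {f.get('IpAddress')}"
        if str(f.get("LogonType")) == "10":
            tags.append(("remote_logon_rdp", who))
        elif str(f.get("LogonType")) == "3":
            tags.append(("remote_logon_network", who))
    elif eid == EVT_PROCESS_CREATE:
        image = f.get("NewProcessName", "").lower()
        for stage, keywords in (("rmm_tool", RMM_KEYWORDS), ("exfil_tool", EXFIL_KEYWORDS),
                                ("tunnel", TUNNEL_KEYWORDS), ("defense_tamper", DEFENSE_KEYWORDS)):
            if any(k in image for k in keywords):
                tags.append((stage, image))
    elif eid == EVT_SERVICE_INSTALL:
        if f.get("ServiceName", "").upper() == "PSEXESVC":
            tags.append(("psexec_service", f.get("ImagePath", "")))
    elif eid == EVT_LOG_CLEARED:
        tags.append(("log_cleared", f.get("SubjectUserName", "")))
    elif eid == EVT_DEFENDER_RTP_OFF:
        tags.append(("defense_tamper", "Defender real-time protection disabled"))
    return tags


def triage(events):
    """Group stage tags per host; escalate when three or more distinct stages co-occur."""
    per_host = defaultdict(list)
    for ev in events:
        for stage, evidence in classify(ev):
            per_host[ev["host"]].append((ev["ts"], stage, evidence))
    report = {}
    for host, hits in per_host.items():
        stages = sorted({s for _, s, _ in hits})
        report[host] = {"stages": stages, "hits": sorted(hits), "escalate": len(stages) >= 3}
    return report


def load_events(text):
    """Parse JSON-lines records (one normalized event per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample log: FS01 shows the full chain, WS07 shows a lone RMM install.
SAMPLE_LOG = r"""
{"ts":"2025-07-01T02:10:05Z","host":"FS01","channel":"Security","event_id":4624,"fields":{"LogonType":"10","TargetUserName":"svc_backup","IpAddress":"203.0.113.45"}}
{"ts":"2025-07-01T02:12:40Z","host":"FS01","channel":"System","event_id":7045,"fields":{"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe"}}
{"ts":"2025-07-01T02:15:02Z","host":"FS01","channel":"Microsoft-Windows-Windows Defender/Operational","event_id":5001,"fields":{}}
{"ts":"2025-07-01T02:20:11Z","host":"FS01","channel":"Security","event_id":4688,"fields":{"NewProcessName":"C:\\Windows\\Temp\\rclone.exe"}}
{"ts":"2025-07-01T03:01:59Z","host":"FS01","channel":"Security","event_id":1102,"fields":{"SubjectUserName":"svc_backup"}}
{"ts":"2025-07-01T09:30:00Z","host":"WS07","channel":"Security","event_id":4624,"fields":{"LogonType":"2","TargetUserName":"jdoe","IpAddress":"-"}}
{"ts":"2025-07-01T09:31:12Z","host":"WS07","channel":"Security","event_id":4688,"fields":{"NewProcessName":"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"}}
"""

if __name__ == "__main__":
    for host, r in triage(load_events(SAMPLE_LOG)).items():
        flag = "ESCALATE" if r["escalate"] else "review"
        print(f"{host}: {flag} stages={r['stages']}")
        for ts, stage, evidence in r["hits"]:
            print(f"  {ts} {stage}: {evidence}")
```

The threshold of three stages is a starting point, not a tuned detection: a single RMM install or a lone RDP logon is exactly the kind of routine activity the article notes these operators blend into, so the value of the rule is in the co-occurrence on one host within a short window, and a real deployment would add a time bound and an allowlist of sanctioned RMM agents.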

Implications of Emerging Cyber Threats

As the Anubis operations intensify, they exemplify a broader trend in the evolution of ransomware tactics, illustrating how modern cybercriminal groups are adapting and enhancing their approaches to leverage both advanced tools and established vulnerabilities. This case underscores the necessity for organizations to maintain robust security frameworks, including regular vulnerability assessments and updated security protocols, to combat the increasingly sophisticated methods employed by ransomware groups.

As the landscape continues to evolve, the combination of lucrative profit-sharing models, advanced exploitation techniques, and strategic partnerships among factions within the ransomware-as-a-service (RaaS) ecosystem suggests that organizations worldwide must stay vigilant and proactive in their cybersecurity efforts.
