Menu
Browse

Cyber Threat Actor: Anubis

Actor Type Location Known Incidents
 Icon
Criminal
Russia
1 incident
Profile

Anubis is a ransomware group that operates under the alias Anubis and has been linked to Russia in the limited attribution information available to analysts. The group first entered public view when it compromised the network of Langley Twigg Law, a New Zealand‑based law firm, on the date 2026-01-11. During the breach, the actors exfiltrated a broad set of sensitive files, including passport scans, internal operational records, client correspondence, financial statements, human‑resources data, and employee compensation details. The affected organization detected the anomalous activity, promptly isolated the compromised systems, restored operations from clean backups after applying additional hardening measures, engaged a digital forensics team, and notified the privacy commissioner and police while preparing to inform affected individuals once the review of the copied material is finished.

Anubis announced responsibility for the intrusion on its leak site, where it provided an itemized list of the stolen data and emphasized its reliance on sensitive exposure coupled with an optional wipe mode to increase pressure on the victim. The disclosed approach reflects a double‑extortion ransomware model in which encryption is paired with the threat of public release, a tactic that has become common among financially motivated criminal groups. Public reporting does not specify the initial‑access vector used in this case, nor does it name any additional malware families beyond the Anubis ransomware payload itself. Attribution to Russia is the only geographic detail that has been stated explicitly; no connections to state sponsors, intelligence services, or larger criminal consortia have been established in open sources.

The Langley Twigg Law incident remains the sole publicly documented operation attributed to Anubis, limiting the ability to draw broader conclusions about the group’s behavior. It demonstrates that the actors have, at least once, targeted a professional‑services entity in the Oceania region, specifically a law firm handling confidential client information. The victim’s response—system isolation, backup restoration after hardening, forensic investigation, regulator notification, and planned client communication—matches the standard incident‑handling steps recommended for ransomware events. Because no further campaigns have been reported, any inference about the group’s preferred sectors, strategic objectives, or operational scale would constitute speculation and is therefore omitted from this profile.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources