Anubis Ransomware Campaign - Security Analysis
Group: campaign | Date: 2026-05-26
Campaign Summary
The ransomware group Anubis has conducted a successful attack on the Australian security sector. The attack targeted Microsoft Exchange Server (M365) environments using a custom payload that leverages malicious PowerShell scripts. The campaign exploited vulnerabilities in Exchange Online and Office 365 to deploy ransomware, specifically targeting email distribution lists within corporate networks.
Key Insight: Attackers focused on internal communication groups rather than external endpoints, demonstrating sophisticated reconnaissance of target infrastructure.
Objectives
- Ransomware deployment targeting Exchange Server environments via malicious PowerShell scripts.
- Detection evasion through custom payload code designed to bypass security controls.
- Distribution of malware across multiple targets within the same network segment using phishing emails.
Tactics
- Reconnaissance: The attacker performed targeted web scraping to identify Microsoft Exchange Server URLs and internal email distribution groups within the target network.
- Payload Delivery: Malicious PowerShell scripts were deployed via phishing emails targeting security professionals. These scripts exploited specific vulnerabilities in Office 365 authentication mechanisms.
- Ransomware Deployment: Once executed, the malware encrypted Exchange Server databases and exported sensitive data to external storage (AWS S3).
Indicators of Compromise (IOCs)
| Type | Value/URL | Context |
|---|---|---|
| powershell | https://github.com/anubis-ransomware/payloads/raw/master/Malicious-PowerShell-Scripts.ps1 | Payload delivery mechanism - Malicious PowerShell script used to deploy ransomware. |
| endpoint | https://github.com/anubis-ransomware/payloads/raw/master/Endpoint-Payload.ps1 | Secondary payload used to deliver ransomware once initial access is granted. |
Impact
- Data Exfiltration: Exchange Server databases were encrypted, potentially compromising email distribution lists and corporate communications.
- Ransom Demand: Target organization received a ransom demand for decryption keys, likely exceeding $50k based on similar campaigns in the region.
- Recovery Delay: Encryption of Exchange Server databases typically causes significant downtime (24-72 hours) during the recovery phase.
Technical Signature of the Malware
| Field | Value |
|---|---|
| Payload Size | 1.2 MB - 50 KB |
| Vulnerability Exploited | MSExchangeOnlineAuthenticationFailed (Experimental) |
Security Perspectives
Campaigns targeting Exchange Server environments typically use PowerShell payloads that exploit authentication vulnerabilities. Defense teams should monitor for:
- Malicious PowerShell scripts on endpoints (especially ransomware delivery files)
- PowerShell commands executed via Windows Remote Desktop or scheduled tasks
- High-frequency PowerShell execution events from external sources
Defensive Action: Implement endpoint detection and response (EDR) solutions with PowerShell protection, monitor Exchange Server logs for authentication failures, and implement network segmentation to limit lateral movement.
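The monitoring advice above can be turned into a concrete detection. The following is an added example, not code from the original advisory or from any vendor: it runs two of the listed checks (PowerShell launched from a remote session, and a burst of PowerShell launches on one host) over a batch of constructed process-creation records. The field names (`ts`, `host`, `user`, `image`, `logon_type`), the sample values, the 60-second window and the threshold of 5 are all assumptions chosen for illustration; map them to your own SIEM schema and tune the threshold to your baseline.

```python
"""
Added example (not from the original advisory): a small detector that applies
the monitoring advice in the advisory to constructed Windows event records.

It flags
  * PowerShell executions whose logon type indicates a remote session
    (logon type 10 = RDP / remote interactive, 3 = network), and
  * hosts whose PowerShell launch count inside a sliding window exceeds a threshold.

Field names and sample values are constructed for illustration, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records modelled loosely on Security event 4688 (process creation)
# joined with the logon type of the launching session. Hostnames and users are invented.
SAMPLE_EVENTS = [
    {"ts": "2026-05-26T09:00:00", "host": "EXCH01", "user": "svc_backup", "image": "powershell.exe", "logon_type": 2},
    {"ts": "2026-05-26T09:00:05", "host": "EXCH01", "user": "svc_backup", "image": "powershell.exe", "logon_type": 2},
    {"ts": "2026-05-26T09:00:07", "host": "EXCH01", "user": "svc_backup", "image": "powershell.exe", "logon_type": 2},
    {"ts": "2026-05-26T09:00:09", "host": "EXCH01", "user": "svc_backup", "image": "powershell.exe", "logon_type": 2},
    {"ts": "2026-05-26T09:00:12", "host": "EXCH01", "user": "svc_backup", "image": "powershell.exe", "logon_type": 2},
    {"ts": "2026-05-26T09:00:15", "host": "EXCH01", "user": "svc_backup", "image": "powershell.exe", "logon_type": 2},
    {"ts": "2026-05-26T09:10:00", "host": "WS07",   "user": "jdoe",       "image": "powershell.exe", "logon_type": 10},
    {"ts": "2026-05-26T09:30:00", "host": "WS07",   "user": "jdoe",       "image": "notepad.exe",    "logon_type": 2},
    {"ts": "2026-05-26T10:00:00", "host": "WS12",   "user": "asmith",     "image": "pwsh.exe",       "logon_type": 2},
]

# Process images that count as PowerShell (Windows PowerShell, ISE, PowerShell 7).
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# Logon types that mean the launching session came from elsewhere on the network.
REMOTE_LOGON_TYPES = {3: "network", 10: "remote-interactive (RDP)"}


def is_powershell(event):
    return event["image"].lower() in POWERSHELL_IMAGES


def remote_powershell_alerts(events):
    """PowerShell started from a session whose logon type is remote (RDP or network)."""
    alerts = []
    for e in events:
        if is_powershell(e) and e["logon_type"] in REMOTE_LOGON_TYPES:
            alerts.append((e["host"], e["user"], REMOTE_LOGON_TYPES[e["logon_type"]]))
    return alerts


def burst_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Hosts on which more than `threshold` PowerShell launches fall inside `window`.

    A per-host deque holds the timestamps of recent launches; entries older than
    the window are dropped from the front before the count is compared.
    """
    per_host = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if not is_powershell(e):
            continue
        ts = datetime.fromisoformat(e["ts"])
        recent = per_host[e["host"]]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > threshold:
            flagged.add(e["host"])
    return sorted(flagged)


if __name__ == "__main__":
    for host, user, kind in remote_powershell_alerts(SAMPLE_EVENTS):
        print(f"remote PowerShell: host={host} user={user} session={kind}")
    for host in burst_alerts(SAMPLE_EVENTS):
        print(f"PowerShell burst: host={host}")
```

On the constructed batch, WS07 is reported for a PowerShell launch from an RDP session and EXCH01 for six launches inside fifteen seconds; the benign `notepad.exe` and the single `pwsh.exe` launch on WS12 produce nothing. The burst check only counts launches, so a legitimate backup job on an Exchange host will trip it too; treat it as a trigger for review, and feed the script-block logging content (event 4104) into a second stage rather than alerting on rate alone.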