Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis

RHC Interviews Anubis Ransomware: Their View on RAMP, LockBit and the RaaS “Market”

16 February 2026 07:06

Author: Luca Stivali, Raffaela Crisci, Lorenzo Nardi

During the preliminary exchange leading up to the interview, Anubis expressed a very clear position regarding the collapse of several historical platforms within the ransomware ecosystem and the real meaning behind recent shutdowns. According to the operator, the closure of forums such as RAMP had no tangible impact on the business of active groups: “some programs shut down, others are created. The people remain the same, only the brands change.”

Anubis claims to have directly paid the RAMP administrator for advertising services, without receiving any refund after the platform’s seizure, openly accusing him of technical incompetence and lack of integrity. In particular, a scenario of amateur infrastructure management is described, with user databases stored unencrypted and systems lacking even minimal security controls — elements which, according to Anubis, made the forum’s shutdown not only foreseeable, but almost inevitable.

As for LockBit, the judgment is even harsher. While acknowledging its historical role as one of the most solid and structured RaaS operations in the past, Anubis now defines it as a relic of the industry, no longer respected within the CIS sphere and reduced to a caricature of its former self. Recent accusations of rebranding (DarkSide / BlackCat) are dismissed as desperate attempts to discredit competitors, based on assumptions without evidence.

The message that emerges is clear: in modern ransomware, names no longer matter — people, skills, and the ability to operate within a fluid ecosystem do. Affiliates, access brokers, and operators move rapidly from one platform to another. The brand changes; the essence remains.

Anubis Between Self-Narrative and Operational Reality

The Anubis ransomware group presents itself as an “atypical” RaaS actor, distant from the dynamics of scale, aggressive marketing, and open competition that have characterized much of the ransomware ecosystem in recent years. During the interview, Anubis claims to operate as a closed, selective structure focused exclusively on profit, rejecting the “cartel” label and explicitly distancing itself from both competitors and the visibility-driven dynamics typical of major leak sites.

According to its own statements, Anubis does not use destructive wipers against production data, but only modules designed to delete backups, with the goal of preventing restoration without compromising monetization opportunities.

Anubis describes itself as a closed group, uninterested in scale, visibility, or mass recruitment. The objective is purely economic, with increasing emphasis on the exploitation of exfiltrated data rather than simple encryption.

This vision aligns with a broader trend: ransomware evolving into a tool for data extortion, where encryption becomes secondary. Anubis’s statements are consistent with what has been observed in several recent cases, suggesting that — beyond the brand — the operational model is indeed shifting in this direction.

The interview with Anubis offers neither reassurance nor simple solutions. On the contrary, it delivers a raw and coherent picture of a ransomware ecosystem that is progressively moving away from the spectacle of mass encryption and toward what truly generates value: data, reputational pressure, and control over information.

Beyond the statements — which must always be read with necessary critical distance — several elements are difficult to ignore. The first is that security does not fail due to a lack of technology, but because of structural, organizational, and cultural shortcomings. Weak passwords, outdated systems, lack of monitoring, and lack of awareness continue to represent the true point of entry, even in environments that should be protected by strict regulatory frameworks.

In summary, the interview that follows provides a rare and direct insight into how Anubis interprets itself and the ransomware market. As always in CTI, such statements should not be read as absolute truths, but as indicators of mindset, strategy, and internal perception — to be assessed against technical data, observed victims, and the real dynamics of the criminal ecosystem.

Finally, this conversation confirms a now evident trend: the future of ransomware lies not in the brute force of malware, but in the ability to read contexts, exploit human weaknesses, and transform information into economic leverage. Ignoring this evolution — or reducing it to slogans — means paving the way for future incidents.

Understanding does not mean justifying.
But without understanding, there is no effective defense.

Complete Interview

RHC: Hello, and thank you for giving us the opportunity to interview you. In many of our interviews with threat actors, we usually start by asking about the origin and meaning of their group’s name. Could you share with us the story behind yours?

ANUBIS: I have already answered the press on this question once, and my answer sounded like this: People always crave a story, don’t they? Yes, I understand exactly what you’re asking. We developed our platform under strict secrecy, operating under the codename “Project_Pyramid.” That project consisted of two core elements: an independent media outlet called “Anubis” — our blog — and an encryption suite known as “Sphinx.” As the project evolved, we abandoned the idea of separating the software from the blog and merged everything under one name: Anubis. Why the Egyptian theme? Probably because encrypted data often looks like complex patterns — almost like ancient hieroglyphs that only the initiated can decipher. Anubis, after all, is the ancient Egyptian god of death, embalming, and the guide of souls to the afterlife. In our mythos, companies that refuse to cooperate inevitably collapse under the weight of their own decisions — escorted into their corporate “afterlife.” Quietly. Inevitably. Just like the ancient guardian leading souls across the sands of the Nile. But let’s step away from mythology and back into reality. Unlike the god Anubis — we are no myth.

RHC: If you were to advise a company on where to start in order to become resilient against cyberattacks like yours, what would you recommend?

ANUBIS: This may sound a bit rude, but I would advise removing idiots from IT departments and cybersecurity teams. We attack dozens of companies every day, and more than half of them fall into our hands because of human stupidity — weak passwords like Welcome123. Today, two companies paid me, both of which had the domain administrator password set to Welcome123. Welcome2025 is no better. That’s shameful. After payment, we also provide the company with a penetration testing report of their corporate network, including our recommendations for strengthening their security. Understand me correctly: our task is to attack, not to defend. We are on the other side.

RHC: We conduct these conversations to help our readers understand that cybersecurity is a highly technical field, and that to win the fight against cybercrime, we need to be stronger than you—who are often, as is well known, one step ahead of everyone else. Is there anything you would like to say to our readers or to potential victims of your operations?

ANUBIS: As I mentioned above, a lot depends on the human factor. You can deploy the strongest EDR solution, update your software on time, and install monitoring systems. But one weak password, one open door — and we will get in.

RHC: Kevin Mitnick demonstrated that social engineering is, to this day, the most powerful hacking tool ever created. Despite the increasing sophistication of defensive technologies (often easy to deploy and highly effective), the human factor remains the weakest link in any security chain. In your view, what absolutely cannot be missing from a modern Cybersecurity Awareness program? Which concepts, lessons or behavioral principles are essential to build real, long-lasting awareness of cyber risk within an organization?

ANUBIS: Yes, Kevin was right. That’s exactly how it is. We hack not only systems, but people as well. In many ways, it’s even easier — and just as interesting. Many employees don’t want to understand how things work; they don’t take cybersecurity seriously. Conditionally speaking, you are a cybersecurity journalist, I am a hacker. But the girl at the reception desk in a hotel or a hospital has no idea how this digital world works. She’s simply not interested. Many people don’t think about danger until it affects them personally. Until people start taking cybersecurity seriously, attacks will continue on the same scale. I think an analogy can be made with a respiratory virus — until everyone gets sick and develops herd immunity, the virus won’t disappear. It’s the same here. Until people have a clear understanding and knowledge of cybersecurity, they will continue to become victims of hackers.

RHC: Recent studies indicate a clear trend: the cybersecurity business seems increasingly oriented toward investing in defensive capabilities rather than paying ransoms. Even many compromised companies now publicly state that they prefer a “lesson learned” approach, using the value of the ransom they refuse to pay to strengthen their security posture. From your perspective, why does it still make sense to invest resources, time and technical development into ransomware operations if ransom payments are becoming statistically less frequent? What is the strategic rationale behind pursuing attacks whose financial return may not be guaranteed?

ANUBIS: There is a mistake here. In our field — the ransomware field — many hackers have remained at the same level. They think you can break in and encrypt a network and then get good money, like five years ago. They simply stopped developing. There is no progress, and no one pays them. They know how to encrypt networks, but they don’t know how to work with data, with extracted information — and that is a whole art. Information has always been the most valuable commodity. People pay for it. Companies pay and will continue to pay. I think that RaaS will abandon encryption-based attacks in a few years and move to blackmail using stolen data. People will always pay for that. Only the variables change, not the essence itself.

RHC: What motivated you to target the Adriatic Port Authority (port of Ancona), and what were your primary objectives in this operation? Was the attack driven mainly by financial reasons, strategic visibility, or by specific characteristics you identified in the organization or its infrastructure?

ANUBIS: As I already said, we attack dozens of companies every day. This was one of them. We are motivated only by money. This is business. A business that brings enormous money. I can’t help but note that this is very interesting work that dictates your lifestyle. It’s not for everyone.

RHC: Can you share insights into the initial access vector used in the Adriatic Port Authority (port of Ancona) intrusion and the main security weaknesses you encountered during the operation? From your perspective, which defensive gaps were most critical in enabling lateral movement and data exfiltration?

ANUBIS: Access was obtained by exploiting a vulnerability in their corporate VPN. They hadn’t updated their hardware for so long that we even felt a bit sorry for them. As for lateral movement and privilege escalation — their protection was terribly weak, weak passwords — everything was very sad. I don’t know where they put the money allocated for their security. It wasn’t there.

RHC: Ports are widely considered critical infrastructure with a direct impact on national supply chains and public services. When selecting targets of this kind, do you take into account the potential systemic or societal impact of your operations, or is target selection purely opportunistic and economically driven?

ANUBIS: All our attacks are business. Yes, attacking critical infrastructure is bad. But is it good, in your opinion, not to care about cybersecurity at such important facilities and to give a system administrator the password Pa$$w0rd2024!? There are always two sides. In this incident, it’s not only our fault. I take a philosophical view of this. We always give our victims the opportunity to make a deal with us. They would have received decryption software, we would have deleted all the data we stole from them, provided an incident report, and even configured their defenses. But no — they didn’t care. They didn’t even try to negotiate. Their problem. When we attack, we always give a choice. We can be negotiated with. And if they had been attacked by terrorists? That would have been much worse. That’s why we will attack everyone indiscriminately and offer them a deal.

RHC: Your extortion model is widely known for the use of wiper capabilities. Among your victims, there are sectors that, under the current European cybersecurity regulatory framework, NIS2, are classified as essential, and therefore fall within a perimeter that directly affects public security, such as healthcare, public administration, and critical infrastructure.

ANUBIS: Oh, this is the biggest misconception. All journalists ask us this question about the wiper. Now I’m going to surprise you: we do not destroy data. Can you imagine that? And we never have. The wiper is a module designed to delete backups so that a company cannot restore from them. All other data we encrypt. If we deleted data instead of encrypting it, no one would pay us. That would be madness. Some stupid journalist, without understanding the subject or studying the issue, published this fake story about data destruction — and everyone picked it up. I’m ashamed of this kind of journalism. People need to be shown the truth. Independent analysis is needed. Primary sources must be studied.

RHC: Are there sectors for which the use of a wiper is always excluded?

ANUBIS: We do not use the wiper anywhere except for destroying backups. It is useless otherwise. We are not terrorists. We run a business.

RHC: Do you use data destruction as a warning or deterrent toward other organizations?

ANUBIS: No. We do not use the wiper to destroy data or intimidate. We almost never use it at all.

RHC: Have you ever activated that function even after a ransom payment was made?

ANUBIS: No, that’s not how it works. That’s nonsense.

RHC: Is the activation of the wiper a decision made by the affiliates conducting the attack, or is it coordinated with, or decided by, the core team?

ANUBIS: Anubis operates in a semi-closed format. We are a team and do not accept everyone. Affiliates have no ability to use the wiper.

RHC: Reading DragonForce’s evolution, it feels less like a technical innovation and more like an attempt to govern a market. In your opinion, is the “cartel” model really about scaling ransomware—or about deciding who gets access, who gets visibility, and who gets pushed out of the RaaS ecosystem?

ANUBIS: We do not follow competitors. My subjective opinion is that DragonForce is no different from other RaaS. It advertises itself in the darknet under the same general conditions. Behind the scenes, people say it is a rebranding or a spin-off of LockBit — I don’t know for sure. They make money on affiliates; their model is a sales model. Business. We, on the other hand, are a separate closed group. We are not interested in scale, and we don’t need people.

RHC: Many analysts argue that the “cartel” model is less about innovation and more about fear: fear of law enforcement, seizures, and arrests. Do you see the DragonForce cartel as a sign of strength or as a defensive reaction by groups that can no longer operate alone?

ANUBIS: I will not comment on things I don’t understand. We don’t care about competitors. We don’t have time for them.

RHC: DragonForce seems to compete more on infrastructure, reputation, and ecosystem control than on malware itself. Are we witnessing a shift from criminal groups to platforms with real “political” power in the ransomware underground?

ANUBIS: No comments.

RHC: Do cartel-style ransomware ecosystems inevitably push for escalation — more intimidation, data destruction, or irreversible damage — as a mechanism to stand out and maintain credibility?

ANUBIS: In my view, all of this is insignificant. The most important thing is to know how to work with data, to understand business, to understand risks. To know the pain points. Very few can do this. RaaS as encryption software is already degrading and dying, and will last another 2–3 years. After that, all the power will be with DLS, data analysis, and the ability to build reach through media. Ransoms will be paid for silence, not for decryption. Already, about half of all payments are for data.

RHC: The timeline of defacements and takedowns affecting Everest, RansomHub, and LockBit closely overlaps with DragonForce’s repositioning as a cartel. Do you believe this is coincidence, opportunism—or a deliberate strategy to destabilize rivals and accelerate affiliate migration?

ANUBIS: Some programs shut down — others are created. Regular hackers, pentesters, and access brokers move between them. Essentially, the same people work under different brands. The name changes, not the essence. I don’t know who stands behind DragonForce. To me, it’s just a regular RaaS like all the others. RansomHub, I think, simply made enough money and left. LockBit is a mistake of the industry. Once it was a strong player, now it only provokes laughter. In the CIS it is not respected, behind the scenes as well. It’s a relic of the past. A person who did low things and didn’t watch his words. In short — a rat. His business is in agony. He’s trying to make money off a brand that was once good. But those times are over.

RHC: Attacks on rival leak sites and affiliate panels don’t generate direct profit. From your perspective, does this confirm that the real battleground is no longer the victim—but trust, reputation, and control of the RaaS supply chain?

ANUBIS: Yes, that’s right. The most important thing is to earn the trust of the people you work with. The secret is simple: be yourself and be honest with your partners. Despite the fact that this is a criminal business, it must be conducted honestly.

RHC: Even without direct attribution, DragonForce appears consistently aligned with outcomes that weaken competitors. Do you see DragonForce more as an executor—or as an orchestrator that benefits from chaos without necessarily pulling the trigger?

ANUBIS: He does not show himself in terms of competition in any way. I think he’s just busy with his own business. I haven’t seen him interfere with anyone. I believe it’s right to mind your own business rather than wage war with competitors.

RHC: Considering declining ransom payments, stronger defenses, and increased law-enforcement pressure: Is the DragonForce cartel a sign of strength—or a symptom of a ransomware economy under stress, forced to consolidate to survive?

ANUBIS: It seems to me that you should interview DragonForce, not us. Too many questions that have nothing to do with us.

RHC: Historically, criminal cartels tend to collapse due to internal conflicts, mistrust, or external pressure. Do you think ransomware cartels like DragonForce are structurally stable—or inherently fragile and destined to fragment?

ANUBIS: Everything is individual and depends on approach and management. Everyone has their own goals and their own implementation.

RHC: If DragonForce disappeared tomorrow, would the cartel model collapse—or has the idea already won, regardless of the brand?

ANUBIS: When one disappears, all the workers — hackers, pentesters — go under another brand. Nothing changes.

RHC: Thank you very much for the interview. We conduct these conversations to help our readers understand that cybersecurity is a highly technical field, and that to win the fight against cybercrime, we need to be stronger than you—who are often, as is well known, one step ahead of everyone else. Is there anything you would like to say to our readers or to potential victims of your operations?

ANUBIS: We’re all different. Each of us has our own vision, our own purpose. But we all share this planet. Perhaps one day, when money stops ruling and politicians stop igniting wars, we will stop what we do. But that is not the world we live in. Yes, we understand that our actions are not virtuous. But like a virus, we force societies to build immunity — to strengthen their defenses. The same applies to corporations. This is the 21st century — the age of technology. And it’s time people accepted reality. If you neglect your cybersecurity, you may very well become the next target. Protect your infrastructure. And may peace and prosperity find you. Thank You.


Luca Stivali
Cyber Security Enthusiast and entrepreneur in the IT industry for 25 years, expert in network design and management of complex IT systems. Passion for a proactive approach to cyber security: understanding how and what to protect yourself from is crucial.
Areas of Expertise: Cyber Threat Intelligence, Security Architecture, Awareness