Date: 2026-07-13
Source: Ransomware.live / Dark Web Leak Sites
Analyst: Security Arsenal Intel Team
Threat Actor Profile — ANUBIS
ANUBIS is an active ransomware operation currently leveraging a mix of newer and legacy vulnerabilities to breach perimeter defenses. While their internal structure remains fluid, they operate with a high degree of technical sophistication, specifically targeting remote access and management interfaces.
- Model: Operates as a Ransomware-as-a-Service (RaaS) or highly coordinated affiliate model, evidenced by the disparate nature of the CVEs utilized in recent campaigns.
- Ransom Demands: Estimates suggest demands range from $500k to $5M USD depending on victim revenue, with a strict double-extortion approach involving data exfiltration prior to encryption.
- Initial Access: Primarily focused on external-facing services. Current intelligence confirms active exploitation of VPN gateways (Check Point), remote management tools (ConnectWise ScreenConnect), and email infrastructure (Microsoft Exchange).
- Dwell Time: Short-to-medium dwell time (3–7 days), focusing on rapid credential dumping and lateral movement before detonation.
Current Campaign Analysis
Based on the July 12, 2026, postings to the ANUBIS dark web leak site, the gang has claimed three new victims:
- Casper Orthopedics (Healthcare)
- Surtifamiliar (Retail/Commercial)
- Community Advocates (Business Services)
Targeting Sectors
- Healthcare: The targeting of Casper Orthopedics suggests a willingness to disrupt critical care providers, likely banking on the high willingness to pay to restore patient data systems.
- Business Services & Retail: Surtifamiliar and Community Advocates indicate a broad scope, targeting entities with high volumes of PII and financial transaction data.
Geographic Concentration
The victimology spans "multiple countries," suggesting a lack of geo-restrictions and a global scan-and-exploit methodology.
Attack Vector Analysis (CVE Correlation)
The recent victims are highly likely compromised via the following actively exploited CISA KEV vulnerabilities:
- CVE-2026-50751 (Check Point Security Gateway): An improper authentication vulnerability in IKEv1. This allows attackers to bypass VPN authentication, gaining direct internal network access without valid credentials. This is a critical threat for organizations relying on Check Point for perimeter defense.
- CVE-2024-1708 (ConnectWise ScreenConnect): A path traversal vulnerability allowing remote code execution (RCE). This is a perennial favorite for ransomware gangs to gain initial access or persistence via IT management tools.
- CVE-2023-21529 (Microsoft Exchange Server): A deserialization vulnerability allowing authenticated attackers to execute code. This provides an entry point via email infrastructure, a common vector for Business Services targets.
- CVE-2026-48027 (Nx Console) & CVE-2026-20131 (Cisco FMC): These suggest supply chain or management plane attacks, allowing the gang to hijack administrative consoles.
Detection Engineering
The following detection rules and hunt queries are designed to identify the specific TTPs associated with the ANUBIS campaign, specifically focusing on the exploitation of ScreenConnect, Exchange, and lateral movement indicators.
SIGMA Rules
title: Potential ScreenConnect Path Traversal Exploit CVE-2024-1708
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects potential webshell activity or authentication bypass associated with ConnectWise ScreenConnect path traversal vulnerability.
status: experimental
date: 2026/07/13
author: Security Arsenal
logsource:
category: web
product: proxy
detection:
selection:
cs-uri-query|contains:
- 'App_Extensions'
- 'Services'
- 'bin'
cs-uri-query|contains:
- '.aspx'
- '.ashx'
sc-status: 200
filter:
cs-uri-query|contains:
- 'Login'
- 'Guest'
condition: selection and not filter
level: high
tags:
- attack.initial_access
- attack.t1190
- cve-2024-1708
- anubis
---
title: Suspicious Exchange PowerShell Deserialization Activity
id: e5f6g7h8-9012-34ij-klmn-567890123456
description: Detects suspicious PowerShell commands often used post-exploitation in Microsoft Exchange deserialization attacks.
status: experimental
date: 2026/07/13
author: Security Arsenal
logsource:
product: windows
service: security
detection:
selection_id:
EventID: 4688
selection_process:
NewProcessName|endswith: \powershell.exe
selection_cmdline:
CommandLine|contains:
- 'New-Object'
- 'System.Management.Automation.AmsiUtils'
- 'System.Reflection.Assembly'
- 'DownloadString'
CommandLine|contains:
- 'Exchange'
- 'IIS'
- 'HttpProxy'
condition: all of selection_*
level: high
tags:
- attack.execution
- attack.t1059.001
- cve-2023-21529
- anubis
---
title: Ransomware Lateral Movement via SMB and PsExec
id: m9n0o1p2-3456-78qr-stuv-901234567890
description: Detects lateral movement patterns consistent with ANUBIS propagation using PsExec or SMB administrative shares.
status: experimental
date: 2026/07/13
author: Security Arsenal
logsource:
product: windows
service: security
detection:
selection_smb:
EventID: 5140
ShareName|contains:
- 'ADMIN$'
- 'C$'
SubjectUserName|contains:
- 'ADMIN'
- 'svc'
selection_psexec:
EventID: 4688
NewProcessName|contains:
- '\psexec.exe'
- '\psexec64.exe'
- '\PAExec.exe'
CommandLine|contains: '\\'
condition: 1 of selection_*
level: high
tags:
- attack.lateral_movement
- attack.t1021.002
- anubis
KQL (Microsoft Sentinel)
// Hunt for potential lateral movement and data staging associated with Anubis
// Looks for rapid file modifications or mass copy operations across the network
SecurityEvent
| where EventID in (5140, 5145) // File share access
| project TimeGenerated, Computer, SubjectUserName, ShareName,IpAddress, AccessMask
| where SubjectUserName != "ANONYMOUS LOGON"
| summarize count() by IpAddress, SubjectUserName, bin(TimeGenerated, 5m)
| where count_ > 10 // Threshold for excessive share access
| join kind=inner (
SecurityEvent
| where EventID == 4624 // Logon Type 3 (Network) or 10 (RemoteInteractive)
| where LogonType in (3, 10)
| project TimeGenerated, Computer, TargetUserName, IpAddress
) on IpAddress
| project TimeGenerated, IpAddress, SubjectUserName, TargetUserName, Computer
| order by TimeGenerated desc
PowerShell Hardening Script
# ANUBIS Response Script: Check for RDP exposure, Scheduled Tasks, and VSS Tampering
# Requires Administrator Privileges
Write-Host "[+] Starting ANUBIS Hardening Check..." -ForegroundColor Cyan
# 1. Check for exposed RDP (Registry based check)
$RDPPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$fDenyTSConnections = (Get-ItemProperty -Path $RDPPath).fDenyTSConnections
if ($fDenyTSConnections -eq 0) {
Write-Host "[WARNING] RDP is ENABLED. Consider disabling if not required." -ForegroundColor Red
} else {
Write-Host "[OK] RDP is Disabled." -ForegroundColor Green
}
# 2. Enumerate Scheduled Tasks created in the last 7 days
$DateCutoff = (Get-Date).AddDays(-7)
Write-Host "\n[+] Checking Scheduled Tasks created/modified in the last 7 days..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {
$_.Date -gt $DateCutoff -or
(Get-ScheduledTaskInfo $_).LastRunTime -gt $DateCutoff
} | ForEach-Object {
$TaskInfo = Get-ScheduledTaskInfo $_
Write-Host "Task Name: $($_.TaskName) | Author: $($_.Author) | Last Run: $($TaskInfo.LastRunTime)" -ForegroundColor Yellow
}
# 3. Check for recent Volume Shadow Copy (VSS) modifications or deletions
# VSS writers often fail or are targeted before encryption
Write-Host "\n[+] Checking VSS Writer State..." -ForegroundColor Cyan
try {
vssadmin list writers 2>&1 | Select-String "State" | ForEach-Object {
if ($_ -notlike "*[1-9] errors*" -and $_ -notlike "*State: [1-9]*") {
# A crude check, usually stable state is 1 (Stable) or 5 (Waiting for completion)
# We look for generic writer state output to ensure no critical failures
}
}
Write-Host "[OK] VSS Writers queried. Verify output manually for errors." -ForegroundColor Green
} catch {
Write-Host "[ERROR] Could not query VSS writers." -ForegroundColor Red
}
# Check for processes typical of ransomware staging (RClone, WinRAR, 7zip)
$StagingProcs = @("rclone.exe", "winrar.exe", "7z.exe", "powershell.exe")
Write-Host "\n[+] Checking for high-risk staging processes..." -ForegroundColor Cyan
Get-Process | Where-Object { $StagingProcs -contains $_.ProcessName } | Select-Object ProcessName, CPU, StartTime | Format-Table
Write-Host "\n[+] Script Complete." -ForegroundColor Cyan
---
Incident Response Priorities
T-minus Detection Checklist
- Check Point VPN Logs: Review logs for IKEv1 connection attempts originating from unusual geolocations or non-corporate IPs. Look for successful authentications where no corresponding MFA push was recorded.
- ScreenConnect Audit: immediately audit
ScreenConnectweb logs for the specific date ranges of July 10-13, 2026. Look for/App_Extensions/path traversal attempts in HTTP requests. - Exchange IIS Logs: Hunt for
POSTrequests toOABorEWSvirtual directories that result in 500 errors (indicative of exploit attempts) or 200 status codes from anomalous user agents.
Critical Assets for Exfiltration
- Healthcare: Patient PHI (EMR databases), MRI/DICOM imaging archives.
- Business Services: Financial records (QuickBooks/Accpac), Client HR databases, Legal contracts.
Containment Actions
- Immediately block inbound IKEv1 traffic on Check Point gateways and enforce strict IKEv2/IPSec only.
- Isolate any ScreenConnect servers from the network; require VPN connectivity to access the management console.
- Disable the
IISAppPool on Exchange servers if exploitation is suspected, pending patch verification.
Hardening Recommendations
Immediate (24 Hours)
- Patch CVE-2026-50751: Apply the Check Point hotfix immediately. Disable IKEv1 support if legacy clients do not require it.
- Patch CVE-2024-1708: Update ConnectWise ScreenConnect to the latest patched version. Restrict access to the management interface via Firewall policies (allowlist IPs only).
- Patch CVE-2023-21529: Apply the latest Exchange Security Updates (CU/SU).
Short-term (2 Weeks)
- Network Segmentation: Ensure IT management tools (ScreenConnect, RDP) reside on a dedicated management VLAN, strictly segregated from general user networks and the internet.
- MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all VPN and remote management access.
- Egress Filtering: Implement strict egress filtering to block known ransomware C2 domains and anomalous data transfer protocols (e.g., SSH, FTP) from endpoints.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.