The Anubis ransomware operation has been identified exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to gain access to targeted environments. Its reliance on legitimate remote access tools for lateral movement highlights the evolving tactics of ransomware groups and the urgent need for organizations to patch exposed appliances.
The Anubis ransomware group, rebranded from Sphinx ransomware, has been actively exploiting the Citrix Bleed 2 vulnerability since early 2025. Their operations were formally announced on the RAMP underground forum, and they have targeted a range of sectors including healthcare and finance.
CVE-2025-5777 is a critical vulnerability in Citrix NetScaler ADC and Gateway, with a CVSS score of 9.3. Attackers can exploit this flaw to bypass authentication on appliances configured as a gateway, leading to unauthorized access. Reports indicate that Anubis affiliates are using both this exploit and valid VPN credentials to gain initial access.
Anubis affiliates are observed utilizing various legitimate remote management tools like ScreenConnect and Zoho Assist. This strategy allows them to blend their malicious activities with normal IT operations, making detection more challenging for security defenses.
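Because the RMM tools named above are also used legitimately, a useful detection is not "RMM tool ran" but "RMM tool ran on a host where IT never deployed it". The following is an added example, not code from the page or any vendor: it scans JSON process-creation events for ScreenConnect and Zoho Assist launches, compares them with a sanctioned-host inventory, and raises the severity when the client runs from a user-writable directory. Tool keywords, the inventory, file paths and log lines are all constructed for the example.

```python
import json
import re

# Vendor keywords to match in the image path (constructed for this example; build the
# real list from your own software inventory, not from these patterns).
RMM_KEYWORDS = {
    "ScreenConnect": re.compile(r"screenconnect", re.IGNORECASE),
    "Zoho Assist": re.compile(r"zoho[\s_-]?assist", re.IGNORECASE),
}

# Hosts on which each tool is legitimately deployed by IT (constructed inventory).
SANCTIONED = {
    "ScreenConnect": {"IT-ADMIN-01"},
}

# An RMM client launched from a user-writable location suggests an ad-hoc drop
# rather than a managed installation.
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata\\local\\temp)\\", re.IGNORECASE)


def classify_event(event, sanctioned=SANCTIONED):
    """Return an alert dict for an unsanctioned RMM launch, or None if nothing is wrong."""
    image = event.get("image", "")
    for tool, pattern in RMM_KEYWORDS.items():
        if not pattern.search(image):
            continue
        if event.get("host") in sanctioned.get(tool, set()):
            return None  # expected on this host
        severity = "high" if USER_WRITABLE.search(image) else "medium"
        return {"host": event.get("host"), "user": event.get("user"), "tool": tool,
                "image": image, "severity": severity}
    return None


def find_unsanctioned_rmm(lines, sanctioned=SANCTIONED):
    """Parse JSON process-creation lines and return alerts for unsanctioned RMM launches."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of crashing the pipeline
        alert = classify_event(event, sanctioned)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (hosts, users and binary names are placeholders).
SAMPLE_LINES = [
    '{"host":"IT-ADMIN-01","user":"itops","image":"C:\\\\Program Files (x86)\\\\ScreenConnect Client\\\\ScreenConnect.ClientService.exe"}',
    '{"host":"FIN-WS-12","user":"jdoe","image":"C:\\\\Users\\\\jdoe\\\\Downloads\\\\ScreenConnect.Client.exe"}',
    '{"host":"HR-WS-03","user":"asmith","image":"C:\\\\Program Files\\\\ZohoMeeting\\\\ZohoAssist.exe"}',
    '{"host":"HR-WS-03","user":"asmith","image":"C:\\\\Windows\\\\System32\\\\svchost.exe"}',
    'not json at all',
]

if __name__ == "__main__":
    for a in find_unsanctioned_rmm(SAMPLE_LINES):
        print(f"[{a['severity']}] {a['tool']} on {a['host']} by {a['user']}: {a['image']}")
```

On the sample data the sanctioned launch on IT-ADMIN-01 is ignored, the Downloads-folder ScreenConnect client on FIN-WS-12 is reported as high, and the Zoho Assist client on HR-WS-03 as medium.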
Anubis offers affiliates an 80% share of ransom payments, strengthening its recruitment model for cybercriminals. In addition, its /WIPEMODE module, which zeroes files when activated, increases pressure on victims to pay promptly before the data is irreversibly lost.
The activities of Anubis underline the critical importance of promptly addressing vulnerabilities in widely used software. With a high percentage of their victims based in the U.S. and significant healthcare and financial sectors affected, robust security measures are increasingly necessary to mitigate risks associated with ransomware operations.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.