Anubis RaaS Stole 2TB from Brockton Hospital — Chemo Canceled, ER on Divert

Anubis affiliates gain initial access through two primary vectors: spear-phishing emails carrying malicious attachments or links targeting hospital staff, and exploitation of exposed Remote Desktop Protocol services — a persistent vulnerability across healthcare IT environments where legacy clinical systems often require persistent RDP access for maintenance.

Once inside, Anubis affiliates escalate privileges using access token manipulation (MITRE ATT&CK T1134.002), impersonating high-privilege accounts to move laterally through clinical and administrative network segments. Discovery tooling maps the environment for the highest-value data stores — EHR databases, billing systems, patient records archives. Exfiltration precedes payload deployment; in the Signature Healthcare case, 2TB was removed before any encryption or disruption activity.

The ransomware payload is invoked via command-line with parameters including /KEY= (initiates ECIES encryption), /elevated (forces administrative execution), /PATH= or /PFAD= (targets specific directories), and optionally /WIPEMODE (activates irreversible file overwrite). The command vssadmin delete shadows /for=norealvolume /all /quiet eliminates Volume Shadow Copies, blocking native recovery. Broad service termination targets backup utilities, database engines, security software, and productivity tools before encryption begins.

In the Brockton case, Anubis affiliates opted for the data-theft-only model — no encryption was deployed against clinical systems. This approach is increasingly common: it achieves the same extortion outcome without triggering the operational chaos that full encryption causes, which paradoxically increases media attention and law enforcement pressure on the operators.

Anubis claimed to have exfiltrated more than 2 terabytes of what it described as 'critical' and 'sensitive' patient information. At scale, 2TB of structured healthcare data can contain hundreds of thousands of complete patient records: names, dates of birth, Social Security numbers, insurance identifiers, medication histories, diagnostic records, and billing information.

Signature Healthcare operates Brockton Hospital, New England's fourth-largest hospital by bed count, and a network of clinics serving southeastern Massachusetts. The organisation employs over 2,400 staff and handles tens of thousands of patient interactions annually. The patient population is disproportionately low-income and uninsured — a demographic with limited capacity to monitor and respond to identity theft downstream of a data breach.

For patients, the immediate risks are identity theft and healthcare fraud — the use of stolen insurance identifiers to file fraudulent claims or obtain controlled substances. Medical identity theft is particularly damaging because it can corrupt a patient's health record with false diagnoses and medications, creating dangerous situations in future emergency care.

Signature Healthcare has not confirmed the data contents or notified affected patients as of April 18, 2026. Under HIPAA's Breach Notification Rule, organisations have 60 days from discovery to notify affected individuals. The clock started on April 6.

Anubis is believed to be a direct rebrand of the Sphinx ransomware operation — code-level analysis by multiple threat intelligence firms shows near-identical functionality between late Sphinx samples and early Anubis builds, indicating a rebrand rather than a fork or independent development.

The group's operational profile bears the hallmarks of Russian-speaking RaaS operators: targeting patterns consistently exclude former Soviet states, recruitment occurs on Russian-language cybercrime forums, and operational timing aligns with Eastern European business hours. Six-plus months of victim listings show a clear preference for healthcare organisations in North America — a sector with high-value regulated data, chronic underinvestment in security tooling, and strong financial and regulatory pressure to pay ransoms quickly to restore patient care.

Anubis's wiper capability sets it apart from every other major RaaS group active in April 2026. Most ransomware groups threaten data destruction as a negotiating lever but lack a reliable mechanism to execute it. Anubis has built the capability into the payload itself — the /WIPEMODE parameter triggers irreversible file overwrite during the same execution that handles encryption. This means a single affiliate deployment can pivot from a recoverable encryption event to a permanent destruction event at the operator's discretion, without redeploying any tooling.

As the [Qilin BYOVD EDR-silencing campaign](/blog/qilin-byovd-edr-silencing) demonstrated in early 2026, modern RaaS groups are investing in capabilities specifically designed to defeat the defenses hospitals have deployed since the Change Healthcare attack in 2024.

Early detection of Anubis activity is possible if security teams are hunting for the right signals. The most actionable detection opportunity is the pre-deployment phase: the interval between initial access and payload execution where affiliates are conducting discovery and staging exfiltration.

Hunting priorities: anomalous RDP authentication events (particularly off-hours logons from external IPs or internal lateral movement over RDP); bulk file access or staging activity on file servers containing patient records; large outbound data transfers to non-standard destinations; and process execution of vssadmin with shadow copy deletion arguments. Any process invoking command-line parameters containing /KEY=, /elevated, /WIPEMODE, /PATH=, or /PFAD= should trigger an immediate alert and investigation.

Post-deployment indicators include files with the .anubis extension across multiple directories, zero-byte files (wipe mode artifact), and ransom note files in affected directories. Service termination events affecting backup agents, database services, and security software in rapid succession are a strong indicator of ransomware deployment in progress.

Organisations that experienced the GoAnywhere-Clop supply chain attacks in 2023 (detailed in the [CVE-2023-0669 analysis](/blog/cve-2023-0669-goanywhere-mft-rce-clop-ransomware)) will recognise the exfiltration-first model — Anubis is executing the same playbook against healthcare infrastructure.

Healthcare organisations face a specific defensive challenge against Anubis: the group's data-theft-only model means encryption-centric defenses — immutable backups, snapshot recovery — provide no protection against the primary extortion mechanism. The backup is irrelevant if the 2TB of patient data is already on Anubis's exfiltration infrastructure. The defensive priority must shift upstream to preventing exfiltration in the first place.

Of Anubis's 70+ confirmed victims, healthcare organisations appear most frequently — a deliberate targeting decision, not opportunism. Healthcare organisations hold three attributes that make them uniquely profitable for data-extortion operations.

First, patient data has the highest per-record value of any data class on dark web markets. A complete healthcare record — containing insurance identifiers, diagnostic history, medication records, and billing data — sells for $250–$1,000 per record versus $5–$25 for a financial record. 2TB of structured patient data represents potential secondary market value in the tens of millions of dollars, independent of any ransom payment.

Second, healthcare organisations face patient safety obligations that create maximum urgency to resolve incidents. A hospital cannot tolerate weeks of downtime. Every hour that EHR systems remain offline is an hour that clinical staff are operating with reduced situational awareness — a fact Anubis operators explicitly leverage in ransom negotiations.

Third, healthcare is subject to HIPAA's mandatory breach notification requirements. Even if an organisation believes it can absorb the operational disruption without paying, the regulatory clock — 60 days to individual notification, potential OCR investigation, fines of up to $1.9 million per violation category — creates a separate financial pressure that ransom operators factor into their demands. Anubis's removal of Signature Healthcare from its leak site suggests the negotiation is alive. The ransom is almost certainly less than the breach notification and regulatory exposure.

The Anubis ransomware attack on Signature Healthcare is a template for the 2026 healthcare extortion playbook: no encryption, no operational chaos, just 2TB of patient records on a dark web portal and a countdown clock. Backup resilience is irrelevant when the threat is publication. The fact that Anubis removed Signature Healthcare from its leak site means a negotiation is underway — not that the threat has passed. Patients of Brockton Hospital should assume their data is in the hands of a Russian-speaking criminal operation and act accordingly. For every healthcare security team reading this: your priority today is not your backup recovery time objective — it is your ability to detect and stop a 2TB exfiltration before it completes. Run a tabletop on that scenario this week.