Anubis, Citrix Bleed 2 and EDR Killers: The 2026 Ransomware Resilience Playbook for Mid-Market Companies

On 2 July 2026, The Hacker News reported that affiliates of the Anubis ransomware-as-a-service operation are exploiting Citrix Bleed 2 (CVE-2025-5777, CVSS 9.3) to bypass authentication at the network edge, per Arctic Wolf research. Ransomware.Live data cited in the same coverage counts 91 total Anubis victims — 11 in June 2026 alone — with more than half in the United States. Kaspersky and Expel separately documented "The Gentlemen" RaaS killing EDR from Microsoft, ESET, Palo Alto Networks and SentinelOne via a BYOVD zero-day in the Kontron ktapi.sys driver; Sophos analysed the VECT/TeamPCP supply-chain-plus-ransomware partnership; and an FBI flash alert on 2 July 2026 warned organisations to treat exfiltrated credentials as a persistent long-term risk. Every prevention layer buyers rely on has a demonstrated bypass in this wave — MFA at the edge, EDR at the endpoint, backups under wiper pressure, credentials in the supply chain. The six-part resilience playbook is inside.

CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai

Anubis, Citrix Bleed 2 and EDR Killers: The 2026 Ransomware Resilience Playbook for Mid-Market Companies

What The Hacker News, Arctic Wolf, Kaspersky, Expel, Sophos and the FBI reported the week of 2 July 2026

On **2 July 2026**, *The Hacker News* published an attributed round-up of what it and the underlying primary researchers describe as the most operationally significant ransomware wave of the year to date. The reporting draws on **Arctic Wolf** telemetry on the **Anubis** ransomware-as-a-service (RaaS) operation, **Rubrik Zero Labs** analysis of Anubis's destructive **/WIPEMODE** payload published in July 2025, **Kaspersky** and **Expel** research on a separate RaaS branded **"The Gentlemen"**, **Sophos** analysis of the **VECT/TeamPCP** partnership announced in March 2026, and an **FBI flash alert dated 2 July 2026**. Nothing below is invented; every claim in this article is attributed to the primary source that stated it.

The Anubis reporting is the anchor. Per Arctic Wolf, Anubis affiliates are exploiting **CVE-2025-5777**, the vulnerability publicly branded **"Citrix Bleed 2,"** which affects **Citrix NetScaler ADC and NetScaler Gateway** appliances and carries a **CVSS score of 9.3**. The class is authentication bypass at the network edge: an unauthenticated attacker can reach protected sessions without going through the identity provider or through any of the multi-factor authentication controls that sit behind it. **Ransomware.Live** data cited by *The Hacker News* counts **91 Anubis victims claimed to date**, with **11 in June 2026 alone**. The geographic distribution is over **50% United States**, followed by the **United Kingdom, Australia, France and Canada**. The sector distribution is **healthcare, business services, manufacturing, technology and financial services** — a spread that essentially rules out "we're too small a target" as a mid-market defensive posture.

Arctic Wolf's technical description of Anubis affiliate tradecraft is what makes the wave operationally different from earlier RaaS families. Post-access, affiliates abuse **legitimate remote monitoring and management (RMM) tools** — Arctic Wolf specifically names **ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC and Total Software Deployment** — to establish persistent, seemingly-legitimate remote sessions. They set up **Cloudflare Tunnel** infrastructure for long-lived, outbound-only persistence that is trivial to miss in default egress rules. They **exfiltrate data via rclone, WinSCP and S3 Browser**, all of which are routinely used by legitimate administrators. They **disable Windows Defender** and **clear Windows event logs** before detonation. Every one of these tools is a signed, allow-listed, business-legitimate binary in most estates. That is the point: the affiliates are not smuggling in bespoke malware for the detection layer to catch — they are pushing the operation into the space where "unknown malicious tool" alarms are structurally silent.

**Rubrik Zero Labs**'s July 2025 analysis of Anubis's destructive payload adds a specific pressure on the backup layer. The Anubis executable ships with a **/WIPEMODE** flag; per Rubrik, executing with this flag **reduces targeted files to 0 KB regardless of whether the ransom is paid**. The extortion economics are also public: **Anubis affiliates keep 80% of paid ransoms**, per the same reporting. The combination — a working wiper mode plus an affiliate model that pays affiliates most of the take — is precisely the combination that makes "we'll just refuse to pay and restore from backups" a fragile assumption unless the backups themselves have been engineered against wiper scenarios.

The same *Hacker News* article carries a separate, parallel disclosure. **Kaspersky** and **Expel** document a RaaS branded **"The Gentlemen"** that combines a **Go-language backdoor** with a **BYOVD (Bring Your Own Vulnerable Driver)** zero-day in the **Kontron ktapi.sys** driver. The BYOVD technique loads a legitimately-signed but vulnerable kernel driver and uses it to gain kernel-level primitives — including the ability to terminate protected user-mode processes. Kaspersky and Expel report that "The Gentlemen" uses this specific primitive to **kill EDR processes from Microsoft, ESET, Palo Alto Networks and SentinelOne**. Expel researcher **Marcus Hutchins** is quoted in the coverage saying that *"BYOVD lets attackers disable state-of-the-art endpoint security in seconds, even on fully patched Windows."* That quote is Expel's, not ours; we cite it because it captures the correct threat-model update for a mid-market CISO.

**Sophos**'s analysis of the **VECT/TeamPCP** partnership — announced in March 2026 by the two operations themselves — describes a division of labour in which VECT contributes **supply-chain credential-theft capability**, including the recently-documented attacks on the **Trivy** and **LiteLLM** package ecosystems, and TeamPCP contributes the **ransomware deployment capability** downstream. The FBI's **flash alert of 2 July 2026** referenced in the same coverage warns organisations to **treat exfiltrated credentials as a persistent, long-term risk** — the point being that a supply-chain credential theft in one quarter can drive a ransomware detonation in a later quarter, with no adjacent-in-time signal to link the two events for the victim.

Why every prevention layer buyers rely on has a demonstrated bypass in this wave

The reason to open this piece with the primary sources is that, taken together, they describe a wave in which **every single prevention layer a mid-market buyer typically relies on has a demonstrated bypass** already in use in the field.

**Multi-factor authentication** is bypassed. Not because the MFA implementation is weak, but because Citrix Bleed 2 (CVE-2025-5777) executes at the edge appliance, **before the identity flow**. The identity provider and the MFA control never see the request.

**EDR** is bypassed. Not because the EDR product is weak, but because the BYOVD chain reported by Kaspersky and Expel operates from the **kernel**, above the EDR agent's protection domain, using a legitimately signed vulnerable driver.

**Backups** are pressured. Not because backup products are weak, but because Anubis's **/WIPEMODE** flag, per Rubrik Zero Labs, **destroys files to 0 KB whether or not the ransom is paid**, and the affiliate incentive is to detonate wide.

**Credentials** are compromised upstream. Per Sophos and the FBI, credentials stolen via the **VECT / Trivy / LiteLLM** supply-chain chain persist as a long-term risk **regardless of what the victim organisation itself did** — the victim's password policy, MFA rollout and phishing training are all upstream of the compromise event.

The correct read for a mid-market CISO is that **prevention alone is no longer a viable stance** for this class of attack, and the historical implicit contract with prevention vendors — "buy the product, close the risk" — has been rewritten by the primary research above. Resilience becomes the target metric, not prevention.

The 2026 ransomware resilience playbook: six controls

The playbook below is framed as six controls that map directly to the four bypassed layers above, plus two operational controls that make the difference between "incident" and "material incident" in a wave with the described characteristics. It is designed to be implementable by an in-house security team or contracted to a managed provider; either way, the six items are auditable and can be turned into contract clauses.

1. Edge-appliance inventory and a patch SLA measured in days

Citrix Bleed 2 is a specific instance of a general pattern: **network-edge appliances** — VPN concentrators, load balancers, application-delivery controllers, remote-access gateways — are the most-attacked surface of 2025-2026 because they sit in front of identity and MFA controls. The prerequisite control is an **exhaustive inventory** of every edge appliance in the estate, tagged with vendor, version, exposed CVE state, and business owner. The SLA for patching against a **CISA Known Exploited Vulnerabilities (KEV) entry or a CVSS 9+ appliance advisory** should be measured in **days, not weeks**. Anything longer is a gap that the current wave will find.

2. Immutable and offline backups, explicitly tested against wiper scenarios

Rubrik Zero Labs' documentation of Anubis /WIPEMODE means the correct backup posture is **immutable** (write-once, cannot be modified or deleted by any credential in the domain), **offline** or logically-isolated (not reachable from a compromised production identity plane) and **explicitly tested against wiper scenarios** — not only "can we restore" but "can we restore in the scenario where the production files are 0 KB and the payment path is closed by policy." Tabletop exercises should include a scenario in which the ransom is not payable, either by policy or by sanctions posture; the backup restoration path must be viable in that scenario.

3. Behavioural detection of legitimate-tool abuse — RMM allowlist by policy

Arctic Wolf's list of RMM tools abused by Anubis affiliates — ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment — is not a blocklist to be added to the EDR. It is the case for a **positive-control policy** on remote-administration tools: which specific RMM tools are contractually authorised in the estate, and on which specific hosts. Every RMM tool observed on any host that is not on that list should raise an alert regardless of whether the binary is signed and reputationally clean. This is the specific control that inverts the affiliate advantage of "the tool is legitimate, so the alarm is silent."

4. Egress monitoring and unauthorised-tunnel detection

Cloudflare Tunnel is a legitimate service and a legitimate persistence primitive for attackers. The generalisation is that any **outbound-only, long-lived tunnelling infrastructure** — Cloudflare Tunnel, ngrok, Tailscale relays, custom SSH reverse tunnels — is a class of persistence that traditional inbound-oriented firewall rules ignore by construction. The control is **egress inspection and tunnel-establishment alerting**, with an authorised-tunnels registry and an alert on anything outside it. The equivalent for exfiltration paths (rclone, WinSCP, S3 Browser named by Arctic Wolf) is a policy-level egress data-loss control on customer and workforce endpoints, not only on servers.

5. Credential rotation triggered by upstream supply-chain exposure

The FBI flash alert of 2 July 2026 and Sophos's VECT/TeamPCP analysis describe a specific operational pattern: **credentials stolen upstream** (in a compromised package, a compromised CI system, a compromised third-party service) **persist** and are used weeks or months later by an unrelated ransomware operator. The correct control is a **rotation policy triggered by upstream supply-chain exposure events**, not by internal-only signals. When a package ecosystem the organisation depends on (Trivy, LiteLLM and the wider Python/JavaScript supply chain named in the reporting) publishes a credential-exposure event, rotation of tokens, service-account secrets and privileged-user credentials that could have been in that scope should be automatic, not discretionary.

6. 24/7 managed detection and response with human responders

The final control is the operational one. The wave the primary sources describe **compresses the disclosure-to-exploitation window to hours**, uses **legitimate tooling** that raises no static alarms, and executes destructive actions (wiper mode, log clearing, Defender disablement) that leave a narrow **live window** in which a responder can act. The mid-market economics of staffing a 24/7 security operations centre in-house — three shifts, on-call rotation, senior escalation bench, tooling licences — are prohibitive for most organisations below the Fortune 1000 line. **Managed detection and response (MDR)** with contracted 24/7 human responders is the pragmatic answer for the mid-market; the important qualifier is *human responders*, because the specific controls above (RMM allowlist enforcement, tunnel alerting, credential-rotation triggering) require judgement, not only pattern matching.

Where Call IT Dev fits: managed cybersecurity and 24/7 technical support from Morocco

Call IT Dev delivers the operational controls above from a nearshore Morocco footprint. The relevant capabilities are: a **managed SOC with 24/7 human coverage**, **technical support and helpdesk operations** in **29 languages**, **edge-appliance patching operations** as a managed service, and **incident-response retainer** engagements sized to the mid-market. The delivery footprint is **Casablanca, Rabat and Kenitra**, with delivery cover from **Madrid and Dubai**, and the labour-cost basis is materially below Southern European benchmarks while remaining in the CET-adjacent time zone that European buyers actually operate in.

The offer is not "we replace Arctic Wolf, Kaspersky, Expel, Sophos or your incumbent EDR." It is: we **stand up and operate the six controls above as a managed service**, plug into the incumbent tooling stack, and staff the human-in-the-loop layer that the current wave specifically targets. The relevant service pages are **[managed cybersecurity services](/en/services/cybersecurity)**, **[24/7 technical support](/en/services/technical-support)**, and **[cloud and infrastructure services](/en/services/cloud-infrastructure)**; the buyer read on Morocco as a nearshore delivery geography is on the **[why Morocco page](/en/why-morocco)**.

Further reading

For the **procurement-side** analysis of the parallel 2026 shift in voice-AI CX operations — how to choose a deployment partner now that vendors are contracted separately from operators — see our companion piece, **[Voice AI Is Done Piloting: How to Choose a CX Deployment Partner in 2026](/en/blog/voice-ai-deployment-partner-cx-outsourcing-buyer-guide-2026)**.

${CTA_ANUBIS}

Frequently Asked Questions

What is Citrix Bleed 2 (CVE-2025-5777) and why does it matter?

Citrix Bleed 2 is the public name for CVE-2025-5777, an authentication-bypass vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances with a CVSS score of 9.3. Per Arctic Wolf research cited by The Hacker News on 2 July 2026, affiliates of the Anubis ransomware-as-a-service operation are actively exploiting it. It matters because the flaw executes at the network-edge appliance, before the identity provider and before any MFA control — so the entire MFA layer that most mid-market organisations rely on for remote-access assurance is structurally bypassed on unpatched appliances.

Why is MFA not enough against the current ransomware wave?

Because in the wave described by Arctic Wolf, Kaspersky, Expel and Sophos in the reporting of 2 July 2026, the attackers do not attempt to defeat MFA — they operate above or below it. Citrix Bleed 2 executes at the edge appliance, so the identity flow and its MFA step never run. BYOVD EDR-killers operate from the kernel, above the endpoint agent that MFA-strong sign-in would land on. Supply-chain credential theft (VECT/TeamPCP, Trivy, LiteLLM per Sophos) occurs upstream of the victim organisation entirely. MFA remains necessary, but is no longer sufficient; resilience becomes the correct target metric rather than prevention.

What is BYOVD and why does it kill EDR?

BYOVD stands for Bring Your Own Vulnerable Driver. The attacker loads a legitimately-signed but vulnerable Windows kernel driver — in the current wave, Kaspersky and Expel identify a zero-day in the Kontron ktapi.sys driver used by "The Gentlemen" ransomware-as-a-service — and uses the vulnerable driver to gain kernel-level primitives. Kernel-level primitives allow termination of protected user-mode processes, including EDR agents from Microsoft, ESET, Palo Alto Networks and SentinelOne as reported. Expel researcher Marcus Hutchins is quoted saying "BYOVD lets attackers disable state-of-the-art endpoint security in seconds, even on fully patched Windows." The class was known; the current wave uses it operationally.

What is wiper-mode ransomware and how does it change the backup calculation?

Per Rubrik Zero Labs analysis published in July 2025 and cited in The Hacker News reporting, the Anubis ransomware executable ships with a /WIPEMODE flag that reduces targeted files to 0 KB regardless of whether the ransom is paid. Affiliates keep 80% of paid ransoms per the same reporting, which aligns incentives toward wide detonation. The backup calculation changes because "refuse to pay and restore" is only viable if backups are immutable, offline or logically-isolated, and explicitly tested against a scenario in which production files are 0 KB. Backups reachable from a compromised domain identity are not sufficient.

How fast should edge appliances be patched?

The pragmatic 2026 SLA for edge-appliance patching against a CISA KEV entry or a CVSS 9+ vendor advisory is measured in days, not weeks. Citrix Bleed 2 (CVE-2025-5777) is a specific instance of the general pattern that network-edge appliances — VPN concentrators, load balancers, application-delivery controllers, remote-access gateways — sit in front of identity and MFA controls and therefore behave as authentication-bypass surfaces when unpatched. Anything longer than a days-measured SLA is a gap that Ransomware.Live data cited by The Hacker News shows the current wave is finding: 91 Anubis victims total, 11 in June 2026 alone.

What does managed detection and response (MDR) cover in the context of this wave?

MDR in the context of the wave described covers the operational controls that require human judgement rather than static pattern matching: an RMM tool allowlist enforcement (Arctic Wolf specifically names ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC and Total Software Deployment abused by Anubis affiliates), unauthorised-tunnel detection (Cloudflare Tunnel persistence, and by extension ngrok, Tailscale relays and reverse SSH), egress inspection for exfiltration tooling (rclone, WinSCP, S3 Browser), credential-rotation triggering on upstream supply-chain exposure events, and 24/7 human-responder coverage during the narrow live window that wiper-capable ransomware leaves. Software-only MDR is insufficient; the "human responder" qualifier is load-bearing.

CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai — contact@callitdev.com — +212-537-373777