Malware · Ransomware · Exploits 2 CVEs

Sinobi Ransomware

Sinobi Ransomware is a Windows-targeting ransomware-as-a-service (RaaS) operation that emerged in mid-2025. It is suspected to be a rebrand/successor or splinter of the Lynx ransomware group, with reported lineage ties to the INC Ransomware family; technical comparisons cited include BinDiff similarity of ~63.2% (Lynx vs Sinobi) and ~55.9% (INC Ransom vs Sinobi), consistent with shared tooling/source code rather than definitive operator identity.

Sinobi is described as operating a hybrid model with a closed set of trusted affiliates plus in-house operators, and it uses double extortion: theft/exfiltration of victim data with threats of publication on a Tor-based leak site, followed by file encryption. It primarily targets medium-to-large organizations, with victim sectors including manufacturing, healthcare, financial services, and education; most victims are reported in the United States, with additional activity in Canada, Australia, and the United Kingdom. One observed victim mentioned is Impressico Business Solutions (data posted on Sinobi’s dark web site).

Initial access has been observed via compromised remote access credentials (VPN gateways and RDP), phishing with malicious attachments or links, and exploitation of SonicWall vulnerabilities, including CVE-2024-53704 (SonicWall SonicOS SSL VPN authentication bypass) and CVE-2024-40766 (SonicOS improper access control). Reporting also notes deployments that began with compromised SonicWall SSL VPN credentials rather than an exploit.

Post-compromise activity described includes creation of new local administrator accounts and adding accounts to Domain Admins, domain/share/privileged-account enumeration via scripts and living-off-the-land tooling, lateral movement to high-value systems (database, backup, and mail servers), and defense evasion including locating and using Carbon Black EDR uninstall credentials to remove the EDR. Data collection includes financial records, intellectual property, and customer data; exfiltration is reported using rclone to attacker-controlled infrastructure.

Encryption uses Curve25519 for key exchange (the curve25519-donna implementation is referenced) and AES-128-CTR for file contents, with a per-file key generated via CryptGenRandom. Before encrypting, the malware terminates processes associated with SQL servers, backup services, and Microsoft Exchange so that their files are no longer locked, deletes Volume Shadow Copies (via DeviceIoControl, resizing the shadow storage to zero), empties the Recycle Bin (SHEmptyRecycleBinA), mounts hidden drives so they are encrypted as well, and sets the HKCU\Control Panel\Desktop\Wallpaper value to display a ransom wallpaper. Encrypted files receive the .SINOBI extension, and a README.txt ransom note is dropped containing a victim identifier, Tor negotiation instructions, and a countdown timer, often set to about 7 days; the note claims the operation is financially rather than politically motivated.
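The post-compromise and encryption-phase behaviours above map onto a handful of host telemetry signals a defender can alert on: additions to local Administrators or Domain Admins, execution of rclone, a Wallpaper registry write by something other than the shell, and a burst of renames to the .SINOBI extension from a single process. The following is an added example, not Mallory's or any vendor's detection code; the event schema (type/host/pid/image/cmdline/key/old_path/new_path), the sample telemetry and the thresholds are constructed for illustration and would need tuning against real EDR or Sysmon data.

```python
"""Behavioural detections for the Sinobi intrusion chain summarised above.

Added example, not Mallory's or any vendor's code. The event schema and the
telemetry below are constructed for this example; thresholds are illustrative.
"""
from collections import defaultdict

SINOBI_EXT = ".sinobi"                                   # extension named in the profile
WALLPAPER_KEY = r"HKCU\Control Panel\Desktop\Wallpaper"  # registry value named in the profile
EXFIL_TOOLS = {"rclone.exe"}                             # exfil tool named in the profile
PRIV_GROUPS = ("administrators", "domain admins")        # groups named in the profile
MASS_RENAME_THRESHOLD = 5    # distinct files renamed to .SINOBI by one process ...
MASS_RENAME_WINDOW = 60      # ... within this many seconds (illustrative values)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Run every rule over a list of event dicts; return sorted (ts, host, rule, detail) tuples."""
    alerts = []
    renames = defaultdict(list)   # (host, pid) -> timestamps of recent .SINOBI renames
    fired = set()                 # (host, pid) that already produced a mass-rename alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, host, ts = ev["type"], ev["host"], ev["ts"]
        if kind == "process":
            image, cmd = _basename(ev["image"]), ev["cmdline"].lower()
            # Exfiltration: rclone launched on a server (profile: rclone to attacker infrastructure)
            if image in EXFIL_TOOLS:
                alerts.append((ts, host, "exfil_tool_exec", ev["cmdline"]))
            # Privilege: net.exe adding an account to Administrators or Domain Admins
            if image == "net.exe" and "/add" in cmd and any(g in cmd for g in PRIV_GROUPS):
                alerts.append((ts, host, "privileged_group_add", ev["cmdline"]))
        elif kind == "registry_set":
            # Ransom wallpaper: Wallpaper value written by a process other than explorer.exe
            if ev["key"].lower() == WALLPAPER_KEY.lower() and _basename(ev["image"]) != "explorer.exe":
                alerts.append((ts, host, "wallpaper_set_by_non_shell", ev["image"]))
        elif kind == "file_rename":
            # Encryption phase: burst of renames to .SINOBI from one process inside a sliding window
            if ev["new_path"].lower().endswith(SINOBI_EXT):
                key = (host, ev["pid"])
                bucket = [t for t in renames[key] if ts - t <= MASS_RENAME_WINDOW] + [ts]
                renames[key] = bucket
                if len(bucket) >= MASS_RENAME_THRESHOLD and key not in fired:
                    fired.add(key)
                    alerts.append((ts, host, "mass_rename_sinobi",
                                   f"pid {ev['pid']}: {len(bucket)} renames within {MASS_RENAME_WINDOW}s"))
    return sorted(alerts)


# Constructed sample telemetry (not real logs): one intrusion on fs01 plus benign noise on ws07.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "fs01", "pid": 1001, "type": "process",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators svc_backup /add"},
    {"ts": 105, "host": "fs01", "pid": 1002, "type": "process",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" svc_backup /add /domain'},
    {"ts": 110, "host": "fs01", "pid": 1003, "type": "process",   # benign share mapping: no alert
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net use Z: \\fs02\finance"},
    {"ts": 300, "host": "fs01", "pid": 2001, "type": "process",
     "image": r"C:\Users\Public\rclone.exe", "cmdline": r"rclone.exe copy D:\Finance remote:dump --transfers 8"},
    {"ts": 500, "host": "ws07", "pid": 3001, "type": "registry_set",   # user-chosen wallpaper: no alert
     "image": r"C:\Windows\explorer.exe", "key": WALLPAPER_KEY},
    {"ts": 900, "host": "fs01", "pid": 4242, "type": "registry_set",
     "image": r"C:\Users\Public\update.exe", "key": WALLPAPER_KEY},
]
# Five renames in five seconds from one process on fs01: crosses the threshold.
SAMPLE_EVENTS += [
    {"ts": 901 + i, "host": "fs01", "pid": 4242, "type": "file_rename",
     "old_path": rf"D:\Finance\q{i}.xlsx", "new_path": rf"D:\Finance\q{i}.xlsx.SINOBI"}
    for i in range(5)
]
# Three renames spread over 200 seconds on ws07: never enough inside one window, so no alert.
SAMPLE_EVENTS += [
    {"ts": 2000 + 100 * i, "host": "ws07", "pid": 5555, "type": "file_rename",
     "old_path": rf"C:\Users\a\doc{i}.docx", "new_path": rf"C:\Users\a\doc{i}.docx.SINOBI"}
    for i in range(3)
]

if __name__ == "__main__":
    for ts, host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{ts:>5} {host:<5} {rule:<28} {detail}")
```

The sliding window keys on (host, pid) rather than on host alone so that a slow, legitimate batch rename elsewhere does not pollute the count, and each process alerts once; in practice the rename rule is the highest-fidelity signal here, while the net.exe and wallpaper rules are earlier but noisier and are best treated as enrichment for the same host.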


Exploited CVEs

Two CVEs Mallory has correlated with this family across public research and vendor advisories:

CVE-2024-53704: Authentication Bypass in SonicWall SonicOS SSLVPN (exploited in the wild)
CVE-2024-40766: SonicWall SonicOS Improper Access Control Vulnerability (exploited in the wild)

Supporting evidence for both entries, via the SOCRadar blog (socradar.io):

"Observed access vectors included VPN gateways and Remote Desktop Protocol accounts. In parallel, the intrusion showed exploitation of known vulnerabilities such as CVE-2024-53704 affecting SonicWall SSL VPN authentication and CVE-2024-40766 related to improper access control."