THREAT ACTOR

Sinobi

THREAT LEVEL: 7.3
EMERGENCE DATE: Jun 2025
CATEGORY: Ransomware-as-a-Service
AFFILIATIONS: Lynx ransomware (suspected rebrand/evolution), INC Ransomware source code lineage

Description

Emerging in late June 2025, Sinobi rose within two months to rank among the most active global ransomware operations, growing at an exceptionally fast pace. Operating through suspected RaaS infrastructure, with nearly all victims in the United States, the group targets mid-market organizations with $10-50 million in annual revenue across the construction, manufacturing, and healthcare sectors. The operation gains access through compromised SonicWall SSL VPN credentials and exploitation of CVE-2024-53704, combines Curve-25519 key exchange with AES-128-CTR file encryption so that files cannot be recovered without the attacker's private key, and runs Tor-based leak infrastructure across nine hidden services that remained operational through October 2025.

CRITICALITY
Assesses the importance of the potential target, including its size or scale, the value of its data, and the operational impact of an attack.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

Sinobi traces technical lineage through INC Ransomware from August 2023, whose source code was sold for $300,000 on underground forums in spring 2024 and subsequently acquired by Lynx operators in July 2024. Binary analysis reveals 70% function similarity between Lynx and INC implementations. Code overlaps, leak site infrastructure parallels, and operational methodologies suggest rebrand or evolution of Lynx, though both groups currently operate in parallel. The operation likely follows standard affiliate revenue share model with selective vetting through Russian-language forums.

Current Status: Active operations through October 11, 2025, with operational infrastructure maintained and victim postings continuing

Threat Level: 7.3

Origins and Methodology

Sinobi established a significant operational presence within eight weeks by focusing on rapid execution rather than technical innovation. What sets the group apart is its strategic mid-market targeting at the $10-50 million revenue sweet spot: organizations able to pay substantial ransoms but with weaker security postures than enterprise environments.

Drawing on multi-generational ransomware lineage through INC and Lynx predecessors, the operation inherited battle-tested cryptographic implementation that prevents file recovery, EDR evasion techniques including Carbon Black disabling, and comprehensive anti-recovery measures. Compromised managed service provider credentials with domain administrator rights bypass typical attack chain requirements, providing immediate network-wide access for rapid deployment.

What is the Evolution of Sinobi Ransomware?
Formation

First identified late June 2025 with Tor-based data leak sites mirroring Lynx infrastructure, suggesting preparation prior to public emergence. Initial targeting concentrated on United States financial sector before expanding to construction, manufacturing, and professional services by July 2025. Immediate operational competence indicates experienced affiliate recruitment or continuation of Lynx operations under new identity.

Evolution

The initial months saw explosive growth, with Sinobi accounting for over 10% of ransomware cases during July 2025. August 2025 marked peak activity, with the group ranking behind Qilin and Akira. Technical capabilities remained consistent, inheriting Curve-25519 + AES-128-CTR from predecessor groups.

Late August 2025 brought operational tempo reduction with fewer victim claims through early September. Current operations since September 2025 maintain reduced but sustained activity with infrastructure continuously operational.

Lineage/Connections

The operation traces back through INC Ransomware from August 2023, whose source code was sold by Russian-speaking actor "salfetka" on underground forums for $300,000 during spring 2024, limited to three buyers. Lynx Ransomware emerged in July 2024 after purchasing this code, with binary analysis showing 70% function similarity and about half overall code similarity to INC.

Current operations show code overlaps and infrastructure parallels connecting to Lynx, though both groups claim victims in parallel. This suggests complex relationships potentially involving affiliate networks, shared tooling, or operational spinoffs rather than simple rebranding.

Which Unique Techniques Does Sinobi Use?

Multi-stage attacks draw on compromised VPN and RMM platforms for initial access, followed by reconnaissance, privilege escalation, and data exfiltration before ransomware deployment.

TECHNIQUE

DETAILS

Infection Vectors

SonicWall SSL VPN access through compromised credentials and through the CVE-2024-53704 authentication bypass, which allows session hijacking without credentials. Managed service provider accounts provide domain administrator rights and direct RDP access. AnyDesk and RMM platforms are abused for persistent access.

Target Selection

Mid-market United States organizations with $10-50 million annual revenue. Construction (project deadline pressure), manufacturing (operational dependencies), and healthcare (life-safety considerations) as primary sectors. Nearly all victims concentrated domestically with minimal international expansion.

Operational Complexity

Multi-threaded encryption with Windows I/O completion ports, Curve-25519 + AES-128-CTR implementation preventing recovery, EDR evasion including Carbon Black disabling, volume shadow copy elimination, double extortion with average 500GB data theft per incident.

Key Features & Technical Details

The technical architecture builds on proven ransomware methods inherited from its multi-generational lineage and prioritizes operational reliability over novelty. Correctly implemented standard cryptography (Curve-25519 with AES-128-CTR and a unique key per file) prevents file recovery without the attacker's private key, while multi-threaded execution maximizes encryption speed.

FEATURE

DETAILS

Encryption Method

Curve-25519 elliptic curve cryptography combined with AES-128-CTR, with a unique cryptographically secure key per file generated through the CryptGenRandom API. Key clamping and SHA-512 hashing render recovery impossible without the attacker's private key.

File Extension

.SINOBI is appended to encrypted files, which carry a footer containing a magic string, the victim's public key bytes, the chunking size, and an encryption-completion boolean.

Ransom Note

README.txt in each directory emphasizing financially motivated operations, seven-day contact deadline, warnings against third-party tools. Desktop wallpaper programmatically modified.

Double Extortion

Rclone cloud utility targeting ASN 215540 infrastructure; an average of 500GB per incident is posted to Tor-based leak sites with countdown timers.

Communication Channels

Nine active Tor hidden services running nginx 1.27.5, victim negotiation portals with unique IDs. No persistent C2 IPs, anonymized communications resistant to takedowns.

Deployment Speed

Multi-threaded architecture with thread count equal to processors × 4, rapid enterprise-wide encryption within hours following reconnaissance phase.

Payment Method

Bitcoin via Tor portals, estimated demands $200,000-$350,000 minimum to $2 million-$5 million maximum based on victim revenue.

Operational Model

Suspected RaaS with closed affiliate recruitment through Russian-language forums, standard affiliate revenue share model with core operator retention.

Activities

Operations showed rapid growth within two months, with significant operational presence established quickly. July 2025 marked initial expansion with over 10% of observed cases. August 2025 brought peak activity with over half of quarterly operations concentrated in this period, positioning behind Qilin and Akira. September saw tempo reduction with clustering patterns including single-day spikes, though operations through October 2025 maintain active status with continued postings.

Primary targeting shows 92% concentration in United States operations with California experiencing highest state-level activity.

Which Industries Are Most Vulnerable to Sinobi?

Manufacturing bears highest sector risk at more than double the second-highest sector, followed by construction as secondary priority. Organizations in $10-50 million revenue range targeted across professional services, financial services, retail, business services, and healthcare sectors.

Modus Operandi

Multi-stage architecture drawing on compromised remote access platforms for entry, followed by reconnaissance, credential harvesting, lateral movement, and data exfiltration before ransomware deployment.

Initial Access

SonicWall SSL VPN compromise through CVE-2024-53704 authentication bypass via improper session cookie handling (T1133). Managed service provider accounts with domain administrator rights. Public-facing application exploitation (T1190) targeting VPN and remote management platforms. AnyDesk deployment for persistent access.

Discovery

LDAP and Active Directory queries for domain controllers, administrators, privileged groups (T1087). System service enumeration, registry queries (T1082), network discovery (T1016). USB enumeration for propagation (T1120), domain trust mapping (T1482).

Remote Access Tooling

AnyDesk deployment on non-standard systems. RMM platform abuse through compromised MSP credentials providing legitimate remote channels. RDP sessions using harvested credentials.

Defense Evasion

Carbon Black EDR disabling through service modification and binary path manipulation (T1562.001). Low-level volume manipulation (T1006), software packing (T1027.002), execution from unusual directories (T1036.005), DLL injection (T1055.001).

Credential Access

LSASS memory dumping through ProcDump (T1003). Windows Credential Manager harvesting (T1555), unsecured credentials in files and scripts (T1552.001).

Command and Control

Tor infrastructure with nine hidden services (T1090). Legitimate protocol usage including HTTPS and SMB (T1071). No persistent IPs, communications resistant to takedowns.

Lateral Movement

RDP with compromised credentials (T1021.001). SMB protocol exploitation (T1021.002), DCOM (T1021.003), WMI commands for distributed deployment (T1047).

Collection and Exfiltration

Rclone cloud utility targeting ASN 215540 infrastructure (T1048). Data compression and staging (T1560.001), cloud storage services (T1567).

Persistence

Domain administrator account creation (T1136), Windows service manipulation (T1543.003), registry modification for desktop wallpaper.

Consequences for Victims

Operational disruption averaging 2-4 weeks downtime, data breach exposure including financial records, intellectual property, customer data, HR files. Recovery complexity from shadow copy deletion, backup tampering. Reputational damage through leak postings, regulatory exposure including HIPAA.

Impact

Multi-threaded deployment with Curve-25519 + AES-128-CTR (T1486). Desktop wallpaper modification, process termination targeting backups, databases (SQL, Oracle, MySQL), email, business applications (T1489).

Extortion

Seven-day contact deadline, warnings against third-party tools, reboot risks. Desktop wallpaper psychological pressure. Double extortion with leak postings including details, volume claims, sample documents, countdown timers. Unique victim IDs for Tor portal access.

Anti-Recovery Measures

Volume shadow copy deletion via DeviceIoControl resizing to zero (T1490). Recycle Bin emptying, EDR uninstallation, credential artifact removal.

Indicators of Compromise (IOCs)

Key indicators span file systems, network infrastructure, and behavioral patterns allowing detection and response.

INDICATOR

DETAILS

File Hashes

SHA256: 1b2a1e41a7f65b8d9008aa631f113cef36577e912c13f223ba8834bbefa4bd14 (primary payload)

IP Addresses

No persistent C2 IPs, Tor-only infrastructure

Domains/URLs

sinobi6ftrg27d6g4sjdt65malds6cfptlnjyw52rskakqjda6uvb7yd.onion
sinobi6rlec6f2bgn6rd72xo7hvds4a5ajiu2if4oub2sut7fg3gomqd.onion
Seven additional domains
ASN 215540 (Global Connectivity Solutions LLP, exfiltration)

File Paths

c:\programdata\rclone-ssh.conf
%TEMP%\background-image.jpg
README.txt
HKCU\Control Panel\Desktop\Wallpaper

File Extensions

.SINOBI with footer containing magic string, public key bytes, chunking size, completion boolean
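The host-based indicators above (the rclone-ssh.conf path, the %TEMP% wallpaper image, the Wallpaper registry value, the .SINOBI extension, README.txt drops, ProcDump against LSASS, AnyDesk) are most useful when corroborated on the same host, because several of them are noisy on their own. The following is an added example, not tooling from the report's authors, that scores constructed Sysmon-like events per host; the event field names and rule weights are assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified endpoint events (Sysmon-like dicts), not real telemetry.
# Indicator values come from the profile above; the event layout is assumed.
SAMPLE_EVENTS = [
    {"host": "fs01", "type": "file_create", "target": r"C:\ProgramData\rclone-ssh.conf"},
    {"host": "fs01", "type": "process_create", "cmdline": r"procdump64.exe -ma lsass.exe C:\Temp\l.dmp"},
    {"host": "fs01", "type": "file_rename", "target": r"D:\Shares\Finance\q3.xlsx.SINOBI"},
    {"host": "fs01", "type": "file_create", "target": r"D:\Shares\Finance\README.txt"},
    {"host": "fs01", "type": "registry_set", "target": r"HKCU\Control Panel\Desktop\Wallpaper",
     "details": r"C:\Users\svc\AppData\Local\Temp\background-image.jpg"},
    {"host": "ws07", "type": "file_create", "target": r"C:\Projects\README.txt"},  # benign readme
    {"host": "ws07", "type": "process_create", "cmdline": r"C:\Program Files\AnyDesk\AnyDesk.exe --service"},
]

# (rule name, event type, field to inspect, case-insensitive regex, weight).
# Weights are assumed: strong, Sinobi-specific artifacts score high; generic ones low.
RULES = [
    ("rclone_ssh_config",      "file_create",     "target",  r"\\programdata\\rclone-ssh\.conf$", 3),
    ("sinobi_extension",       "file_rename",     "target",  r"\.sinobi$",                        5),
    ("wallpaper_registry_set", "registry_set",    "target",  r"\\control panel\\desktop\\wallpaper$", 1),
    ("temp_background_image",  "registry_set",    "details", r"\\temp\\background-image\.jpg$",   2),
    ("lsass_procdump",         "process_create",  "cmdline", r"procdump.*lsass",                  4),
    ("ransom_note",            "file_create",     "target",  r"\\readme\.txt$",                   1),
    ("anydesk_present",        "process_create",  "cmdline", r"anydesk",                          1),
]

def match_rules(event):
    """Return [(rule name, weight)] for every rule the single event satisfies."""
    hits = []
    for name, etype, field, pattern, weight in RULES:
        if event.get("type") == etype and re.search(pattern, event.get(field, ""), re.IGNORECASE):
            hits.append((name, weight))
    return hits

def score_hosts(events, threshold=5):
    """Aggregate per host: {host: (score, sorted rule names)} for hosts at or above threshold.
    Each rule counts once per host, so a flood of README.txt files cannot inflate the score;
    weak indicators alone stay below the threshold, corroborated kill-chain stages exceed it."""
    per_host = defaultdict(dict)
    for ev in events:
        for name, weight in match_rules(ev):
            per_host[ev["host"]][name] = weight
    return {h: (sum(r.values()), sorted(r)) for h, r in per_host.items() if sum(r.values()) >= threshold}

if __name__ == "__main__":
    for host, (score, rules) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score {score}, rules {rules}")
```

On the constructed data, fs01 is flagged (Rclone config, LSASS dump, .SINOBI rename, wallpaper change) while ws07, which only shows a developer README and AnyDesk, stays below the threshold.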

Exploits and Vulnerabilities

CVE-2024-53704 (CVSS 9.8): SonicWall SonicOS SSL VPN Session Hijacking. Authentication bypass allowing remote session hijacking without credentials through improper base64-encoded cookie handling. Affects SonicWall TZ, NSa, NSsp series and NSv virtual firewalls running SonicOS 7.1.x (7.1.1-7058 and older), 7.1.2-7019, 8.0.0-8035. Added to CISA KEV catalog February 18, 2025.

CVE-2024-40762 (CVSS: Score TBD): Vulnerability Name TBD. Secondary exploitation vector requiring validation.

Additional Attack Vectors: VPN credential brute-forcing with MFA fatigue, RMM platform abuse through MSP compromise, AnyDesk for persistent access, third-party remote access appliance exploitation.
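The affected-version list for CVE-2024-53704 above mixes a range ("7.1.1-7058 and older" within the 7.1.x line) with two exact builds, which is easy to misread when checking an appliance inventory. The following added example (not SonicWall's tooling) encodes exactly that list as a version check; the SonicOS version string format major.minor.patch-build is assumed, and the vendor advisory remains the authoritative source for the affected set.

```python
import re

# Matches SonicOS version strings such as "7.1.1-7058" (format assumed).
_SONICOS_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_sonicos(version):
    """'7.1.1-7058' -> (7, 1, 1, 7058); raises ValueError on anything else."""
    m = _SONICOS_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def affected_by_cve_2024_53704(version):
    """True if the version falls within the affected set listed in the table above:
    the 7.1.x line up to and including 7.1.1-7058, plus builds 7.1.2-7019 and 8.0.0-8035."""
    v = parse_sonicos(version)
    if v[:2] == (7, 1) and v <= (7, 1, 1, 7058):
        return True
    return v in {(7, 1, 2, 7019), (8, 0, 0, 8035)}

def triage_inventory(versions):
    """Map each version string in an inventory to affected/not-affected/unparseable."""
    result = {}
    for ver in versions:
        try:
            result[ver] = "affected" if affected_by_cve_2024_53704(ver) else "not-affected"
        except ValueError:
            result[ver] = "unparseable"
    return result

if __name__ == "__main__":
    # Constructed inventory, not real appliance data.
    for ver, status in triage_inventory(["7.1.1-7058", "7.1.3-7015", "8.0.0-8035", "7.0.1"]).items():
        print(f"{ver}: {status}")
```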