Sinobi: Rebrand of the Lynx Ransomware Gang

Sinobi is a rebrand of the Lynx ransomware gang, leveraging mature RaaS operations, double-extortion, and advanced capabilities from day one. The group has claimed a financial-services victim (Hana Financial) and introduced USB spreading and Windows Credential Manager theft. #Sinobi #Lynx #HanaFinancial

Key points

  • Sinobi emerged in late June 2025 and is assessed to be a rebrand of the Lynx ransomware gang, inheriting mature operational playbooks.
  • The group uses double extortion: large-scale data exfiltration prior to AES/RSA hybrid file encryption that appends the .SINOBI extension and drops README.txt ransom notes.
  • First publicly reported victim is Hana Financial, confirmed by HookPhish and multiple news outlets.
  • New capabilities include spreading via USB removable media and stealing credentials from Windows Credential Manager to improve lateral movement and persistence.
  • The attack chain follows a multi-stage ransomware kill chain: initial access via phishing (T1566) and vulnerability exploitation (T1190), execution/persistence with living-off-the-land tooling (T1059, T1547), privilege manipulation and defense evasion (T1134, T1562.001, T1490), data exfiltration and encryption (T1041, T1486), and impact (ransom note and wallpaper defacement, T1491.001) followed by negotiation.
  • Static analysis links Sinobi to INC and Lynx through code similarity and shared APIs/functions; demonstrates sophisticated multi-threaded encryption, privilege adjustments (SeTakeOwnershipPrivilege), and programmatic ransomware presentation (wallpaper README image).
  • Known IOCs include multiple SHA256 hashes for Sinobi/Lynx samples and numerous public and Tor-based leak/negotiation domains used by the group.

MITRE Techniques

  • [T1566] Phishing – Attackers craft deceptive emails with malicious links or attachments to execute the initial payload: ‘Attackers craft deceptive emails containing malicious links or attachments…which silently executes the initial malware payload.’
  • [T1190] Exploit Public-Facing Application – Scanning for and exploiting unpatched internet-facing services (VPN/RDP/web servers) to gain access without user interaction: ‘the group scans the internet for public servers with unpatched software vulnerabilities…they can gain direct access to a network without needing to trick a user.’
  • [T1059] Command and Scripting Interpreter (Living off the Land) – Use of native tools such as cmd.exe and PowerShell to execute commands and blend in with administrator activity: ‘they leverage built-in utilities like the cmd.exe and PowerShell to carry out commands.’
  • [T1547] Boot or Logon Autostart Execution – Establishing persistence via scheduled tasks, startup folders, and registry run keys to survive reboots: ‘commonly achieved by creating scheduled tasks…or by adding entries to system startup folders and registry run keys.’
  • [T1134] Access Token Manipulation – Adjusting its own process token to enable SeTakeOwnershipPrivilege. The privilege is present but disabled by default in an elevated administrator token, so enabling it lets the process take ownership of any file or directory regardless of its ACL; it does not by itself grant administrative rights the process did not already hold: ‘the malware enables the SeTakeOwnershipPrivilege on its own process…allowing it to take ownership of any file or directory.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Terminating processes and stopping services for AV/EDR/backup software (matched on keywords such as sql, veeam, backup, exchange): ‘terminate processes and stop services associated with antivirus software, EDR, and backup applications…kill processes with names containing keywords like sql, veeam, backup, and exchange.’
  • [T1490] Inhibit System Recovery – Deleting Windows Volume Shadow Copies with commands such as vssadmin delete shadows /all /quiet to prevent recovery from local snapshots: ‘systematically deletes Windows Volume Shadow Copies…by executing commands such as vssadmin delete shadows /all /quiet.’
  • [T1041] Exfiltration Over C2 Channel – Quietly copying large volumes of sensitive data to attacker-controlled servers before encryption, which is what enables the double-extortion threat: ‘attackers quietly copy large volumes…and transfer it to their own secure, remote servers.’
  • [T1486] Data Encrypted for Impact – Hybrid AES/RSA file encryption (earlier Lynx builds used Curve25519), appending the .SINOBI extension to encrypted files: ‘Sinobi uses a hybrid cryptographic scheme…and encrypted files are renamed with the .SINOBI file extension.’
  • [T1491.001] Defacement: Internal Defacement – ATT&CK has no ‘Demand Ransom’ technique; the wallpaper change and dropped README.txt map to internal defacement. The note directs victims to Tor .onion negotiation portals and threatens data leaks and a doubled ransom: ‘a text file named README.txt is dropped…the ransom note instructs the victim to download the Tor browser and navigate to a specific .onion address.’
  • [T1091] Replication Through Removable Media – Enumerating drives, identifying removable media with GetDriveTypeW (DRIVE_REMOVABLE), and copying itself to USB drives to spread: ‘capable of scanning the system’s USB bus…detecting connected removable media and copying itself to those drives.’
  • [T1555.004] Credentials from Password Stores: Windows Credential Manager – Abusing vaultcmd.exe or the CredEnumerateA API to harvest stored credentials: ‘target and steal credentials from the Windows Credential Manager…using native Windows tools like vaultcmd.exe or by abusing Windows APIs such as CredEnumerateA.’
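Several of the behaviours above (T1490, T1562.001, T1555.004, T1486) leave a command line or a file name that a detection rule can key on. The following Python is an added example written for this page, not code from the Sinobi write-up or from the malware itself. It scans constructed Sysmon-style process-creation records (image and command line only) and a constructed list of file paths for the patterns the MITRE section describes, and rolls them up into a single verdict. The regex shapes, the vaultcmd switches, and the field names are assumptions; the keywords sql, veeam, backup and exchange and the vssadmin command come from the text.

```python
"""Detect Sinobi/Lynx-style precursor behaviours in process and file telemetry.

Added example for this page; not the Sinobi operators' code and not the
write-up's own tooling. Input records are constructed inline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 style record (assumed field names)."""
    image: str
    command_line: str


# (technique id, description, regex over the command line). Keywords for
# T1562.001 and the vssadmin form for T1490 are from the write-up; the regex
# shapes and the vaultcmd switches are this example's assumptions.
RULES = [
    ("T1490", "shadow copy deletion via vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", "shadow copy deletion via wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1562.001", "stopping/killing backup or security services",
     re.compile(r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?)\b"
                r".*\b\w*(sql|veeam|backup|exchange)\w*\b", re.I)),
    ("T1555.004", "Credential Manager enumeration via vaultcmd",
     re.compile(r"\bvaultcmd(\.exe)?\b.*/list(creds|properties)?", re.I)),
]

ENCRYPTED_EXT = ".sinobi"   # extension appended to encrypted files
RANSOM_NOTE = "readme.txt"  # note name; common benign name, so never alert on it alone


def match_event(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return every (technique, description) whose rule matches this event."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(ev.command_line)]


def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Group matching command lines by technique id."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for tid, _desc in match_event(ev):
            findings.setdefault(tid, []).append(ev.command_line)
    return findings


def encryption_indicators(paths: list[str]) -> tuple[int, int]:
    """Count files carrying the .SINOBI extension and README.txt notes."""
    encrypted = sum(1 for p in paths if p.lower().endswith(ENCRYPTED_EXT))
    notes = sum(1 for p in paths
                if p.replace("\\", "/").rsplit("/", 1)[-1].lower() == RANSOM_NOTE)
    return encrypted, notes


def assess(events: list[ProcEvent], paths: list[str]) -> str:
    """Single-host verdict combining process behaviour and file indicators."""
    findings = scan(events)
    encrypted, notes = encryption_indicators(paths)
    if encrypted and notes:                      # T1486 already underway
        return "encryption-in-progress"
    if "T1490" in findings and "T1562.001" in findings:
        return "ransomware-precursor"            # recovery and defenses impaired, pre-encryption
    if findings:
        return "suspicious"
    return "clean"


# Constructed sample telemetry: four malicious and two benign process events.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "vssadmin delete shadows /all /quiet"'),
    ProcEvent(r"C:\Windows\System32\net.exe", "net stop VeeamBackupSvc /y"),
    ProcEvent(r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM sqlservr.exe"),
    ProcEvent(r"C:\Windows\System32\vaultcmd.exe",
              'vaultcmd /listcreds:"Windows Credentials" /all'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    ProcEvent(r"C:\Windows\System32\net.exe", r"net use Z: \\fileserver\share"),
]

# Constructed file listing from a share after encryption started.
SAMPLE_PATHS = [
    r"D:\Shares\Finance\Q2_report.xlsx.SINOBI",
    r"D:\Shares\Finance\README.txt",
    r"D:\Shares\Finance\budget.docx",
]

if __name__ == "__main__":
    for tid, cmds in sorted(scan(SAMPLE_EVENTS).items()):
        print(tid, "->", cmds)
    print("verdict:", assess(SAMPLE_EVENTS, SAMPLE_PATHS))
```

The roll-up deliberately requires two independent signals before escalating: vssadmin delete shadows is run legitimately by some backup products, and README.txt is an everyday file name, so each alone is only "suspicious". The .SINOBI extension is the one high-confidence indicator, and by the time it appears the encryption stage is already running, which is why the precursor verdict exists.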

Indicators of Compromise

  • [File Hash] Known Sinobi/Lynx sample hashes (SHA256) – d4919a7402d7ae02516589fbdfb3cc436749544052843a37b5d36ac4b7385b18, ecbfea3e7869166dd418f15387bc33ce46f2c72168f571071916b5054d7f6e49, and eight further hashes listed in the source.
  • [Filename/Extension] Ransom note and encrypted files – README.txt ransom note; encrypted files appended with the .SINOBI extension.
  • [Domain/URL] Public and Tor leak/negotiation sites – blog.sinobi.us[.]org/leaks/, plus multiple sinobi*.onion/leaks and sinobi*/login .onion negotiation portals (several listed in the source).
  • [Victim] Affected organization – Hana Financial (financial services sector), confirmed as a Sinobi victim.


Read more: https://vampir3blu.es/posts/1/