Sinobi is a Ransomware-as-a-Service operation that emerged in mid-2025 and appears to be a rebrand or successor to the Lynx and INC Ransom families based on significant code overlap. The group uses a closed affiliate model and double-extortion tactics—gaining access via compromised credentials and CVE exploits, exfiltrating data with Rclone, and encrypting files with Curve-25519/AES-128-CTR to demand payment. #Sinobi #Lynx
Keypoints
- Sinobi likely derives from Lynx and INC ransomware families, showing 63.2% and 55.9% function similarity respectively, indicating shared codebase and tooling.
- The group operates a closed, selective RaaS model using trusted affiliates and in-house operators to maintain operational security and limit infiltration.
- Primary targets are medium-to-large organizations in manufacturing, healthcare, financial services, and education, with most victims in the United States.
- Initial access vectors include compromised VPN/RDP credentials, phishing, and exploitation of public-facing vulnerabilities (e.g., CVE-2024-53704, CVE-2024-40766).
- Operators perform privilege escalation, lateral movement with legitimate admin tools, EDR tampering (using found uninstall credentials), data exfiltration via Rclone, then high-speed encryption and data-leak extortion.
- Ransomware uses Curve-25519 and AES-128-CTR, renames files with the .SINOBI extension, deletes Volume Shadow Copies, clears Recycle Bin, and posts victims on a Tor-based leak site.
MITRE Techniques
- [T1587.001] Develop Capabilities: Malware – Authors reused and modified existing ransomware source code and builders. (‘INC Ransom source code sale on a Dark Web Forum’)
- [T1588.002] Obtain Capabilities: Tool – Operators acquired or reused tooling/components from underground markets to build Sinobi. (‘When source code is sold, buyers often keep the core. They change branding, configuration, and some modules.’)
- [T1078] Valid Accounts – Initial access was achieved using compromised credentials for VPN and RDP accounts. (‘Sinobi operators first obtained entry into the target environment through compromised credentials for remote access services.’)
- [T1566] Phishing – Phishing emails with malicious attachments or links were used as a supporting access vector. (‘Phishing emails with malicious attachments or embedded links were also identified as a supporting entry vector.’)
- [T1190] Exploit Public-Facing Application – Known vulnerabilities in internet-facing appliances were exploited (e.g., SonicWall CVE-2024-53704). (‘exploitation of known vulnerabilities such as CVE-2024-53704 affecting SonicWall SSL VPN authentication’)
- [T1569.002] System Services: Service Execution – The ransomware executed via service execution mechanisms to run payloads across targets. (‘The ransomware payload … executed high-speed encryption across accessible systems.’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Scripts and shell commands were used to enumerate domain structure and perform network tasks. (‘Scripts were also executed to enumerate domain structure, identify file shares, and locate privileged accounts.’)
- [T1106] Native API – The malware used native Windows APIs for actions like clearing the Recycle Bin and modifying shadow storage. (‘The Recycle Bin was cleared using the SHEmptyRecycleBinA API’)
- [T1203] Exploitation for Client Execution – The campaign included exploitation and execution techniques to run malicious payloads on victim hosts. (‘Phishing emails with malicious attachments … were also identified as a supporting entry vector.’)
- [T1068] Exploitation for Privilege Escalation – Operators exploited weaknesses or misconfigurations to escalate privileges and add accounts to Domain Admins. (‘they added accounts to the Domain Admins group’)
- [T1027] Obfuscated Files or Information – Ransomware and related components used obfuscation to hinder analysis and detection. (‘The malware shows structural and operational similarities with activity attributed to INC Ransom and Lynx.’)
- [T1070.004] Indicator Removal: File Deletion – The threat removed recovery artifacts such as Volume Shadow Copies to prevent restoration. (‘Recovery mechanisms were targeted by deleting Volume Shadow Copies through DeviceIOControl calls that resized shadow storage to zero.’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – Operators disabled or removed EDR protections using found uninstall credentials. (‘They located uninstall credentials for Carbon Black EDR on a network share and used these credentials to remove the product.’)
- [T1083] File and Directory Discovery – Attackers enumerated file shares and directories to locate high-value data for exfiltration and encryption. (‘Scripts were also executed to enumerate domain structure, identify file shares, and locate privileged accounts.’)
- [T1046] Network Service Discovery – Network service discovery was used to find reachable systems like database servers and backups. (‘Using built-in administrative tools and compromised credentials, the attackers moved across hosts to reach high-value systems such as database servers, backup infrastructure, and mail servers.’)
- [T1087.002] Account Discovery: Domain Account – The intruders performed account discovery to find privileged accounts and escalate access. (‘Scripts were also executed to … locate privileged accounts.’)
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Data in transit and stored artifacts used strong cryptography: Curve-25519 for key exchange and AES-128-CTR for file encryption. (‘Curve-25519 for key exchange and AES-128-CTR for symmetric file encryption’)
- [T1486] Data Encrypted for Impact – Files were encrypted and renamed with a .SINOBI extension, and ransom notes were left for victims. (‘Encrypted files were renamed with the .SINOBI extension, and a README.txt ransom note was placed in affected directories.’)
- [T1489] Service Stop – Processes and services (SQL, backup, Exchange) were terminated to release files for encryption and increase impact. (‘Processes associated with SQL servers, backup services, and Exchange were terminated to release locked files.’)
Indicators of Compromise
- [File Names] ransomware payloads and notes – bin.exe, README.txt
- [File Extension] encrypted file marker – .SINOBI
- [Tools] exfiltration and tooling – Rclone (used to transfer stolen data), and references to standard admin utilities used for lateral movement
- [Vulnerabilities] exploited public-facing systems – CVE-2024-53704 (SonicWall SSL VPN), CVE-2024-40766 (improper access control)
- [Leak Sites / Extortion Channels] public disclosure platforms – Sinobi Ransomware Data Leak Site, Tor-based leak platform (used to publish stolen data and host victim negotiation)
- [Registry Key] visual/locker artifact – HKCU\Control Panel\Desktop\Wallpaper (modified to set ransom wallpaper)
- [Credentials / Artifacts] credential storage misuse – uninstall credentials for Carbon Black EDR found on a network share (used to disable EDR)
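As an added example (not from the original post or from SOCRadar), the following script correlates the host-based indicators listed above (.SINOBI renames, README.txt dropped across many directories, Rclone execution, the Wallpaper registry change) per host over a constructed set of EDR-style events; the event schema and the three-directory note threshold are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (not real logs); field names are assumed, not a real EDR schema.
SAMPLE_EVENTS = [
    {"type": "process", "host": "fs01", "image": "C:\\Users\\svc\\rclone.exe", "cmdline": "rclone.exe copy D:\\Finance remote:drop"},
    {"type": "process", "host": "fs01", "image": "C:\\Temp\\bin.exe", "cmdline": "bin.exe"},
    {"type": "file_rename", "host": "fs01", "path": "D:\\Finance\\q3.xlsx", "new_path": "D:\\Finance\\q3.xlsx.SINOBI"},
    {"type": "file_create", "host": "fs01", "path": "D:\\Finance\\README.txt"},
    {"type": "file_create", "host": "fs01", "path": "D:\\HR\\README.txt"},
    {"type": "file_create", "host": "fs01", "path": "D:\\Legal\\README.txt"},
    {"type": "registry_set", "host": "fs01", "key": "HKCU\\Control Panel\\Desktop\\Wallpaper", "value": "C:\\Temp\\bg.jpg"},
    {"type": "file_create", "host": "ws07", "path": "C:\\Users\\bob\\Desktop\\README.txt"},
]

SINOBI_EXT = ".sinobi"                              # encrypted-file marker from the IoC list
RANSOM_NOTE = "readme.txt"                           # ransom note file name from the IoC list
WALLPAPER_KEY = r"hkcu\control panel\desktop\wallpaper"
NOTE_DIR_THRESHOLD = 3   # assumed: README.txt in >= 3 distinct directories counts as note spraying

def analyse(events):
    """Aggregate raw per-host counters for each Sinobi-related indicator."""
    per_host = defaultdict(lambda: {"sinobi_renames": 0, "note_dirs": set(), "rclone": False, "wallpaper": False})
    for ev in events:
        h, t = per_host[ev["host"]], ev["type"]
        if t == "file_rename" and ev["new_path"].lower().endswith(SINOBI_EXT):
            h["sinobi_renames"] += 1
        elif t == "file_create":
            directory, name = ev["path"].lower().rsplit("\\", 1)
            if name == RANSOM_NOTE:
                h["note_dirs"].add(directory)          # one note per directory is the pattern described
        elif t == "process" and ev["image"].lower().endswith("\\rclone.exe"):
            h["rclone"] = True
        elif t == "registry_set" and ev["key"].lower() == WALLPAPER_KEY:
            h["wallpaper"] = True
    return per_host

def verdicts(events):
    """Return, per host, the sorted list of indicator names that fired."""
    out = {}
    for host, h in analyse(events).items():
        signals = []
        if h["sinobi_renames"]:
            signals.append("sinobi_extension")
        if len(h["note_dirs"]) >= NOTE_DIR_THRESHOLD:
            signals.append("ransom_note_spray")
        if h["rclone"]:
            signals.append("rclone_exfil_tool")
        if h["wallpaper"]:
            signals.append("wallpaper_modified")
        out[host] = sorted(signals)
    return out

if __name__ == "__main__":
    print(json.dumps(verdicts(SAMPLE_EVENTS), indent=2))
```

A single README.txt on a user desktop (ws07) does not fire, which is the point of the per-directory threshold: alert on the spray pattern combined with the other signals, not on a file name alone.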
Read more: https://socradar.io/blog/dark-web-profile-sinobi-ransomware/