SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Sinobi Ransomware
Feb 17, 2026

Dark Web Profile: Sinobi Ransomware

Sinobi Ransomware is a cybercrime operation that emerged in mid-2025, operating as a Ransomware-as-a-Service model. It is believed that the group is a rebrand or direct successor of the Lynx Ransomware group, which itself evolved from the INC Ransomware family.

Who Is Sinobi Ransomware?

The group calls itself Sinobi, which closely resembles Shinobi (ninja), a term that appears across video games, film, music, comics, and entertainment, most notably in Sega’s long-running Shinobi game series and other media titles.

Sinobi Ransomware Threat Actor Card

The group’s identity and origins reveal several important characteristics. Technical analysis shows significant code overlaps between Sinobi and Lynx, suggesting the group represents a continuation of established criminal operations rather than a new entity.

Unlike RaaS groups that recruit extensively, Sinobi employs a hybrid model relying on a closed, private network of trusted affiliates and in-house operators. This selective approach allows them to maintain high operational security and evade law enforcement infiltration.

BinDiff analysis shows a strong code relationship between the samples. The binaries of Lynx ransomware and Sinobi ransomware share 63.2% function similarity, while INC Ransom and Sinobi share 55.9%. This pattern fits the reported lineage where Sinobi derives from Lynx, and Lynx derives from INC.

Lynx vs Sinobi Ransomware code comparison

INC Ransom vs Sinobi code comparison

What Are Sinobi Ransomware’s Targets?

Industry Distribution of Sinobi Ransomware Victims

Sinobi employs a double extortion strategy, stealing sensitive data to threaten publication before encrypting victim files. The group targets medium-to-large organizations where downtime is critical, with primary sectors including manufacturing, healthcare, financial services, and education. The majority of Sinobi’s victims are located in the United States, followed by activity in Canada, Australia, and the United Kingdom.

Country Distribution of Sinobi Ransomware Victims

The similarities between Sinobi and Lynx represent the fundamental evidence that leads us to believe Sinobi is not an entirely new threat group but rather a rebranded version of Lynx, a Ransomware-as-a-Service (RaaS) group that first emerged in 2024.

Additionally, the infrastructure used by the group is believed to be based on the INC Ransomware source code purchased from a Dark Web forum.

INC Ransom source code sale on a Dark Web Forum, SOCRadar Dark Web Intelligence

The dark web post offering the INC source code for sale gives context to those BinDiff results. When source code is sold, buyers often keep the core and change branding, configuration, and some modules. Over time, each fork adds small changes, producing a gradual drop in similarity across generations while the main architecture is preserved.

Sinobi Ransomware Data Leak Site (DLS)

In addition, their leak sites also show similarities in design and publication. All these findings suggest that Sinobi is not an independent project. It is likely a derivative built on the Lynx code base, which itself reused INC components. Code similarity alone does not prove the same operators, but it does show shared tooling or a shared source. From a defensive view, detections created for one family can help detect the others, since their internal logic and behavior remain closely related.

How Does Sinobi Ransomware Operate?

The Sinobi Ransomware Attack Lifecycle

  1. Initial Access

Sinobi operators first obtained entry into the target environment through compromised credentials for remote access services. Observed access vectors included VPN gateways and Remote Desktop Protocol accounts. In parallel, the intrusion showed exploitation of known vulnerabilities such as CVE-2024-53704 affecting SonicWall SSL VPN authentication and CVE-2024-40766 related to improper access control. Phishing emails with malicious attachments or embedded links were also identified as a supporting entry vector.

  2. Privilege Escalation and Persistence

After gaining entry, the operators escalated privileges and established persistence. They created new local administrator accounts and, in the observed incident, added accounts to the Domain Admins group. Scripts were also executed to enumerate domain structure, identify file shares, and locate privileged accounts. Legitimate administrative utilities were used for lateral movement, consistent with living-off-the-land techniques.

  3. Defense Evasion

The operators then neutralized security controls before deploying ransomware. They located uninstall credentials for Carbon Black EDR on a network share and used these credentials to remove the product. This stage reduced detection risk and allowed unrestricted movement inside the environment.

  4. Lateral Movement

Using built-in administrative tools and compromised credentials, the attackers moved across hosts to reach high-value systems such as database servers, backup infrastructure, and mail servers. This phase ensured access to sensitive data and systems that would increase operational impact during encryption.

  5. Data Collection and Exfiltration

Prior to encryption, the operators collected sensitive information, including financial records, intellectual property, and customer data. Exfiltration was performed with the command-line utility Rclone, which transferred data to attacker-controlled infrastructure. The stolen data was later referenced in extortion attempts through a Tor-based leak platform.

  6. Ransomware Deployment and Encryption

The ransomware payload, observed under generic names such as bin.exe, executed high-speed encryption across accessible systems. The malware used Curve25519 for key exchange and AES-128-CTR for symmetric file encryption, with unique keys generated per file through CryptGenRandom. Processes associated with SQL servers, backup services, and Exchange were terminated to release locked files.

Recovery mechanisms were targeted by deleting Volume Shadow Copies through DeviceIoControl calls that resized shadow storage to zero. The Recycle Bin was cleared using the SHEmptyRecycleBinA API, and hidden drives were mounted and encrypted.

After encryption, the malware created a ransom wallpaper by modifying the registry value HKCU\Control Panel\Desktop\Wallpaper. Encrypted files were renamed with the .SINOBI extension, and a README.txt ransom note was placed in affected directories. The note included a victim identifier, instructions for Tor-based negotiation, and a countdown timer, often set to seven days.

The final stage combined system encryption with threats to release stolen data publicly. This model increased leverage and pressured victims into payment.

Sinobi Ransomware Ransom Note (Source)

The group’s ransom note (README.txt) explicitly declares that they are not a politically motivated group and are only interested in money. It directs victims to private chat rooms accessible through the Tor browser, gives them seven days to respond, and threatens to publish the stolen data if payment is not made.

How to Defend Against Sinobi Ransomware?

  • Focus on prevention. Sinobi uses strong encryption that prevents recovery without the attacker’s key.
  • Secure remote access. Restrict VPN privileges. Avoid assigning domain admin rights to remote accounts. Patch VPN appliances and internet facing systems.
  • Protect EDR and AV from tampering. Do not store uninstall or deregistration codes on file shares. Enable anti tamper settings in security tools.
  • Monitor for living off the land activity. Alert on Rclone usage, new local administrator accounts, and changes to the Domain Admins group.
  • Maintain offline and immutable backups. Sinobi deletes Volume Shadow Copies and targets local recovery options.
  • Use behavioral and anomaly based detection. Look for privilege escalation, admin account creation, and suspicious encryption patterns.
  • Train employees against phishing and social engineering.
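As an added example (not SOCRadar's code), here is a small Python detector covering the monitoring points in the list above and the host behaviours described in the attack lifecycle (account creation, Domain Admins changes, Rclone execution, the wallpaper registry change, and the .SINOBI extension), run over constructed sample log lines. The key=value log format, host names, and the rule-to-technique mapping are assumptions made for the example.

```python
import re
# Constructed sample events in an assumed "key=value" line format, loosely
# modelled on Windows Security (4720/4728/4688) and Sysmon (11/13) fields.
SAMPLE_LOGS = """\
EventID=4720 Host=FS01 TargetUser=svc_backup2 Subject=jdoe
EventID=4728 Host=DC01 Group="Domain Admins" Member=svc_backup2 Subject=jdoe
EventID=4688 Host=FS01 Image=C:\\Temp\\rclone.exe CommandLine="rclone copy D:\\Finance remote:x"
EventID=13 Host=WS07 TargetObject="HKCU\\Control Panel\\Desktop\\Wallpaper" Details=C:\\Users\\Public\\w.jpg
EventID=11 Host=WS07 TargetFilename=C:\\Shares\\HR\\payroll.xlsx.SINOBI
EventID=4688 Host=WS02 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

# (description, technique ID taken from the post's ATT&CK table (mapping assumed), predicate)
RULES = [
    ("new account created", "T1078",
     lambda e: e["EventID"] == "4720"),
    ("member added to Domain Admins", "T1078",
     lambda e: e["EventID"] == "4728" and e.get("Group") == "Domain Admins"),
    ("Rclone execution", "T1588.002",
     lambda e: e["EventID"] == "4688" and "rclone" in e.get("Image", "").lower()),
    ("desktop wallpaper registry value modified", "T1486",
     lambda e: e["EventID"] == "13" and e.get("TargetObject", "").endswith("Desktop\\Wallpaper")),
    ("file written with .SINOBI extension", "T1486",
     lambda e: e["EventID"] == "11" and e.get("TargetFilename", "").upper().endswith(".SINOBI")),
]

def detect(log_text):
    """Return one hit per matching (line, rule); malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if "EventID" not in event:
            continue
        for desc, technique, pred in RULES:
            if pred(event):
                hits.append({"host": event.get("Host", "?"), "rule": desc, "technique": technique})
    return hits

def distinct_stages_per_host(hits):
    """Distinct rules per host: several stages on one host outweigh one isolated alert."""
    stages = {}
    for h in hits:
        stages.setdefault(h["host"], set()).add(h["rule"])
    return {host: len(rules) for host, rules in stages.items()}
```

Feeding real events in requires only adapting parse_event to the SIEM's export format; the rules and the per-host correlation stay the same.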

Conclusion

Available evidence suggests that the Sinobi operators did not develop a ransomware platform from the ground up. The malware shows structural and operational similarities with activity attributed to INC Ransom and Lynx. The overlap also appears in tooling choices, infrastructure patterns, and execution logic. This pattern is consistent with actors obtaining leaked or traded ransomware builders from dark web forums and modifying them for new campaigns. In this context, Sinobi is likely a rebrand or continuation of an existing operator cluster rather than an independent group.

This reuse model lowers the barrier to entry. Threat actors can adopt proven codebases and focus on intrusion tradecraft. The result is faster campaign deployment and reduced development cost. On the other side, attribution becomes difficult because branding changes while code lineage remains similar.

Tracking threat actors across rebrands is therefore essential. Malware families evolve through code sharing, affiliate migration, and underground market exchanges. Without actor-level tracking, defenders may treat related campaigns as isolated incidents. This leads to incomplete risk assessment and delayed response planning.

How Can SOCRadar Support Defense Efforts?

  • Attack Surface Management (ASM): Identifies exposed RDP services, VPN portals, and forgotten internet-facing assets that ransomware operators often exploit for initial access.
  • Vulnerability Intelligence: Correlates external exposure with exploit activity and threat actor behavior, helping teams prioritize patches for services already abused in ransomware campaigns.
  • Dark Web Monitoring: Tracks ransomware leak sites, underground forums, and extortion channels for early signals of data exposure or victim listings related to Sinobi operations.
  • Threat Actor Intelligence: Provides visibility into Sinobi-related tactics, techniques, and procedures, enabling defenders to align detection and response with current ransomware behavior.

SOCRadar Threat Actor Intelligence

By combining external exposure visibility with underground intelligence, security teams gain earlier warning signals and stronger context to disrupt Sinobi attacks before encryption or destructive wiping is triggered.

Tactic                 ID         Name
Resource Development   T1587.001  Develop Capabilities: Malware
Resource Development   T1588.002  Obtain Capabilities: Tool
Initial Access         T1078      Valid Accounts
Initial Access         T1566      Phishing
Initial Access         T1190      Exploit Public-Facing Application
Execution              T1569.002  System Services: Service Execution
Execution              T1059.003  Command and Scripting Interpreter: Windows Command Shell
Execution              T1106      Native API
Execution              T1203      Exploitation for Client Execution
Privilege Escalation   T1068      Exploitation for Privilege Escalation
Defense Evasion        T1027      Obfuscated Files or Information
Defense Evasion        T1070.004  Indicator Removal: File Deletion
Defense Evasion        T1562.001  Impair Defenses: Disable or Modify Tools
Discovery              T1083      File and Directory Discovery
Discovery              T1046      Network Service Discovery
Discovery              T1087.002  Account Discovery: Domain Account
Command and Control    T1573.001  Encrypted Channel: Symmetric Cryptography
Impact                 T1486      Data Encrypted for Impact
Impact                 T1489      Service Stop