Sinobi

Sinobi is a ransomware-as-a-service (RaaS) cybercrime operation first observed in 2025, with reporting placing its emergence in mid-2025 and operational visibility at scale in 2025 after surfacing in late 2024. Multiple sources assess Sinobi as a rebrand, splinter, or direct successor of the Lynx ransomware group, with Lynx itself described as having evolved from the INC ransomware family. Supporting reporting also states that INC source code was sold in 2024 to at least three parties and that Lynx and Sinobi are believed to use related strains. Technical comparisons cited in the content report substantial code overlap between Sinobi and Lynx/INC, consistent with shared tooling or shared source code. Sinobi is described as operating with a hybrid model combining a closed set of trusted affiliates and in-house operators. Sinobi uses double extortion, stealing data prior to encryption and threatening publication on a Tor-based leak site. The ransom note reportedly states the group is financially motivated and not politically motivated. Observed initial access methods include compromised VPN and RDP credentials, phishing, and exploitation of vulnerabilities including CVE-2024-53704 affecting SonicWall SSL VPN authentication and CVE-2024-40766 related to improper access control. Reported tradecraft includes credential-based access, creation of new local administrator accounts, addition of accounts to Domain Admins, domain and share enumeration, living-off-the-land lateral movement, removal of Carbon Black EDR using discovered uninstall credentials, exfiltration with Rclone, termination of SQL, backup, and Exchange-related processes, deletion of Volume Shadow Copies, clearing of the Recycle Bin, mounting hidden drives, and setting a ransom wallpaper. Encrypted files are renamed with the .SINOBI extension, and README.txt ransom notes are dropped with Tor-based negotiation instructions and often a seven-day deadline. The malware is described as using Curve25519 for key exchange and AES-128-CTR for file encryption. Victimology in the content indicates Sinobi primarily targets medium-to-large organizations where downtime is critical, with sectors including manufacturing, healthcare, financial services, education, and construction. Several sources specifically note strong healthcare targeting, including biotechnology firms and specialized healthcare companies, and continued interest in healthcare organizations. One source states Sinobi explicitly targets US mid-market manufacturing and construction, with 76.2% of victims in the United States. Additional activity is noted in Canada, Australia, and the United Kingdom. The content also describes Sinobi as one of the most active ransomware brands in 2025 and Q1 2026, appearing among leading and top-20 groups by victim volume. Named victim examples in the content include Windward Life Care, where Sinobi claimed to have encrypted files and exfiltrated 25 GB of data and added the victim to its leak site on January 5, 2026; Pecan Tree Dental, PLLC; and Geoplin, where reporting cited an $8.2 million demand. Known alias/related lineage mentioned in the content includes Lynx and the INC ransomware family.