Sinobi
Sinobi is a ransomware operation first observed in mid-2025, with reporting placing its emergence around July 2025. Multiple sources describe it as a rebrand of Lynx ransomware or a close relative of the Lynx ecosystem, and broader reporting links both Lynx and Sinobi to propagation of the INC ransomware codebase following underground sales of INC Windows and Linux variants in May 2024. Researchers reported significant code similarities among INC, Lynx, and Sinobi.
Sinobi is associated with double-extortion activity, exfiltrating data before encrypting it. Reported technical characteristics include the encrypted-file extension .SINOBI and a crypto implementation described as Curve-25519 with AES-128-CTR, the common hybrid pattern in which an asymmetric key pair protects the symmetric keys used for bulk file encryption, so files cannot be recovered without the operator's private key. Reporting also states Sinobi has been deployed through compromised SonicWall VPNs. Additional observed initial access methods include access purchased from initial access brokers (IABs), commodity phishing kits, exploitation of vulnerable VPN, Citrix, and Fortinet appliances, and, in one documented case, compromised third-party provider credentials that gave the actors domain-level access.
Victimology indicates Sinobi has targeted healthcare, biotechnology, manufacturing, construction, renewables, telecommunications, and other industrial organizations. Trellix described Sinobi as a new ransomware group focusing on biotechnology firms and other specialized healthcare companies. Dragos reported that Sinobi accumulated 42 claimed victims after its first observation in July 2025, including 23 industrial organizations across manufacturing, construction, renewables, and telecommunications. Other reporting noted healthcare attacks, including an incident at Central Jersey Medical Center in New Jersey, attributed to the Sinobi ransomware group, that affected 88,000 individuals.
Sinobi was also tracked as one of the more active ransomware brands in late 2025, with one report attributing 15% of the ransomware attacks it tracked in October 2025 to the group. Activity reporting cited 7 incidents in one period affecting healthcare and manufacturing, and another source noted a decline from 139 victims to 80 over a later measurement window. The only high-confidence identifiers directly mentioned in the cited content are the name Sinobi and the encrypted-file extension .SINOBI; no hashes, IPs, or domains are given, so extension-based hunting is the most concrete starting point this reporting supports.
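Since the .SINOBI extension is the one concrete artifact the reporting above gives, the added example below (not code from the original page or from any of the cited sources) shows how to hunt for it in file-creation telemetry: it flags every matching path for analyst pivoting, but only alerts when one process on one host writes a burst of .SINOBI files inside a short window, which separates mass encryption from a single stray sample. The log format, field names, the process path `C:\Users\Public\enc.exe`, and the threshold are constructed assumptions for the demo, not observed Sinobi indicators.

```python
"""Hunt for mass creation of .SINOBI files in file-event telemetry.

Added example. The .SINOBI extension is the encrypted-file extension reported
for Sinobi; the log schema, hostnames, process image, and threshold below are
constructed assumptions for this demo and are not observed Sinobi artifacts.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

SINOBI_EXT = ".sinobi"

# Constructed sample telemetry: one JSON object per line, loosely modelled on a
# FileCreate event (timestamp, host, creating process image, target path).
# Five .SINOBI writes from one process on fs01 within seconds; one stray
# .SINOBI file on ws07 written by explorer.exe; two benign events.
SAMPLE_EVENTS = r"""
{"ts": "2025-10-02T03:14:01Z", "host": "fs01", "image": "C:\\Windows\\explorer.exe", "path": "D:\\share\\finance\\q3.xlsx"}
{"ts": "2025-10-02T03:14:05Z", "host": "fs01", "image": "C:\\Users\\Public\\enc.exe", "path": "D:\\share\\finance\\q3.xlsx.SINOBI"}
{"ts": "2025-10-02T03:14:06Z", "host": "fs01", "image": "C:\\Users\\Public\\enc.exe", "path": "D:\\share\\finance\\q2.xlsx.SINOBI"}
{"ts": "2025-10-02T03:14:07Z", "host": "fs01", "image": "C:\\Users\\Public\\enc.exe", "path": "D:\\share\\hr\\payroll.docx.SINOBI"}
{"ts": "2025-10-02T03:14:09Z", "host": "fs01", "image": "C:\\Users\\Public\\enc.exe", "path": "D:\\share\\hr\\contracts.pdf.SINOBI"}
{"ts": "2025-10-02T03:14:12Z", "host": "fs01", "image": "C:\\Users\\Public\\enc.exe", "path": "D:\\share\\eng\\plant.dwg.SINOBI"}
{"ts": "2025-10-02T03:14:20Z", "host": "ws07", "image": "C:\\Windows\\explorer.exe", "path": "C:\\Users\\jdoe\\Downloads\\sample.bin.SINOBI"}
{"ts": "2025-10-02T03:15:40Z", "host": "fs01", "image": "C:\\Windows\\System32\\svchost.exe", "path": "C:\\Windows\\Temp\\cab_1.tmp"}
"""


def parse_events(text):
    """Parse newline-delimited JSON into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def is_sinobi_artifact(path):
    """Case-insensitive match on the reported encrypted-file extension."""
    return path.lower().endswith(SINOBI_EXT)


def find_matches(events):
    """Every event touching a .SINOBI path, for triage and pivoting."""
    return [e for e in events if is_sinobi_artifact(e["path"])]


def detect_mass_encryption(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per (host, image) that writes >= threshold .SINOBI files
    within a sliding time window. A lone .SINOBI file shows up in
    find_matches() but does not trip this burst detector."""
    recent = defaultdict(deque)  # (host, image) -> timestamps inside the window
    alerts = {}
    for event in events:
        if not is_sinobi_artifact(event["path"]):
            continue
        key = (event["host"], event["image"])
        times = recent[key]
        times.append(event["ts"])
        while event["ts"] - times[0] > window:  # drop writes older than the window
            times.popleft()
        if len(times) >= threshold and key not in alerts:
            alerts[key] = {
                "host": event["host"],
                "image": event["image"],
                "count": len(times),
                "first_seen": times[0].isoformat(),
                "last_seen": event["ts"].isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for m in find_matches(evs):
        print("match ", m["host"], m["path"])
    for a in detect_mass_encryption(evs):
        print("ALERT mass .SINOBI writes:", a)
```

Tune `threshold` and `window` to the write rate of your file servers; a legitimate backup or archive job never produces .SINOBI paths, so even a low threshold is unlikely to generate noise, and the stray-file case on ws07 is exactly the one an analyst wants listed but not paged on.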
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Impact (1 technique). The supporting excerpt describes the INC lineage rather than Sinobi directly:
"INC has evolved from an emerging ransomware-as-a-service (RaaS) operation... discovered in mid-2023, INC ransomware is another RaaS group that employs double extortion tactics... After staging and exfiltrating the data, INC ransomware actors run the encryptor across the environment."
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Sinobi is described as a related ransomware family that appeared after the sale of INC's ransomware variants, with significant code similarities identified by researchers.
Ransomware operation that appeared after the sale of INC source code and is described as part of adjacent operations influenced by the INC codebase.
A ransomware operation that experienced a sharp decline in activity after a strong start to the quarter and is described as targeting US mid-market manufacturing and construction.
A ransomware brand identified by Google as one of the most active in 2025.