
Sinobi: A New Name for a Known Threat

Author: vampir3blues
A Cyber Threat Intelligence and Malware Analysis enthusiast.

In late June 2025, a new ransomware variant named Sinobi emerged on the cybercrime landscape. Analysis indicates that Sinobi is not a new threat actor but a rebrand of the Lynx ransomware gang, a group that was active from mid 2024 to early 2025. This claim is supported by multiple cybersecurity news outlets. Risky Biz News and a report from ASEC both state that Sinobi is suspected to be a rebrand of Lynx. This lineage suggests Sinobi possesses a mature operational playbook and a technical arsenal from its very inception.

The website is almost identical to the site used by the Lynx ransomware group, while Lynx’s attacks decreased over the past weeks.

[Image: comparison.txt file]

The group has listed its first victim, an organization operating in the financial services sector. A report from HookPhish confirms that Hana Financial was a victim of the Sinobi ransomware group.

[Image: victim]

The Sinobi group is a financially motivated criminal enterprise that employs a double extortion model. A report by CYFIRMA confirms these Tactics, Techniques, and Procedures (TTPs). It states that Sinobi uses a combination of AES and RSA encryption, appends the .SINOBI extension, and drops a “README.txt” ransom note. WatchGuard’s ransomware tracker also lists Sinobi and its use of double extortion.

[Image: readme.txt file]

Sinobi is not just a name change but an evolution of its predecessor’s tools. The new variant uses updated tactics, including the ability to spread through USB devices and steal stored passwords directly from the Windows Credential Manager, improving its capacity for lateral movement and privilege escalation.

Its lineage from the successful Lynx operation means it has the experience, infrastructure, and motivation to target a wide range of global industries. Intelligence assessments indicate the group is likely to expand its targeting beyond traditional sectors into high pressure environments like healthcare and manufacturing, where any disruption can have severe consequences.

Threat Actor Profile: From Lynx to Sinobi

To understand Sinobi, we need to look at its origins. This lineage demonstrates a clear pattern of strategic adaptation and operational professionalization, culminating in the threat that Sinobi represents today.

From INC to Lynx to Sinobi

INC Ransomware

In August 2023, a ransomware group known as INC Ransomware began its operations. In a move that led to the creation of the groups that followed, the operators of INC put their ransomware source code up for sale on a dark web forum in May 2024 for $300,000. This practice allows other criminals to launch their own operations without investing in development from scratch.

The Rise of the Lynx RaaS

Just two months later, in July 2024, Lynx ransomware emerged. CybelAngel reports that Lynx ransomware is considered a rebranded version of INC ransomware, with a 48% overall code similarity and 70.8% similarity in specific functions, providing strong evidence that the Lynx operators had purchased and adapted the INC code. Lynx quickly established itself as a RaaS operation, building a network of affiliates to carry out attacks.

Sinobi Emerges

By late June 2025, Lynx had become well known to security researchers and law enforcement. The group then went dormant and re-emerged under a new name: Sinobi. This rebranding allows the group to shed its notoriety, forcing security vendors and analysts to reestablish tracking and attribution. This maneuver demonstrates not just technical skill but also operational expertise, aimed at ensuring the longevity of their criminal enterprise.

Motivation and Targeting

The Sinobi group’s motivations are explicitly and exclusively financial. The ransom note left by the Sinobi malware clearly states “We are not politically motivated”. This aligns perfectly with the public statements and behavior of its predecessor, Lynx, which declared its core motivation was “grounded in financial incentives”.

[Image: readme.txt file]

Lynx targeted any organization where operational disruption could be monetized. Its victim list spanned manufacturing, construction, finance, retail, and real estate, with a geographical focus on North America and Europe. A CYFIRMA intelligence report suggests that Sinobi will continue this trend and potentially broaden its scope to include high value sectors like healthcare and manufacturing, where downtime is exceptionally costly and the incentive to pay a ransom is correspondingly high.

The Sinobi Kill Chain

A typical ransomware attack is not a single event but a multi-stage intrusion that lasts several days. The median time from an attacker’s initial access to the final deployment of ransomware is approximately six days, a period during which they conduct reconnaissance, steal data, and disable defenses.

Phase 1: Initial Access (T1566, T1190)

Attackers use two primary methods to gain their initial foothold in a target network. This strategy allows them to be flexible, targeting both the human and technical layers of an organization’s defenses.

  • Phishing (T1566): This is the most common attack vector. Attackers craft deceptive emails containing malicious links or attachments. These emails are designed with social engineering lures to trick an employee into clicking the link or opening the file, which silently executes the initial malware payload, giving the attackers a foothold inside the network.

  • Exploiting Vulnerabilities (T1190): The group scans the internet for public servers with unpatched software vulnerabilities. By exploiting these known security flaws in systems like VPNs, RDP, gateways, or web servers, they can gain direct access to a network without needing to trick a user. While specific CVEs exploited by Lynx or Sinobi are not publicly documented, similar ransomware groups frequently target known flaws in products from Fortinet, Citrix, and Microsoft to achieve initial access.

Phase 2: Execution and Persistence (T1059, T1547)

Once inside, the attackers execute their malicious code and establish a persistent presence to ensure their access survives system reboots or other disruptions.

  • Execution via Legitimate Tools (T1059): A key to their stealth is the use of legitimate system administration tools, a technique known as Living off the Land. They leverage built-in utilities like cmd.exe and PowerShell to carry out commands. Because these tools are native to the operating system and used for legitimate purposes, their malicious use is less likely to be flagged by basic security software, helping the attackers blend in with normal administrative activity.

  • Establishing Persistence (T1547): To ensure their malware remains active, the attackers establish persistence. This is commonly achieved by creating scheduled tasks that automatically re-launch their malicious tools at set intervals or by adding entries to system startup folders and registry run keys, which execute their code every time the computer is turned on.

Phase 3: Privilege Escalation and Defense Evasion (T1134, T1562, T1490)

Before launching the main attack, the intruders work systematically to dismantle the victim’s defenses and gain complete control over the environment. This phase is a methodical neutralization of the target’s ability to detect or recover from the attack.

  • Gaining Administrative Privileges (T1134): To encrypt all files on a system and across a network, the malware requires the highest level of permissions. It uses advanced techniques to achieve this, such as manipulating process access tokens. Specifically, the malware enables the SeTakeOwnershipPrivilege on its own process, which allows it to take ownership of any file or directory on the system, bypassing standard security restrictions and granting it the power to modify or encrypt even protected system files.

  • Disabling Security Tools (T1562.001): The malware is designed to terminate processes and stop services associated with antivirus software, EDR, and backup applications. The Lynx variant was known to specifically kill processes with names containing keywords like sql, veeam, backup, and exchange to ensure that the encryption process is not interrupted and that critical databases and backup agents are offline.

  • Deleting Backups (T1490): A crucial step is to eliminate the victim’s ability to recover their data without paying the ransom. The malware systematically deletes Windows Volume Shadow Copies, which are built-in restore points, by executing commands such as vssadmin delete shadows /all /quiet. This action makes it nearly impossible for users to restore their files using native Windows tools, leaving them dependent on dedicated offline backups, if they exist.
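
One way to hunt for the Phase 3 sequence in host telemetry, as an added example that is not part of the original analysis: it flags shadow-copy deletion, a burst of terminated database or backup processes, and SeTakeOwnershipPrivilege being enabled, and raises severity when they coincide on one host. The event schema (host, ts, kind, image, cmdline, enabled), the 60-second window, the threshold of three and every sample event are assumptions constructed for this example; in practice the fields would be mapped from sources such as Sysmon process create/terminate events and Windows Security event 4703.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Keywords the page attributes to the Lynx process-kill list.
KILL_KEYWORDS = ("sql", "veeam", "backup", "exchange")


def basename(path):
    """Lower-cased file name of a Windows-style (or POSIX-style) path."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shadow_delete(cmdline):
    """True for `vssadmin ... delete ... shadows`; ignores case, path, quotes."""
    tokens = [t.strip('"') for t in cmdline.split()]
    for i, tok in enumerate(tokens):
        if basename(tok) in ("vssadmin", "vssadmin.exe"):
            rest = [t.lower() for t in tokens[i + 1:]]
            return "delete" in rest and "shadows" in rest
    return False


def kill_burst(events, window=timedelta(seconds=60), threshold=3):
    """Names of matching processes if `threshold` distinct ones died in `window`."""
    hits = sorted(
        (e["ts"], basename(e["image"]))
        for e in events
        if e["kind"] == "process_terminate"
        and any(k in basename(e["image"]) for k in KILL_KEYWORDS)
    )
    for i, (start, _) in enumerate(hits):
        names = {name for ts, name in hits[i:] if ts - start <= window}
        if len(names) >= threshold:
            return sorted(names)
    return []


def triage(events):
    """Group events per host and report which Phase 3 rules fired."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)
    findings = {}
    for host, evs in by_host.items():
        rules = []
        if any(e["kind"] == "process_create" and is_shadow_delete(e["cmdline"])
               for e in evs):
            rules.append("shadow_copy_deletion")
        if kill_burst(evs):
            rules.append("backup_db_kill_burst")
        if any(e["kind"] == "privilege_adjust"
               and "SeTakeOwnershipPrivilege" in e["enabled"] for e in evs):
            rules.append("take_ownership_enabled")
        if rules:
            # A single rule is often admin activity; two or more on one host
            # match the pre-encryption sequence described above.
            severity = "high" if len(rules) > 1 else "low"
            findings[host] = {"rules": rules, "severity": severity}
    return findings


T0 = datetime(2025, 7, 1, 2, 14, 0)  # constructed timestamp


def ev(host, secs, kind, **fields):
    """Build one constructed event; the schema is an assumption."""
    return dict(host=host, ts=T0 + timedelta(seconds=secs), kind=kind, **fields)


# Constructed sample telemetry, not taken from a real incident.
SAMPLE_EVENTS = [
    ev("WS01", 0, "privilege_adjust", enabled=["SeTakeOwnershipPrivilege"]),
    ev("WS01", 5, "process_terminate", image=r"C:\MSSQL\sqlservr.exe"),
    ev("WS01", 6, "process_terminate", image=r"C:\Veeam\Veeam.Backup.Service.exe"),
    ev("WS01", 9, "process_terminate", image=r"C:\Apps\BackupAgent.exe"),
    ev("WS01", 12, "process_create",
       cmdline='cmd.exe /c "vssadmin delete shadows /all /quiet"'),
    ev("WS02", 0, "process_terminate", image=r"C:\MSSQL\sqlservr.exe"),
    ev("WS03", 0, "process_create", cmdline="vssadmin.exe Delete Shadows /all"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```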

Phase 4: Double Extortion (T1041, T1486)

With defenses disabled and full administrative control achieved, the attackers execute their two-part primary mission, designed to maximize both psychological and financial leverage.

  • Data Exfiltration (T1041): Before a single file is encrypted, the attackers quietly copy large volumes of the victim’s most sensitive data, such as financial records, customer information, intellectual property, and legal documents, and transfer it to their own secure, remote servers. This stolen data becomes the first powerful lever for extortion.

  • Data Encryption for Impact (T1486): Once the data is secured, the ransomware payload is activated.

    File Encryption: Sinobi uses a hybrid cryptographic scheme that is effectively unbreakable. The process combines a fast, strong symmetric algorithm like AES with a robust asymmetric algorithm like RSA. The Lynx predecessor used a specific implementation with AES for file encryption and the ECC algorithm Curve25519 for key exchange. In this scheme, a unique AES key is generated for each file. All of these individual file keys are then encrypted with the attacker’s public RSA/ECC key and appended to the encrypted file.

    File Modification: All encrypted files are renamed with the .SINOBI file extension, making them easily identifiable and unusable.

    [Image: encrypted file]

Phase 5: Impact and Negotiation (T1491.001)

The final phase is designed to ensure the victim is immediately aware of the attack and is guided into the attackers’ payment process.

  • Visual Intimidation and Ransom Note: A text file named README.txt is dropped into every directory containing encrypted files. This note contains a unique victim ID and instructions on how to contact the attackers.

  • Communication and Ransom Demand: The ransom note instructs the victim to download the Tor browser and navigate to a specific .onion address, leading to a chat portal where negotiations begin. The attackers typically provide proof that they can decrypt a few files for free to demonstrate their capability and also provide samples of the sensitive data they have stolen. A deadline is set, with threats that the ransom demand will double or the stolen data will be leaked publicly if payment is not made in time.
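
For incident scoping, the artefacts described in Phases 4 and 5 (the .SINOBI extension and a README.txt in each affected directory) can be used to map which directories the encryptor reached and what needs restoring. This is an added example, not part of the original analysis; the sample directory layout and file names are constructed, and it assumes the extension is appended to the original file name as the reports cited above describe.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".sinobi"  # the page reports the .SINOBI extension
NOTE_NAME = "readme.txt"   # the page reports a README.txt ransom note


def scope_impact(root):
    """Classify every directory under `root` that shows Sinobi artefacts."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXT))
        has_note = any(f.lower() == NOTE_NAME for f in files)
        if not encrypted and not has_note:
            continue
        intact = sorted(f for f in files
                        if f not in encrypted and f.lower() != NOTE_NAME)
        if not encrypted:
            status = "note_only"   # README.txt is a common benign name: review
        elif intact:
            status = "partial"     # encryption interrupted or files skipped
        else:
            status = "encrypted"
        mtimes = [os.path.getmtime(os.path.join(dirpath, f)) for f in encrypted]
        report[Path(dirpath).relative_to(root).as_posix()] = {
            "status": status,
            "has_note": has_note,
            "intact": intact,
            # Original names to request from backup (extension is appended).
            "restore_list": [f[:-len(ENCRYPTED_EXT)] for f in encrypted],
            # Earliest write time bounds when encryption reached this folder.
            "first_mtime": min(mtimes) if mtimes else None,
        }
    return report


def build_sample_tree(base):
    """Create a constructed directory tree with empty placeholder files."""
    layout = {
        "finance": ["ledger.xlsx.SINOBI", "invoices.pdf.SINOBI", "README.txt"],
        "hr": ["staff.docx.SINOBI", "payroll.db", "README.txt"],
        "docs": ["README.txt", "guide.md"],   # benign README, nothing encrypted
        "tools": ["app.exe"],                 # untouched
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            Path(base, folder, name).touch()


def demo():
    """Run the scan over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scope_impact(tmp)


if __name__ == "__main__":
    for folder, info in sorted(demo().items()):
        print(f"{folder}: {info['status']} restore={info['restore_list']}")
```

The `note_only` status exists because README.txt is a very common legitimate file name; only directories that also contain .SINOBI files should be counted as impacted.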

New Capabilities of the Sinobi Variant

Intelligence on the Sinobi variant points to two significant new capabilities that increase its potential for lateral movement and credential theft, making it a more formidable threat than its predecessor.

Lateral Movement via Removable Media (T1091)

According to CYFIRMA, the primary evolution in the Sinobi variant would be a mechanism to spread via USB devices, with the malware being capable of scanning the system’s USB bus, detecting connected removable media, and copying itself to those drives. This tactic changes the threat model for containment and spread.

The implications of this capability are threefold:

  1. Accelerated Internal Spread: Employees frequently move USB drives between workstations, creating a highly effective propagation vector that can quickly spread the infection across a network, bypassing some network-based security controls.

  2. Breaching Network Segments: A USB spread mechanism can traverse network segmentation boundaries. An infected device in a less secure segment can pass the malware to a USB drive, which an authorized user might then plug into a machine in a more secure, isolated segment.

  3. Threat to Air-Gapped Systems: This capability poses a threat to networks that are physically disconnected from the internet and other corporate networks for maximum security. The only way to transfer data to or from such systems is typically via removable media.

The addition of this “worm-like” feature would demonstrate a strategic effort by the Sinobi developers to overcome common network security architectures and would make containment of an infection more challenging.

Advanced Credential Access via Windows Credential Manager (T1555.004)

The second major evolution observed in Sinobi is its ability to directly target and steal credentials from the Windows Credential Manager.

By targeting this repository, Sinobi uses a stealthier method of credential harvesting compared to active techniques like keylogging or memory scraping with tools like Mimikatz. This can be done using native Windows tools like vaultcmd.exe or by abusing Windows APIs such as CredEnumerateA to list the stored credentials.

By stealing these passwords, the Sinobi malware can authenticate to other systems on the network as a legitimate user, making its lateral movement much harder to detect than if it were using exploits. This shows that the group is refining its TTPs to be more efficient.

Static Analysis

The code matches Lynx and INC and reveals a wide range of capabilities designed for stealth, system disruption, and effective deployment of its ransomware payload.

main section

The main section initiates the execution of other functions in a logical sequence to achieve total system compromise. It is responsible for:

  • Initiating threads for parallel task execution.
  • Calling functions to enumerate and encrypt files.
  • Calling functions to manipulate system services.
  • Displaying the ransom note.

.text:0000000140009530 loc_140009530:
.text:0000000140009530      mov     rcx, [rsi+rbx*8]
.text:0000000140009534      lea     rdx, aStopProcesses
.text:000000014000953B      call    cs:lstrcmpiW
.text:0000000140009541      test    eax, eax
.text:0000000140009543      jz      loc_140009693
.text:0000000140009549      inc     rbx
.text:000000014000954C      cmp     rbx, rdi
.text:000000014000954F      jl      short loc_140009530

.text:0000000140009E69      call    cs:GetSystemInfo
.text:0000000140009E6F      mov     eax, cs:SystemInfo.dwNumberOfProcessors
.text:0000000140009E8E      call    cs:CreateIoCompletionPort
.text:0000000140009EC1 loc_140009EC1:
.text:0000000140009EC8      lea     r8, sub_140006D40
.text:0000000140009EDD      call    cs:CreateThread
.text:0000000140009EEE      inc     rbx
.text:0000000140009EF1      cmp     rbx, rsi
.text:0000000140009EF4      jl      short loc_140009EC1

APIs Used

  • GetCommandLineW, CommandLineToArgvW: Process CLI arguments.
  • CreateThread: Create new threads and execute functions in parallel.
  • CreateIoCompletionPort: Manage I/O operations to read and write a large number of files quickly.
  • WaitForMultipleObjects: Synchronize the execution of different threads.
  • SHEmptyRecycleBinA: Empty the Recycle Bin.
  • Calls other functions like sub_140005D10, sub_140006A40, sub_140007150, sub_140008570, and sub_140008980.

sub_140005D10 and sub_140006040

These functions represent an evolution in this Sinobi variant, acting as the core of its reconnaissance and propagation mechanisms. They are responsible for identifying and listing all accessible disk drives and network shares, but their role is twofold and significantly more advanced:

  1. Spread via USB Devices: The malware is capable of scanning the system for removable media. Using GetDriveTypeW to specifically identify USB devices and FindFirstVolumeW to enumerate them, it can detect connected drives and copy itself to them, enabling it to spread to other networks.
  2. Reconnaissance for Credential Theft: While enumerating network resources with functions like WNetEnumResourceW, the malware maps out the entire accessible environment, giving it the ability to directly target and steal credentials from the Windows Credential Manager. The malware can deploy modules that abuse Windows APIs like CredEnumerateA or native tools such as vaultcmd.exe to harvest stored credentials.

.text:0000000140005D10 sub_140005D10 proc near
.text:0000000140005D2D      call    cs:GetDriveTypeW
.text:0000000140005D33      cmp     eax, 5          ; DRIVE_CDROM
.text:0000000140005D36      jz      loc_140005DA5
.text:0000000140005D38      cmp     eax, 2          ; DRIVE_REMOVABLE
.text:0000000140005D3B      jnz     loc_140005DB3

.text:0000000140006040 sub_140006040 proc near
.text:0000000140006059      call    cs:WNetOpenEnumW
.text:0000000140006093      call    cs:WNetEnumResourceW
.text:00000001400060C0      call    sub_140006240

APIs Used

  • GetDriveTypeW: To determine the drive type, like removable drives (USBs).
  • FindFirstVolumeW, FindNextVolumeW, FindVolumeClose: To enumerate all disk volumes on the system.
  • WNetOpenEnumW, WNetEnumResourceW, WNetCloseEnum: To enumerate network resources, such as file shares, as part of its broader reconnaissance phase.

sub_140006240

This function is crucial for the malware’s dissemination and persistence: it traverses the filesystem to find files to encrypt. It can also be used to drop copies of the malware in other locations, including network drives, to infect other systems.

.text:0000000140006326      lea     rdx, asc_14002C4C0
.text:000000014000632D      call    cs:lstrcmpiW
.text:0000000140006362      mov     rcx, [rbp+arg_0]
.text:0000000140006366      call    sub_140006240

APIs Used

  • FindFirstFileW, FindNextFileW: To search for files and directories.
  • CreateFileW, WriteFile, CloseHandle: To create and write to files (likely for encrypting them or creating copies of the malware).
  • CreateThread: Can start new threads to accelerate the encryption process or to execute other malicious tasks in the background.

sub_140006A40

This function was designed to ensure that the encryption process will not be interrupted. It may attempt to gain control over files that are in use by other processes, forcing them to close so they can be encrypted.

.text:0000000140006A40 sub_140006A40 proc near
.text:0000000140006A8D      call    cs:CreateFileW
.text:0000000140006A93      mov     rbx, rax
.text:0000000140006A96      cmp     rax, 0FFFFFFFFFFFFFFFFh
.text:0000000140006A9A      jz      loc_140006D31
.text:0000000140006AD5      mov     r9d, 90018h
.text:0000000140006ADB      xor     r8d, r8d
.text:0000000140006ADE      mov     rcx, rbx
.text:0000000140006ADF      call    cs:DeviceIoControl

APIs Used

  • DeviceIoControl: To send low level control commands to device drivers, which can be used to force the unlocking of files.
  • CreateThread: To execute tasks asynchronously.

sub_140006D40 and sub_140007150

These are the main encryption functions. They read the content of the files, encrypt it, and then write the encrypted content back to the disk. The function sub_140007150 also handles the import of encryption keys and the preparation of files for encryption.

.text:0000000140006DBC      call    cs:ReadFile
.text:0000000140006D8C      call    cs:WriteFile
.text:0000000140007307      call    cs:CryptStringToBinaryA
.text:0000000140006E1A      call    cs:PostQueuedCompletionStatus

APIs Used

  • ReadFile, WriteFile: To read from and write to files.
  • GetFileAttributesW, SetFileAttributesW: To manipulate file attributes.
  • CryptStringToBinaryA: To convert a string into a binary format that can be used by cryptographic functions.
  • PostQueuedCompletionStatus: To queue I/O operations on a completion port, which indicates a sophisticated design to maximize encryption speed.

sub_140007C30 and sub_140007E70

These functions are designed to bypass system defenses and ensure the malware has the necessary privileges to operate. sub_140007C30 uses the Restart Manager to terminate processes or services that might be locking access to files, while sub_140007E70 attempts to elevate the malware’s privileges, allowing it to perform actions that would normally be restricted.

.text:0000000140007C30 sub_140007C30 proc near
.text:0000000140007C5D      call    cs:RmStartSession
.text:0000000140007C74      call    cs:RmRegisterResources
.text:0000000140007C8E      call    cs:RmGetList
.text:0000000140007CDE      call    cs:RmShutdown
.text:0000000140007E70 sub_140007E70 proc near
...
.text:0000000140007FE4      lea     rcx, SeTakeOwnershipPrivilege
.text:0000000140007FEB      call    cs:LookupPrivilegeValueW
...
.text:0000000140008035      call    cs:AdjustTokenPrivileges

APIs Used

  • RmStartSession, RmRegisterResources, RmGetList, RmShutdown: Restart Manager functions used to identify and terminate processes that are using specific files.
  • OpenProcess, TerminateProcess: Force the termination of processes.
  • AllocateAndInitializeSid, SetEntriesInAclW, SetNamedSecurityInfoW: To manipulate security descriptors and gain access to files and other resources.
  • AdjustTokenPrivileges: To obtain additional privileges for the malware’s process.

sub_140008980

This function creates and displays the ransom note. It generates an image containing the text and then sets this image as the victim’s desktop wallpaper.

.text:0000000140008A89      call    cs:CreateFontW
.text:0000000140008AA4      call    cs:CreateCompatibleDC
.text:0000000140008AD8      call    cs:DrawTextA
.text:0000000140008C94      lea     rcx, aControlPanelDes
.text:0000000140008C9B      call    cs:RegOpenKeyW
.text:0000000140008CC4      call    cs:RegSetValueExW
.text:0000000140008CFB      call    cs:SystemParametersInfoW

APIs Used

  • GetTempPathW: To get the path to the temporary directory where the ransom note image will be created.
  • CreateFontW, GetDC, DrawTextA: To create the image with the ransom note text.
  • RegOpenKeyW, RegSetValueExW, RegCloseKey: To modify the Windows Registry and set the new wallpaper.
  • SystemParametersInfoW: To apply the wallpaper change.

sub_140009030

This is the encryption key generation function. It uses Windows cryptographic functions to generate random keys that will be used to encrypt the victim’s files.

.text:0000000140009030 sub_140009030 proc near
.text:00000001400090A1      call    cs:CryptAcquireContextW
.text:00000001400090F8      call    cs:CryptGenRandom
.text:0000000140009121      call    cs:CryptReleaseContext

APIs Used

  • CryptAcquireContextW: To obtain a handle to a cryptographic service provider.

  • CryptGenRandom: To generate cryptographically secure random data, which is used to create the encryption keys.

Static Analysis Conclusion

The static analysis of the Sinobi ransomware binary provides evidence of a sophisticated threat. The malware is a tool designed for stealth, resilience, and maximum operational impact. Each function serves a distinct purpose within a structured attack plan, confirming the TTPs outlined previously and revealing the technical depth of this evolved threat.

The key findings from the static code are:

  • Advanced Execution: The main function acts as a central controller that parses CLI arguments for operational flexibility and launches a multi-threaded attack using CreateIoCompletionPort and CreateThread, providing high speed parallel execution to encrypt a system as quickly as possible.
  • Systematic Defense Evasion: The malware proactively neutralizes system defenses by employing the Windows Restart Manager (sub_140007C30) to terminate processes that have locked critical files and elevates its own privileges by enabling SeTakeOwnershipPrivilege (sub_140007E70).
  • Evolved Propagation and Reconnaissance: A significant evolution is evident in its propagation capabilities where the code in sub_140005D10 explicitly checks for removable drives using GetDriveTypeW, confirming its ability to spread via USB devices. This is complemented by network reconnaissance functions like WNetEnumResourceW, allowing it to map out its environment for further compromise.
  • Robust Ransomware Lifecycle: The malware uses CryptGenRandom for secure key generation (sub_140009030), deploys a complex encryption routine and ensures the victim is immediately impacted by programmatically changing the desktop wallpaper to a ransom note (sub_140008980).

IOCs

Known File Hashes (SHA256)

This table provides unique cryptographic fingerprints for known Sinobi and Lynx ransomware executables.


Associated Domains and URLs

This table lists web addresses known to be used by the Sinobi group for their data leak site and negotiation portals.


Sources