Sinobi Ransomware Strikes via Breached SonicWall VPN Accounts

In August 2025, eSentire’s Threat Response Unit (TRU) uncovered a major ransomware attack linked to the Sinobi Group, a threat actor suspected to be a rebrand of the Lynx Ransomware-as-a-Service (RaaS) operation that emerged in 2024.

Investigators established this connection based on significant code similarities and nearly identical data leak platforms, supporting the conclusion that Sinobi is a direct evolution of Lynx.

TRU’s analysis also suggests that Lynx acquired the INC Ransomware source code from a Russian-speaking hacker known as “salfetka,” who previously advertised the code for sale in underground forums.

Ransomware Rebrand with Advanced Tactics

Attackers initiated their campaign by leveraging compromised credentials from a managed service provider’s (MSP) SonicWall SSL VPN account, which had over-privileged domain administrator access.

With these credentials, they established direct Remote Desktop Protocol (RDP) access and created new local administrator accounts to facilitate lateral movement across the network. This allowed them to evade security controls and achieve extensive internal compromise.

Sophisticated Evasion and Encryption Techniques

The Sinobi Group affiliate methodically disabled endpoint protection by targeting VMware Carbon Black EDR.

Initial attempts via the command line and third-party utilities were unsuccessful, but attackers eventually accessed deregistration codes stored on network shares, allowing them to uninstall security software.

Once defenses were neutralized, sensitive company data was exfiltrated using RClone, a legitimate but frequently abused command-line tool for cloud file transfers. Exfiltrated files were sent to infrastructure commonly observed in global cyberattacks.
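A detection sketch for the chain described above (compromised SSL VPN account, RDP logon, new local administrator, RClone execution), written as an added example for this article and not taken from eSentire or its tooling; the event records, host names, account names and the VPN client address pool are constructed, and the correlation logic is an assumption about how a SOC might model it.

```python
import datetime as dt

# Constructed Windows Security events (hypothetical hosts, users and addresses).
# 4624/type 10 = RDP logon, 4720 = account created, 4732 = added to local group, 4688 = process start.
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T02:10:00", "id": 4624, "user": "msp-admin", "logon_type": 10,
     "src": "10.200.0.15", "host": "DC01"},
    {"ts": "2025-08-01T02:14:00", "id": 4720, "user": "msp-admin", "target": "svc_backup2", "host": "DC01"},
    {"ts": "2025-08-01T02:15:00", "id": 4732, "user": "msp-admin", "target": "svc_backup2",
     "group": "Administrators", "host": "DC01"},
    {"ts": "2025-08-01T03:40:00", "id": 4688, "user": "svc_backup2", "process": "C:\\Temp\\rclone.exe",
     "host": "FS01"},
    {"ts": "2025-08-01T09:00:00", "id": 4624, "user": "jdoe", "logon_type": 2, "src": "-", "host": "WS22"},
]

VPN_POOL_PREFIX = "10.200.0."   # assumed SSL VPN client address pool
EXFIL_TOOLS = {"rclone.exe"}    # legitimate tools worth alerting on when run by fresh admin accounts


def parse_ts(s):
    return dt.datetime.fromisoformat(s)


def correlate(events, window_minutes=60):
    """Return alert strings for: RDP logon from the VPN pool -> new local account created by that
    session within the window, and any exfil tool started by an account recently made Administrator."""
    alerts = []
    by_ts = sorted(events, key=lambda e: e["ts"])
    vpn_rdp = [e for e in by_ts if e["id"] == 4624 and e["logon_type"] == 10
               and e["src"].startswith(VPN_POOL_PREFIX)]
    for logon in vpn_rdp:
        t0 = parse_ts(logon["ts"])
        for e in by_ts:
            age = (parse_ts(e["ts"]) - t0).total_seconds()
            if e["id"] == 4720 and e["user"] == logon["user"] and 0 <= age <= window_minutes * 60:
                alerts.append(f"new local account {e['target']} created by VPN/RDP session "
                              f"of {logon['user']} on {e['host']}")
    admin_adds = {e["target"] for e in by_ts if e["id"] == 4732 and e.get("group") == "Administrators"}
    for e in by_ts:
        if e["id"] == 4688 and e["process"].lower().rsplit("\\", 1)[-1] in EXFIL_TOOLS:
            tag = " (account recently added to Administrators)" if e["user"] in admin_adds else ""
            alerts.append(f"exfiltration tool {e['process']} run by {e['user']} on {e['host']}{tag}")
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```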

Deployment of the Sinobi Ransomware began after data exfiltration. The malware, almost identical to its Lynx predecessor, uses a hybrid encryption scheme: Curve25519 elliptic curve cryptography for key exchange and AES-128-CTR for file encryption.

Lynx vs Sinobi leak-site comparison

Each file is encrypted with a unique, cryptographically secure key, making restoration of data impossible without the attacker’s private key.

The ransomware deletes the contents of the recycle bin, mounts hidden network volumes to maximize damage, and deletes Windows shadow copies using low-level device management APIs, thereby preventing conventional recovery methods.

During execution, Sinobi terminates standard backup and database processes, modifies file permissions to thwart recovery, and writes ransom notes to each directory, leaving a clear digital footprint. SINOBI-marked files and an altered desktop wallpaper accompany every attack.

eSentire has released forensic tools and scripts to help researchers analyze Sinobi’s cryptographic operations, though the robust key generation hampers decryption efforts.

Lessons and Recommendations

eSentire’s 24/7 SOC quickly contained the breach, isolated affected infrastructure, and coordinated remediation with the impacted organization.

The company’s TRU emphasized the crucial security lessons from this incident: organizations must avoid storing EDR uninstall codes in accessible file shares and restrict excessive remote access privileges, especially for accounts linked to VPN gateways.

Enhanced vulnerability management, rigorous patching, and enabling anti-tamper features on endpoint security tools are essential defenses against sophisticated ransomware operations such as Sinobi.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders
