Skip to content
Ransomware group Windows

Sinobi

Sinobi is a ransomware operation that emerged in mid-2025 and is widely assessed as a rebrand of, or very close relative to, the Lynx ransomware ecosystem, with broader lineage tied to the 2024 underground sale of INC ransomware source code.

Profile source: Mallory opens in a new tab

Sinobi

Family profile

Sinobi is a ransomware operation that emerged in mid-2025 and is widely assessed as a rebrand of, or very close relative to, the Lynx ransomware ecosystem, with broader lineage tied to the 2024 underground sale of INC ransomware source code. Code and tradecraft overlap reported among INC, Lynx, and Sinobi indicate that Sinobi belongs to the same evolving criminal cluster rather than an entirely distinct lineage.

Sinobi is used in double-extortion attacks, stealing data prior to encryption and then pressuring victims through extortion. Reported cryptographic implementation includes Curve25519 with AES-128-CTR, and encrypted files have been associated with a distinctive Sinobi-branded extension. The operation has been observed targeting Windows environments and is also linked through lineage reporting to Linux and ESXi-capable ransomware development inherited from the INC codebase, although direct Sinobi-specific cross-platform deployment details are less consistently documented.

Initial access associated with Sinobi includes credentials obtained through initial access broker activity, phishing, and exploitation of exposed edge infrastructure such as VPN, Citrix, Fortinet, and SonicWall appliances. One reporting stream specifically linked Sinobi deployment to compromised SonicWall VPN access. Victim access has also been obtained through compromised third-party provider credentials. Sector reporting shows notable activity against healthcare, biotechnology, specialized healthcare companies, manufacturing, construction, telecommunications, and other industrial organizations, with multiple references to healthcare-focused operations in 2025. Public victim-count reporting indicates Sinobi became one of the more active ransomware brands during late 2025, though activity levels fluctuated sharply over time.

Sinobi is best understood as part of the broader post-INC fragmentation of the ransomware ecosystem, where leaked or sold source code, affiliate migration, and rebranding have complicated attribution. Its operational profile aligns with modern ransomware crews that combine credential-driven intrusion, exploitation of perimeter appliances, data theft, and encryption-based extortion against enterprises with low tolerance for downtime.

Capabilities

  • Credential Theft
  • Exfiltration
  • Extortion
  • Initial Access

Ransomware.live

Operational record

View group record ↗

Exploited software

Vulnerabilities linked to Sinobi

3 CVEs

MITRE ATT&CK

Sinobi in ATT&CK

25 distinct techniques

Reporting

Research mentioning Sinobi

Jul 14
Cyberscoop

US sanctions First VPN and administrator for supporting ransomware | CyberScoop

TRM Labs said it has seen 1VPNS selling its services to ransomware operators for prices ranging from $723 for Anubis to $58 Sinobi.

Jun 24
Cyberandramen

INC Ransomware Targets Mainframes

The group claimed nearly 1,000 victims since its inception, and in 2024, the source code for both the Windows and Linux/ESXi encryptors were sold on underground forums. That sale gave rise to at least two families, Lynx and Sinobi, and introduced an attribution complexity that persist today.

Jun 19
Cysecurity News

INC Ransomware Climbs Into Top Tier of Cybercrime Operations, Surpasses 830 Victims - CySecurity News - Latest Information Security and Hacking Incidents

Acronis noted that the sale of INC's Windows and Linux ransomware variants on underground cybercrime forums in May 2024 contributed to the appearance of related ransomware families, including Lynx and Sinobi.

Jun 17
Acronis

From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware

Sometime later, the Sinobi ransomware operation also appeared. INC's evolution therefore branches at this point: the original brand continues to operate while elements of its codebase propagate into adjacent operations.

May 11
Checkpoint Research

The State of Ransomware - Q1 2026 - Check Point Research

Sinobi dropped by 42%, from 139 victims to 80. After a strong January (56 victims), activity collapsed to just 7 victims in March.

Mar 16
Cyberscoop

The ransomware economy is shifting toward straight-up data extortion | CyberScoop

The most active ransomware brands last year included Qilin, Akira, Clop, Play, Safepay, Inc, Lynx, RansomHub, DragonForce and Sinobi.

Jan 27
Cybersecurity Dive

Interconnectedness, extortion risk make cybersecurity a healthcare C-suite priority | Cybersecurity Dive

Other groups also established dangerous reputations, including Sinobi, a new group focusing on biotechnology firms and other specialized health-care companies...

Jan 16
Hipaa Journal

Ransomware Attacks Increased by 58% in 2025

A relatively new ransomware group called Sinobi has conducted several attacks on healthcare organizations since it emerged in mid-2025.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.