Sinobi
Sinobi is a ransomware operation that emerged in mid-2025 and is widely assessed as a rebrand of, or very close relative to, the Lynx ransomware ecosystem, with broader lineage tied to the 2024 underground sale of INC ransomware source code.
Profile source: Mallory opens in a new tabSinobi
Family profile
Sinobi is a ransomware operation that emerged in mid-2025 and is widely assessed as a rebrand of, or very close relative to, the Lynx ransomware ecosystem, with broader lineage tied to the 2024 underground sale of INC ransomware source code. Code and tradecraft overlap reported among INC, Lynx, and Sinobi indicate that Sinobi belongs to the same evolving criminal cluster rather than an entirely distinct lineage.
Sinobi is used in double-extortion attacks, stealing data prior to encryption and then pressuring victims through extortion. Reported cryptographic implementation includes Curve25519 with AES-128-CTR, and encrypted files have been associated with a distinctive Sinobi-branded extension. The operation has been observed targeting Windows environments and is also linked through lineage reporting to Linux and ESXi-capable ransomware development inherited from the INC codebase, although direct Sinobi-specific cross-platform deployment details are less consistently documented.
Initial access associated with Sinobi includes credentials obtained through initial access broker activity, phishing, and exploitation of exposed edge infrastructure such as VPN, Citrix, Fortinet, and SonicWall appliances. One reporting stream specifically linked Sinobi deployment to compromised SonicWall VPN access. Victim access has also been obtained through compromised third-party provider credentials. Sector reporting shows notable activity against healthcare, biotechnology, specialized healthcare companies, manufacturing, construction, telecommunications, and other industrial organizations, with multiple references to healthcare-focused operations in 2025. Public victim-count reporting indicates Sinobi became one of the more active ransomware brands during late 2025, though activity levels fluctuated sharply over time.
Sinobi is best understood as part of the broader post-INC fragmentation of the ransomware ecosystem, where leaked or sold source code, affiliate migration, and rebranding have complicated attribution. Its operational profile aligns with modern ransomware crews that combine credential-driven intrusion, exploitation of perimeter appliances, data theft, and encryption-based extortion against enterprises with low tolerance for downtime.
Capabilities
- Credential Theft
- Exfiltration
- Extortion
- Initial Access
Ransomware.live
Operational record
Exploited software
Vulnerabilities linked to Sinobi
3 CVEsMITRE ATT&CK
Sinobi in ATT&CK
25 distinct techniquesReporting
Research mentioning Sinobi
US sanctions First VPN and administrator for supporting ransomware | CyberScoop
TRM Labs said it has seen 1VPNS selling its services to ransomware operators for prices ranging from $723 for Anubis to $58 Sinobi.
INC Ransomware Targets Mainframes
The group claimed nearly 1,000 victims since its inception, and in 2024, the source code for both the Windows and Linux/ESXi encryptors were sold on underground forums. That sale gave rise to at least two families, Lynx and Sinobi, and introduced an attribution complexity that persist today.
INC Ransomware Climbs Into Top Tier of Cybercrime Operations, Surpasses 830 Victims - CySecurity News - Latest Information Security and Hacking Incidents
Acronis noted that the sale of INC's Windows and Linux ransomware variants on underground cybercrime forums in May 2024 contributed to the appearance of related ransomware families, including Lynx and Sinobi.
From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware
Sometime later, the Sinobi ransomware operation also appeared. INC's evolution therefore branches at this point: the original brand continues to operate while elements of its codebase propagate into adjacent operations.
The State of Ransomware - Q1 2026 - Check Point Research
Sinobi dropped by 42%, from 139 victims to 80. After a strong January (56 victims), activity collapsed to just 7 victims in March.
The ransomware economy is shifting toward straight-up data extortion | CyberScoop
The most active ransomware brands last year included Qilin, Akira, Clop, Play, Safepay, Inc, Lynx, RansomHub, DragonForce and Sinobi.
Interconnectedness, extortion risk make cybersecurity a healthcare C-suite priority | Cybersecurity Dive
Other groups also established dangerous reputations, including Sinobi, a new group focusing on biotechnology firms and other specialized health-care companies...
Ransomware Attacks Increased by 58% in 2025
A relatively new ransomware group called Sinobi has conducted several attacks on healthcare organizations since it emerged in mid-2025.