MOXFIVE Threat Actor Spotlight - Sinobi

Every month, we take a look at a current ransomware threat actor.

October 1, 2025

Sinobi

In July 2025, MOXFIVE encountered a new ransomware operation called Sinobi, which first entered the threat landscape in late June. There are clear similarities between the Sinobi data leak site and that of the Lynx ransomware-as-a-service (RaaS). Additional infrastructure overlap between the two variants suggests a possible rebrand.

Since its emergence, Sinobi has impacted approximately 40 victims as of September 2025, most of them in the United States. The threat actors deploying the ransomware employ double extortion tactics to create leverage, exfiltrating stolen data before encrypting systems. The encrypted files are typically appended with “.SINOBI,” and a README.txt ransom note is left behind.

While victims span multiple sectors, the majority of the impact has been among organizations in manufacturing and production. The following sections provide additional context based on MOXFIVE’s incident experience and on other campaigns involving Sinobi activity and tactics.


Figure 1: Sinobi data leak site.

Key Highlights

Industry Insights: Since the first appearance of Sinobi, threat actors deploying the ransomware have mostly impacted organizations where operational downtime can significantly affect revenue and exposure of sensitive data can bring regulatory pressure. Manufacturing and production were impacted the most, followed by construction and engineering. The financial, healthcare, and education sectors were the next most impacted industries.

Global Insights: This ransomware has made a strong impact in the United States, with additional activity observed across multiple regions. Countries impacted include Australia, Taiwan, the United Kingdom, and Israel. Although activity was present in other countries, it was minimal by comparison.

Figure 2: Top five industries impacted.

Initial Access: Threat actors deploying Sinobi have relied on remote access pathways to establish footholds in victim environments. Incidents show credential abuse against VPN portals, use of over-privileged third-party accounts, and exploitation of public-facing applications and services.
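The credential abuse against VPN portals described above tends to show up in authentication logs before any encryption does. The following is an added detection example (not MOXFIVE code or a specific product's query); the log format, the IP addresses, the account names and the thresholds are all constructed assumptions, chosen to resemble a generic VPN authentication log.

```python
"""
Detection logic for credential abuse against a VPN portal (added example).

Two checks run over constructed sample events:
  1. password spraying: one source fails against many distinct accounts
     inside a short window;
  2. a successful login from a source that was just spraying, which is the
     moment a foothold is established and is worth an immediate alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (not real data). The format
# "<timestamp> vpn-auth src=<ip> user=<name> result=<FAIL|SUCCESS>" is assumed.
SAMPLE_LOG = """\
2025-07-01T02:10:01Z vpn-auth src=203.0.113.5 user=alice result=FAIL
2025-07-01T02:10:03Z vpn-auth src=203.0.113.5 user=bob result=FAIL
2025-07-01T02:10:05Z vpn-auth src=203.0.113.5 user=carol result=FAIL
2025-07-01T02:10:07Z vpn-auth src=203.0.113.5 user=dave result=FAIL
2025-07-01T02:10:09Z vpn-auth src=203.0.113.5 user=erin result=FAIL
2025-07-01T02:10:11Z vpn-auth src=203.0.113.5 user=frank result=FAIL
2025-07-01T02:10:20Z vpn-auth src=203.0.113.5 user=svc-vendor result=SUCCESS
2025-07-01T02:11:00Z vpn-auth src=198.51.100.7 user=alice result=SUCCESS
2025-07-01T02:12:00Z vpn-auth src=198.51.100.9 user=gina result=FAIL
2025-07-01T02:12:30Z vpn-auth src=198.51.100.9 user=gina result=SUCCESS
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts_str, _, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: [users]} for sources failing against >= min_users distinct
    accounts within `window`. A single user retrying a mistyped password
    never trips this, because the distinct-user count stays at one."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, entries in fails.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            users = {u for t, u in entries[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def detect_success_after_spray(events, sprayers):
    """Successful logins from a spraying source: valid credentials were found."""
    return sorted((e["src"], e["user"]) for e in events
                  if e["result"] == "SUCCESS" and e["src"] in sprayers)


def run(log_text=SAMPLE_LOG):
    """Run both checks and return their findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    sprayers = detect_spraying(events)
    return {
        "spraying_sources": sprayers,
        "successes_from_sprayers": detect_success_after_spray(events, sprayers),
    }


if __name__ == "__main__":
    print(run())
```

The second check is the one to page on: a spray that ends in a success against a third-party or service account is exactly the over-privileged vendor access the spotlight calls out, and the account should be disabled and its sessions revoked while the source is investigated.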

Notable Leveraged Exploit(s):

Encryption and Exfiltration: Sinobi uses a double-extortion model. In most cases, the threat actors stage and exfiltrate data before impact, then encrypt files and leave a ransom note to drive negotiations. Observed activity includes data movement with Rclone to external infrastructure, followed by file encryption that appends the .SINOBI extension and a ransom note named README.txt containing Tor negotiation links and a payment deadline, usually about one week.
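The sequence above (Rclone transfer first, mass rename to .SINOBI plus README.txt later) can be correlated from ordinary endpoint telemetry. The following is an added detection example, not MOXFIVE code; the event line format, host names, paths and the five-minute window are constructed assumptions. The only indicators it relies on are the ones the spotlight names: Rclone for data movement, the .SINOBI extension and a README.txt note at encryption time.

```python
"""
Detection logic for the Sinobi exfiltration-then-encryption pattern (added example).

Three checks over constructed endpoint telemetry:
  1. Rclone copy/sync/move executions (candidate staging/exfiltration);
  2. a burst of renames to ".SINOBI" on one host together with a README.txt
     being written (encryption impact; a lone README.txt is ignored);
  3. hosts where (1) precedes (2): the double-extortion sequence.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Backslashes are doubled only
# because this is a Python string literal.
SAMPLE_EVENTS = """\
2025-07-02T01:00:00Z host=FS01 type=proc image="C:\\Windows\\System32\\svchost.exe" cmd="svchost.exe -k netsvcs"
2025-07-02T01:05:00Z host=FS01 type=proc image="C:\\Temp\\rclone.exe" cmd="rclone.exe copy D:\\Shares\\Finance remote:stage --transfers 32"
2025-07-02T01:30:00Z host=WS07 type=proc image="C:\\Tools\\rclone.exe" cmd="rclone.exe lsd remote:"
2025-07-02T03:00:01Z host=FS01 type=file action=rename path="D:\\Shares\\Finance\\q2.xlsx.SINOBI"
2025-07-02T03:00:01Z host=FS01 type=file action=rename path="D:\\Shares\\Finance\\payroll.csv.SINOBI"
2025-07-02T03:00:02Z host=FS01 type=file action=rename path="D:\\Shares\\Finance\\contracts.pdf.SINOBI"
2025-07-02T03:00:02Z host=FS01 type=file action=create path="D:\\Shares\\Finance\\README.txt"
2025-07-02T03:00:03Z host=FS01 type=file action=rename path="D:\\Shares\\HR\\staff.docx.SINOBI"
2025-07-02T03:00:03Z host=FS01 type=file action=create path="D:\\Shares\\HR\\README.txt"
2025-07-02T09:00:00Z host=WS07 type=file action=create path="C:\\Users\\jdoe\\README.txt"
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted (contain spaces)
RCLONE_XFER = re.compile(r"\brclone(?:\.exe)?\s+(copy|sync|move)\b", re.I)


def parse(text):
    """Parse event lines into dicts; quoted values keep their inner spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = LINE_RE.match(line).groups()
        ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_rclone_exfil(events):
    """Rclone transfer subcommands. Returns [(host, ts, cmd)]; 'rclone lsd' alone is not a transfer."""
    return [(e["host"], e["ts"], e["cmd"]) for e in events
            if e.get("type") == "proc" and RCLONE_XFER.search(e.get("cmd", ""))]


def detect_sinobi_encryption(events, window=timedelta(minutes=5), threshold=3):
    """Hosts with >= threshold '.SINOBI' renames inside `window` AND a README.txt
    written. Returns {host: first_rename_ts}."""
    renames, notes = defaultdict(list), defaultdict(bool)
    for e in events:
        if e.get("type") != "file":
            continue
        path = e.get("path", "")
        if e.get("action") == "rename" and path.upper().endswith(".SINOBI"):
            renames[e["host"]].append(e["ts"])
        if e.get("action") == "create" and path.split("\\")[-1].lower() == "readme.txt":
            notes[e["host"]] = True
    flagged = {}
    for host, times in renames.items():
        times.sort()
        for i, t0 in enumerate(times):
            if notes[host] and sum(1 for t in times[i:] if t - t0 <= window) >= threshold:
                flagged[host] = t0
                break
    return flagged


def correlate(events):
    """Hosts where an Rclone transfer preceded encryption: the double-extortion sequence."""
    first_exfil = {}
    for host, ts, _ in detect_rclone_exfil(events):
        first_exfil[host] = min(first_exfil.get(host, ts), ts)
    enc = detect_sinobi_encryption(events)
    return sorted(h for h, t in enc.items() if h in first_exfil and first_exfil[h] < t)


if __name__ == "__main__":
    evs = parse(SAMPLE_EVENTS)
    print(detect_rclone_exfil(evs), detect_sinobi_encryption(evs), correlate(evs))
```

Because Rclone is also legitimate administrative tooling, the first check is a review queue rather than a page by itself; the value is in the correlation, and the gap between the transfer and the rename burst (two hours in the constructed data) is the window in which containing the host still prevents the data loss from being compounded by encryption.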

Tooling and Execution: Threat actors deploying Sinobi favor a light footprint and tools that resemble routine administration. Access is maintained, movement progresses to file servers, data is taken, and encryption applies pressure.

MOXFIVE has been tracking the Sinobi threat actor group since its involvement in some of the group's first incidents in July 2025. We continue to track the group's evolving tradecraft to stay proactive and better support organizations facing this threat.

If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.