Ransom Note | Image: TRU
Recently, eSentire’s Threat Response Unit (TRU) investigated a ransomware attack that it has attributed to an affiliate of the Sinobi Group. The case provides new insights into Sinobi’s technical sophistication and raises suspicions that the group may actually be a rebrand of Lynx, a Ransomware-as-a-Service (RaaS) operation first observed in 2024.
TRU notes that “due to significant code overlaps and other similarities in the ransomware binaries and data leak sites, Sinobi is suspected to be a rebrand of Lynx.” The report adds that, with medium confidence, Lynx likely purchased the INC Ransomware source code from a hacker using the handle “salfetka” (Russian for “napkin”), who had advertised it on Exploit/XSS forums.
The affiliate behind the August intrusion gained access by abusing compromised SonicWall SSL VPN credentials tied to an over-privileged Active Directory account. As TRU explains, “a Sinobi Group affiliate leveraged compromised third-party MSP SonicWall SSL VPN credentials that mapped to an over-privileged Active Directory account (domain administrator rights), enabling internal network access and direct RDP access to a file server.”
Once inside, the attackers created a new local administrator account, moved laterally, and targeted defenses. Notably, they attempted to remove Carbon Black EDR, succeeding after discovering deregistration information on the file server. They then exfiltrated data with RClone, transferring files to infrastructure hosted by Global Connectivity Solutions LLP, a provider eSentire has observed in other campaigns.
The final stage involved deploying Sinobi ransomware, which encrypted files across local and shared drives, leaving ransom notes and appending the .SINOBI extension.
Sinobi’s encryption routines demonstrate strong cryptographic engineering. According to TRU, “Sinobi ransomware uses Curve-25519 Donna + AES-128-CTR to encrypt files, making recovery impossible without the attacker’s Curve-25519 private key.” This is similar to Babuk ransomware’s method.
Other notable features include:
- Deletion of Recycle Bin files to prevent recovery.
- Enumeration of hidden drives/volumes to maximize damage.
- Shadow copy deletion via DeviceIoControl and IOCTL_VOLSNAP manipulation, a method first documented by Fortinet in 2020.
- Process killing (e.g., SQL, Veeam, backup, Exchange) to ensure encryption completes.
Each file is appended with a custom footer containing encryption metadata, a SHA512-derived key, and the “SINOBI” marker. TRU emphasizes that keys are generated securely via CryptGenRandom, reducing the chance of cryptographic flaws that defenders could exploit.
Victims found ransom notes titled README.txt in every encrypted directory, demanding payment under threat of dark web leaks. To reinforce the message, the ransomware also programmatically changed the victim’s desktop wallpaper to a ransom warning image.
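The intrusion chain above (new local administrator, EDR removal, RClone exfiltration, then .SINOBI files and README.txt notes across directories) is easier to catch as a correlated sequence on one host than as isolated alerts. The following Python script is an added example written for this page, not eSentire's code or any vendor's detection content: it correlates constructed endpoint telemetry (JSON lines with assumed field names such as host, kind, image, cmdline, group and path) against those four stages. The uninstall command line and the rclone remote names are constructed placeholders, and the script deliberately does not key on vssadmin or wmic command lines, because shadow copy deletion through IOCTL_VOLSNAP leaves none.

```python
"""Correlate constructed endpoint telemetry against the Sinobi intrusion stages."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (JSON lines), not real case data. Field names
# are assumptions chosen for this example, not a vendor's schema. The Carbon
# Black uninstall command line and rclone remotes are placeholders.
SAMPLE_TELEMETRY = r"""
{"host": "FS01", "kind": "account", "action": "group_add", "group": "Administrators", "member": "svc_backup2"}
{"host": "FS01", "kind": "process", "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /x \"Carbon Black Cloud Sensor 64-bit\" UNINSTALL_CODE=PLACEHOLDER /qn"}
{"host": "FS01", "kind": "process", "image": "C:\\Temp\\rclone.exe", "cmdline": "rclone.exe copy E:\\Shares\\Finance remote:bucket/finance --transfers 8"}
{"host": "FS01", "kind": "file", "action": "create", "path": "E:\\Shares\\Finance\\budget.xlsx.SINOBI"}
{"host": "FS01", "kind": "file", "action": "create", "path": "E:\\Shares\\Finance\\README.txt"}
{"host": "FS01", "kind": "file", "action": "create", "path": "E:\\Shares\\HR\\README.txt"}
{"host": "WS07", "kind": "process", "image": "C:\\Program Files\\rclone\\rclone.exe", "cmdline": "rclone.exe sync D:\\Backups gdrive:backups"}
{"host": "WS07", "kind": "file", "action": "create", "path": "C:\\Users\\a\\Desktop\\README.txt"}
"""

# rclone invoked with a transfer verb and a "remote:" destination
RCLONE_XFER = re.compile(r"\b(copy|sync|move)\b\s+\S+\s+\w+:")


def classify(event):
    """Map a single event to an intrusion stage, or None if it matches nothing."""
    kind = event.get("kind")
    if kind == "account":
        if event.get("action") == "group_add" and event.get("group", "").lower() == "administrators":
            return "new_local_admin"
    elif kind == "process":
        cmd = event.get("cmdline", "").lower()
        image = event.get("image", "").lower()
        if image.endswith("rclone.exe") and RCLONE_XFER.search(cmd):
            return "rclone_exfil"
        # Sensor removal: product name plus an uninstall verb or msiexec /x
        if "carbon black" in cmd and ("uninstall" in cmd or " /x " in cmd):
            return "edr_tamper"
    elif kind == "file":
        if event.get("path", "").lower().endswith(".sinobi"):
            return "ransomware_artifacts"
    return None


def assess(telemetry_jsonl):
    """Return {host: sorted list of stages seen} for a JSON-lines telemetry blob."""
    stages = defaultdict(set)
    note_dirs = defaultdict(set)  # directories where a README.txt was created
    for line in telemetry_jsonl.strip().splitlines():
        ev = json.loads(line)
        host = ev["host"]
        stage = classify(ev)
        if stage:
            stages[host].add(stage)
        path = ev.get("path", "")
        if ev.get("kind") == "file" and path.lower().endswith("\\readme.txt"):
            note_dirs[host].add(path.rsplit("\\", 1)[0].lower())
    # A single README.txt is noise; notes dropped in several directories are not
    for host, dirs in note_dirs.items():
        if len(dirs) >= 2:
            stages[host].add("ransomware_artifacts")
    return {host: sorted(s) for host, s in stages.items()}


def severity(stages):
    """Escalate when encryption artifacts exist or three or more stages line up."""
    if "ransomware_artifacts" in stages or len(stages) >= 3:
        return "ransomware_chain"
    if stages:
        return "investigate"
    return "none"


if __name__ == "__main__":
    for host, seen in assess(SAMPLE_TELEMETRY).items():
        print(f"{host}: {severity(seen)} {seen}")
```

On the constructed sample, FS01 matches all four stages and is escalated, while WS07 shows only an rclone transfer and a single note file and is flagged for investigation rather than as a confirmed chain. In a real deployment the account and file stages map naturally onto Windows security events for group membership changes and file-creation telemetry from the EDR itself, which is one more reason the sensor-removal stage deserves its own alert.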
To aid defenders, eSentire released a Python script that can validate ransomware ciphertexts that use the Curve-25519 + AES-128-CTR + SHA512 method. The script allows researchers to detect coding errors that could lead to decryptors for victims.