Because Sinobi does not recruit like other RaaS groups, there’s no publicly available list of group rules, affiliate requirements, forbidden targets, or other operational details. This reduces the group’s exposure to law enforcement infiltration and limits available open-source intelligence (OSINT).
Researchers believe Sinobi’s core operators maintain the ransomware code and Tor-based infrastructure, conduct negotiations, manage the money laundering and ‘cashing out’ schemes, and enforce the rules of the group. Affiliates conduct the attacks from intrusion through ransomware deployment. This division of responsibilities is based on observed patterns in Sinobi operations, ransom notes, portal structures and negotiation processes. There is no public confirmation of this, and the revenue split between core members and affiliates is unknown.
Like most ransomware threat groups, Sinobi’s attack chain begins with gaining initial access to the victim’s environment. The group has been observed using initial access brokers (IABs), phishing attacks built on commodity phishing kits, and exploitation of vulnerable VPNs, firewall appliances, or remote access systems such as Citrix or Fortinet. Sinobi has also compromised a third party and followed the supply chain to infiltrate a victim.
Sinobi operators follow a standard attack chain that shares many of the same patterns observed in RansomHub, ALPHV/BlackCat and other groups since the leak of Conti ransomware.
Once inside the system, Sinobi immediately begins a hands-on-keyboard intrusion that makes use of both custom tooling and living-off-the-land (LotL) abuse. Threat actors begin privilege escalation and security evasion activities, including creating new administrator accounts, adjusting permissions, and disabling endpoint security tools. They also begin establishing persistence by configuring legitimate remote access tools.
Sinobi then drops a lightweight reconnaissance script that automates lateral movement and conducts additional security evasion tasks. The script is configured to enumerate domain information, locate file shares, identify privileged accounts, and check for endpoint security solutions that could disrupt the ransomware attack.
Data exfiltration begins once the attacker has completed reconnaissance and configured Rclone, WinSCP, or some other file transfer tool. The data is sent to cloud storage or another offsite location, and the ransomware binary is executed when this is complete.
There’s no single filename used for the ransomware binary, but it’s usually a generic or obfuscated name like “bin.exe.” This file deletes the Recycle Bin, encrypts the files, appends the .SINOBI extension, and drops the ransom note README.txt into every directory with encrypted files. It then changes the desktop wallpaper to an image that displays the text of the ransom note.
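The file-level behaviour in the paragraph above (the .SINOBI extension and a README.txt note in every directory holding encrypted files) gives an incident responder a quick way to scope which shares and directories were touched. The following is an added example written for this page, not Sinobi’s code and not a vendor tool: it walks a directory tree, counts .SINOBI files per directory, notes where README.txt is present, and separates the cases that need a second look (encryption without a note, or a README.txt with no encrypted neighbours, which is usually just an ordinary project README). The sample tree it builds is constructed for the demo.

```python
"""Added example: scope a Sinobi-style encryption event from file indicators.
Indicator values come from the report; the sample tree is constructed."""
import os
import tempfile

RANSOM_EXT = ".SINOBI"      # extension appended to encrypted files (from the report)
RANSOM_NOTE = "README.txt"  # ransom note filename (from the report)


def scan_for_sinobi_indicators(root):
    """Walk `root`; return {dir: {"encrypted": n, "note": bool}} for every
    directory with at least one indicator. Matching is case-insensitive
    because NTFS paths are."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sum(1 for f in files if f.upper().endswith(RANSOM_EXT))
        note = any(f.lower() == RANSOM_NOTE.lower() for f in files)
        if encrypted or note:
            hits[dirpath] = {"encrypted": encrypted, "note": note}
    return hits


def summarize(hits, root):
    """Roll per-directory hits into triage counts, with paths relative to root.
    'encrypted_without_note' and 'note_without_encryption' are the two cases
    that break the co-occurrence the report describes and deserve review."""
    rel = lambda d: os.path.relpath(d, root)
    return {
        "directories_affected": len(hits),
        "encrypted_files": sum(h["encrypted"] for h in hits.values()),
        "directories_with_note": sum(1 for h in hits.values() if h["note"]),
        "encrypted_without_note": sorted(rel(d) for d, h in hits.items()
                                         if h["encrypted"] and not h["note"]),
        "note_without_encryption": sorted(rel(d) for d, h in hits.items()
                                          if h["note"] and not h["encrypted"]),
    }


def build_sample_tree(root):
    """Construct a tree mimicking the post-encryption layout the report describes,
    plus an untouched directory and a benign README.txt (a normal project README)."""
    layout = {
        "finance": ["q3.xlsx.SINOBI", "budget.docx.SINOBI", "README.txt"],
        "hr": ["payroll.csv.sinobi", "README.txt"],   # lowercase extension variant
        os.path.join("it", "backups"): ["db.bak.SINOBI"],  # encrypted, no note dropped
        "src": ["main.py", "README.txt"],            # benign README only
        "untouched": ["notes.txt"],
    }
    for rel, files in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for f in files:
            with open(os.path.join(d, f), "w") as fh:
                fh.write("sample\n")


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_for_sinobi_indicators(tmp), tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run against a mounted share or a forensic image of a host rather than the live system where possible; the counts give the responder an immediate blast-radius figure, and the "encrypted without note" list is worth checking against the host's volume shadow and backup state before any restore decision.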
