SOC Prime Bias: Critical

24 Jun 2026 06:53 UTC

How Sinobi Ransomware Encrypts Files and Destroys Backups

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Sinobi is a ransomware-as-a-service strain, likely a rebranded version of Lynx ransomware, first observed in July 2025. It uses Curve25519 together with AES-128-CTR for file encryption and applies advanced backup destruction techniques, including abuse of DeviceIoControl to remove Volume Shadow Copies. The malware also empties the Recycle Bin and leverages the Restart Manager API to close processes that keep target files open.

Investigation

The investigation described an intrusion in which an affiliate used stolen credentials from a third-party managed service provider to access a SonicWall SSL VPN. After gaining entry, the attacker escalated privileges by creating a local and domain administrator account named Assistance. The operator then disabled security services by changing binary paths and used RClone to exfiltrate data before launching encryption.

Mitigation

Defenders should secure VPN infrastructure with multi-factor authentication and closely review third-party MSP access. Organizations should also monitor for unauthorized creation of administrative accounts and suspicious service configuration changes, especially altered binary paths. Protecting Volume Shadow Copies and detecting misuse of the Restart Manager API can also help interrupt the ransomware chain.

Response

If Sinobi activity is detected, responders should immediately isolate compromised accounts, especially privileged accounts such as Assistance. Unauthorized RClone processes should be terminated, and all service changes in the Windows Service Control Manager should be investigated. Offline backups should be verified and prepared for recovery, since Sinobi is designed to destroy online shadow copies and Recycle Bin contents.
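The account, service-path and exfiltration indicators named under Mitigation and Response can be pulled together in a small triage script. The following is an added example, not SOC Prime's detection content or anything from the original page: the telemetry records are constructed samples loosely modelled on Windows Security events 4720/4728/4732/4688 and Sysmon registry-value-set events (ID 13), and the field names, the service name `ExampleEdrService`, the user names and the trusted directory list are all assumptions.

```python
"""Triage helper for the Sinobi intrusion chain described above.

Added example (not SOC Prime's rule logic). EVENTS is constructed sample
telemetry loosely modelled on Windows Security events 4720/4728/4732/4688
and Sysmon registry-value-set events (ID 13); field names are assumptions.
"""
from collections import defaultdict

ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Directories a legitimate service binary is expected to live under (assumption).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry. "ExampleEdrService" stands in for the
# Carbon Black service named on the page; hosts, users and paths are made up.
EVENTS = [
    {"id": 4720, "host": "dc01", "subject": "msp_support", "target_user": "Assistance"},
    {"id": 4728, "host": "dc01", "subject": "msp_support", "target_user": "Assistance",
     "group": "Domain Admins"},
    {"id": 4732, "host": "fs01", "subject": "msp_support", "target_user": "Assistance",
     "group": "Administrators"},
    {"id": 13, "host": "fs01", "subject": "Assistance",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleEdrService\ImagePath",
     "details": r"C:\Users\Public\update.exe"},
    {"id": 13, "host": "fs01", "subject": "SYSTEM",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "details": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 4688, "host": "fs01", "subject": "Assistance",
     "process": r"C:\Users\Public\rclone.exe",
     "command_line": r"rclone.exe sync D:\Shares\Finance remote:staging"},
    {"id": 4688, "host": "fs01", "subject": "jdoe",
     "process": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": "7z.exe a backup.7z docs"},
]


def new_admin_accounts(events):
    """Accounts that were created and then placed in an admin group (the 'Assistance' pattern)."""
    created = {e["target_user"] for e in events if e["id"] == 4720}
    return sorted({e["target_user"] for e in events
                   if e["id"] in (4728, 4732)
                   and e["target_user"] in created
                   and e.get("group") in ADMIN_GROUPS})


def suspicious_service_paths(events):
    """ImagePath writes that point a service at a binary outside the trusted directories."""
    hits = []
    for e in events:
        if e["id"] != 13 or not e["target_object"].lower().endswith("\\imagepath"):
            continue
        if not e["details"].lower().startswith(TRUSTED_SERVICE_DIRS):
            service = e["target_object"].split("\\")[-2]
            hits.append((e["host"], e["subject"], service, e["details"]))
    return hits


def rclone_executions(events):
    """Process creations of rclone.exe, whatever directory it was launched from."""
    return [(e["host"], e["subject"], e["command_line"]) for e in events
            if e["id"] == 4688 and e["process"].lower().endswith("\\rclone.exe")]


def triage(events):
    """Group findings by account so responders know which principal to isolate first."""
    findings = defaultdict(list)
    for user in new_admin_accounts(events):
        findings[user].append("account created and promoted to an admin group")
    for host, subject, service, path in suspicious_service_paths(events):
        findings[subject].append(f"service {service} on {host} repointed to {path}")
    for host, subject, cmd in rclone_executions(events):
        findings[subject].append(f"rclone run on {host}: {cmd}")
    return dict(findings)


if __name__ == "__main__":
    for account, items in triage(EVENTS).items():
        print(f"[!] {account}")
        for item in items:
            print(f"    - {item}")
```

Keying the findings on the account rather than the host matters here: in the intrusion described above the created account is the thread that ties the service tampering and the RClone run together, and it is the principal the Response section says to isolate first. The Spooler record is included so the path check is seen to pass legitimate ImagePath values.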

Attack Flow

    graph TB
      %% Class Definitions Section
      classDef initial_access fill:#f96,stroke:#333,stroke-width:2px
      classDef escalation fill:#f9f,stroke:#333,stroke-width:2px
      classDef persistence fill:#bbf,stroke:#333,stroke-width:2px
      classDef defense_impairment fill:#dfd,stroke:#333,stroke-width:2px
      classDef collection fill:#ffd,stroke:#333,stroke-width:2px
      classDef impact fill:#f66,stroke:#333,stroke-width:2px

      %% Initial Access Section
      action_initial_access["<b>Action</b> – <b>T1078 Valid Accounts</b><br/>Attacker uses stolen credentials from a third-party MSP<br/>to authenticate via SonicWall SSL VPN appliance."]
      class action_initial_access initial_access

      %% Privilege Escalation and Persistence Section
      action_priv_esc["<b>Action</b> – <b>T1098.007 Account Manipulation: Additional Local or Domain Groups</b><br/>Creation of secondary administrative account named Assistance<br/>and promotion to local and domain administrator groups."]
      class action_priv_esc escalation
      action_persistence_power["<b>Action</b> – <b>T1653 Power Settings</b><br/>Rewriting Carbon Black security service binary path<br/>to point to ransomware payload and forcing reboot."]
      class action_persistence_power persistence

      %% Defense Impairment Section
      action_def_impair_tool["<b>Action</b> – <b>T1685 Disable or Modify Tools</b><br/>Targeting and disabling security processes."]
      class action_def_impair_tool defense_impairment
      action_def_impair_svc["<b>Action</b> – <b>T1489 Service Stop</b><br/>Stopping SQL and Veeam services to unlock files for encryption."]
      class action_def_impair_svc defense_impairment

      %% Collection Section
      action_collection_rclone["<b>Action</b> – <b>T1560.001 Archive Collected Data: Archive via Utility</b><br/>Using rclone.exe to sync business-relevant data<br/>to a remote destination."]
      class action_collection_rclone collection

      %% Impact Section
      action_inhibit_recovery["<b>Action</b> – <b>T1490 Inhibit System Recovery</b><br/>Destruction of Volume Shadow Copies via DeviceIoControl<br/>and emptying the Recycle Bin via SHEmptyRecycleBinA."]
      class action_inhibit_recovery impact
      action_encryption["<b>Action</b> – <b>T1486 Data Encrypted for Impact</b><br/>Encryption using Curve-25519 and AES-128-CTR.<br/>Files appended with .SINOBI extension.<br/>Ransom note README.txt dropped."]
      class action_encryption impact

      %% Connections
      action_initial_access -->|leads_to| action_priv_esc
      action_priv_esc -->|leads_to| action_persistence_power
      action_persistence_power -->|enables| action_def_impair_tool
      action_persistence_power -->|enables| action_def_impair_svc
      action_def_impair_tool -->|precedes| action_collection_rclone
      action_def_impair_svc -->|precedes| action_collection_rclone
      action_collection_rclone -->|leads_to| action_inhibit_recovery
      action_inhibit_recovery -->|leads_to| action_encryption

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary has gained initial access and is now executing the ransomware payload. To maximize impact and demand, the adversary’s goal is to encrypt user documents and leave instructions. The script will simulate this by: 1) Creating a dummy document, 2) “Encrypting” it by renaming it to document.pdf.SINOBI, 3) Writing a ransom note named README.txt, and 4) Writing a file containing the specific metadata curve25519_pubkey to simulate the ransomware’s encryption footer.

  • Regression Test Script:

    # Sinobi Ransomware Simulation Script
    # Creates benign stand-in artifacts (renamed file, ransom note, metadata file)
    # that mimic the ransomware footprint; no real encryption takes place.
    $targetDir = "$env:USERPROFILE\Desktop\Sinobi_Sim"
    if (!(Test-Path $targetDir)) { New-Item -Path $targetDir -ItemType Directory | Out-Null }

    Write-Host "[+] Simulating file encryption..."
    $originalFile = "$targetDir\important_data.pdf"
    "Sensitive Data Content" | Out-File -FilePath $originalFile

    # Trigger selection_ext and selection_ransom
    Rename-Item -Path $originalFile -NewName "important_data.pdf.SINOBI"
    "YOUR FILES ARE ENCRYPTED! PAY BITCOIN TO..." | Out-File -FilePath "$targetDir\README.txt"

    Write-Host "[+] Simulating encryption metadata (selection_footer)..."
    # Trigger selection_footer
    $metadataFile = "$targetDir\metadata.dat"
    "Encryption_mode: AES256; curve25519_pubkey: 0xABC123" | Out-File -FilePath $metadataFile

    Write-Host "[!] Simulation Complete. Check SIEM for alerts."

  • Cleanup Commands:

    Remove-Item -Path "$env:USERPROFILE\Desktop\Sinobi_Sim" -Recurse -Force
    Write-Host "[+] Cleanup complete."
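To see what the three selections named in the script's comments would have to match on, here is an added example that recreates the simulation's artifacts in a temporary directory and checks them. It is not part of the original page and not SOC Prime's rule: what `selection_ext`, `selection_ransom` and `selection_footer` check, and the alert condition combining them, are assumptions drawn from the selection names. It also covers one edge case the script itself hides: Windows PowerShell 5.1's `Out-File` writes UTF-16LE by default (PowerShell 7 writes UTF-8), so a byte-level search for `curve25519_pubkey` must try both encodings.

```python
"""Check a directory for the artifacts the simulation script above leaves behind.

Added example, not part of the page or SOC Prime's rule. What each selection
matches on, and the alert condition, are assumptions derived from the selection
names used in the script's comments.
"""
import tempfile
from pathlib import Path

FOOTER_MARKER = "curve25519_pubkey"
# Windows PowerShell 5.1's Out-File writes UTF-16LE by default, PowerShell 7 writes
# UTF-8, so the marker is searched for in both encodings.
FOOTER_BYTES = (FOOTER_MARKER.encode("utf-8"), FOOTER_MARKER.encode("utf-16-le"))


def selection_ext(paths):
    """Files carrying the .SINOBI extension the page describes."""
    return [p for p in paths if p.suffix.upper() == ".SINOBI"]


def selection_ransom(paths):
    """Ransom note named README.txt."""
    return [p for p in paths if p.name.lower() == "readme.txt"]


def selection_footer(paths, limit=1 << 20):
    """Files whose first `limit` bytes contain the curve25519_pubkey marker."""
    hits = []
    for p in paths:
        try:
            data = p.read_bytes()[:limit]
        except OSError:
            continue
        if any(m in data for m in FOOTER_BYTES):
            hits.append(p)
    return hits


def evaluate(directory):
    """Run all three selections over a directory tree and combine them."""
    paths = [p for p in Path(directory).rglob("*") if p.is_file()]
    ext, ransom, footer = selection_ext(paths), selection_ransom(paths), selection_footer(paths)
    return {
        "selection_ext": len(ext),
        "selection_ransom": len(ransom),
        "selection_footer": len(footer),
        # Assumed alert condition: encrypted-extension files plus at least one supporting artifact.
        "alert": bool(ext) and bool(ransom or footer),
    }


def build_simulation(directory, utf16=True):
    """Recreate the artifacts the PowerShell script writes (constructed content)."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    enc = "utf-16-le" if utf16 else "utf-8"
    (d / "important_data.pdf.SINOBI").write_bytes("Sensitive Data Content\r\n".encode(enc))
    (d / "README.txt").write_bytes("YOUR FILES ARE ENCRYPTED! PAY BITCOIN TO...\r\n".encode(enc))
    (d / "metadata.dat").write_bytes(
        "Encryption_mode: AES256; curve25519_pubkey: 0xABC123\r\n".encode(enc))


def demo(utf16=True):
    """Build the simulation in a temporary directory, evaluate it and clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        build_simulation(tmp, utf16=utf16)
        return evaluate(tmp)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns one hit per selection and `alert: True` for both encodings; a content-based selection that only searched for the UTF-8 bytes would silently miss the metadata file written by Windows PowerShell 5.1, which is exactly the kind of gap a regression test like the one above is meant to surface.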