Threat Intelligence Report August 12 - August 18 2025

SINOBI Ransomware

SINOBI is a mid-2025 extortion outfit that operates primarily as a data-broker (steal-and-leak), while some reports also note an encrypting variant that drops a README.txt ransom note and may append .SINOBI to files. The crew runs multiple Tor leak and chat portals and occasionally uses clearnet “mirror” sites for victim onboarding, but their core infrastructure is Tor-only, so reliable public C2 IPs are uncommon. Targeting appears broad across sectors, with initial access likely via stolen credentials or phishing, followed by bulk collection, archiving, and exfiltration to their services before public shaming on the leak site. Detection tends to focus on .onion portal access, ransom-note artefacts, and unusual archiving/egress activity rather than fixed IPs.

Detailed TTPs & ATT&CK mappings

Initial Access

• Valid Accounts (T1078) – Assessed: Data-broker operations frequently originate from stolen credentials or IAB hand-offs; several affected org types (insurance, construction, education) match typical cred-abuse targeting
• Phishing (T1566) – Assessed: Common precursor to mailbox or VPN compromise; no SINOBI-specific phishing kit is public yet.

Discovery / Collection

• Email Collection (T1114) – Assessed: Victim sectors and extortion narratives suggest mailbox and file-share scraping pre-leak.
• Archive Collected Data (T1560.001) – Bundling data before transfer and proof-packs is standard; ransom notes reference negotiation portals post-collection.

Exfiltration

• Exfiltration Over Web Service (T1567) – Use of Tor file servers/DLS and occasional third-party shares during negotiations (pattern seen across brokers).
• Exfiltration Over C2 Channel (T1041) – Transfer to SINOBI-controlled .onion endpoints observed (DLS and possible file areas).

Command-and-Control / Comms

• Proxy/Anonymity Networks: Tor (T1090.003) – All public infra (DLS, login/chat) is Tor-only; no validated clearnet C2 IPs during the window.

Impact / Extortion

• Data Exposure & Coercion (TA0040 / T1657) – Primary effect is publication pressure via DLS; WatchGuard lists Direct/Double/Free leak modalities. Confidence: High. WatchGuard
• File Encryption (T1486) – Contested: Some reports on a malware called “Sinobi” show encryption (.SINOBI, README.txt) and Tor-chat negotiation; not consistently evidenced across Aug 11–17 postings.

MITRE ATT&CK matrix

IOCs

Leak/DLS onions (7)

sinobi6ftrg27d6g4sjdt65malds6cfptlnjyw52rskakqjda6uvb7yd.onion,
sinobi6rlec6f2bgn6rd72xo7hvds4a5ajiu2if4oub2sut7fg3gomqd.onion,
sinobi6ywgmmvg2gj2yygkb2hxbimaxpqkyk27wti5zjwhfcldhackid.onion,
sinobi7l3wet3uqn4cagjiessuomv75aw3bvgah4jpj43od7xndb7kad.onion,
sinobi7sukclb3ygtorysbtrodgdbnrmgbhov45rwzipubbzhiu5jvqd.onion,
sinobi23i75c3znmqqxxyuzqvhxnjsar7actgvc4nqeuhgcn5yvz3zqd.onion,
sinobia6mw6ht2wcdjphessyzpy7ph2y4dyqbd74bgobgju4ybytmkqd.onion.

Chat/negotiation onions (7)

sinobi7yuoppj76qnkwiobwfc2qve2xkv2ckvzyyjblwd7ucpptl62ad.onion/login,
sinobi57mfegeov2naiufkidlkpze263jtbldokimfjqmk2mye6s4yqd.onion/login,
sinobibdvzohujkliofkxiz3ueyedfh6bed2lzjz2z6pafw5jeoptsid.onion/login,
sinobibjqytwqxjw24zuerqcjyd3hoow6zia7z6kzvwawivamu7nqayd.onion/login,
sinobicrh73ongfuxjajmlyyhalvkhlcgttxkxaxz3gvsgdcgf76uiqd.onion/login,
sinobidxodgt4jsr3tlmf2rr4okjvvwfp5gh3lrqxnowomcx62ssrhqd.onion/login,
sinobiea4snfqtkc43paumapo4oi7vxcy5vjzfoalunsnvzehozfhpyd.onion/login

Clearnet mirrors:

blog.sinobi.us.org,
chat.sinobi.us.org,
cdn.sinobi.us.org.

Mitigation with CE 5.0

Email & Identity

• Enforce MFA on VPN/O365/SSO; monitor for unusual OAuth grants and inbox rule creation (T1078/T1114).
• Phishing controls & sandboxing for archive-type attachments; auto-quarantine suspicious ZIP/ISO/TAR.

Endpoint / EDR

• HIPS rules for mass archiving and Tor client execution; detect large file reads from shares followed by compression (T1560/T1567).
• If encryption behaviour is suspected at a site, enable canaries and file-rename heuristics (*.SINOBI).

Network / Proxy / DNS

• Block/alert on .onion in SNI/Host/URI and common tor2web domains (T1090.003, T1567).
• Restrict outbound to approved destinations; instrument UEBA for abnormally large egress.

Backups & DR

• Maintain immutable/offline backups; quarterly restore tests for high-value datasets.

Ransomware Victims Worldwide

The United States continues to dominate as the most heavily impacted country, reporting 56.48% of all global ransomware victims this week. This figure reaffirms its position as the top target for ransomware operators, largely due to its expansive digital infrastructure, higher ransom payment capabilities, and the large number of enterprises across critical industries.

Germany follows with 6.48%, reflecting its strong industrial and manufacturing base, which remains attractive to cybercriminals. The United Kingdom and Australia each account for 5.56%, underscoring their recurring exposure to ransomware incidents targeting sectors like finance, healthcare, and education.

Canada contributes 1.85% of total victims, similar to Poland’s 1.85%, indicating steady but moderate targeting. France and South Korea both stand at 2.78%, pointing to the continued pressure on European and Asian economies. Italy also registered 2.78%, reflecting ongoing attacks against its growing digital ecosystem.

Other notable entries include Turkey, The Netherlands, Brazil, Thailand, Belgium, Israel, and several smaller economies such as Luxembourg, Algeria, Morocco, and the United Arab Emirates, each reporting 0.93% of global cases. While individually minor, these incidents highlight the wide geographic spread of ransomware campaigns.

Overall, ransomware activity remains highly concentrated in Western economies but demonstrates persistent global reach, with incidents affecting North America, Europe, Asia, the Middle East, and Africa alike.