A sophisticated ransomware attack has emerged targeting organizations through compromised third-party managed service provider (MSP) credentials, showcasing the evolving tactics of cybercriminals in 2025.
The Sinobi Group, operating as a Ransomware-as-a-Service (RaaS) affiliate, successfully infiltrated corporate networks by exploiting SonicWall SSL VPN credentials mapped to over-privileged Active Directory accounts with domain administrator rights.
The attack campaign demonstrates a concerning trend where threat actors leverage trusted third-party relationships to gain initial network access, bypassing traditional perimeter defenses.
Once inside the network, the attackers established persistence by creating new administrator accounts and executing lateral movement across the compromised infrastructure, ultimately deploying the Sinobi ransomware payload across local and shared network drives.
eSentire analysts identified significant code overlaps between Sinobi and the previously known Lynx ransomware, suggesting that Sinobi represents a rebrand of the Lynx RaaS operation that first emerged in 2024.
The security researchers noted with medium confidence that the Lynx group likely purchased the INC Ransomware source code from a user named “salfetka” through underground hacking forums, indicating the commercialization of ransomware development tools.
The malware’s technical sophistication becomes apparent through its systematic approach to disabling security controls and maximizing encryption impact.
Upon gaining access, the threat actors attempted to uninstall Carbon Black EDR using both Revo Uninstaller and command-line operations, eventually succeeding after discovering deregistration codes stored on mapped network drives.
Advanced Encryption and Data Exfiltration Mechanisms
The Sinobi ransomware uses a hybrid cryptographic scheme, Curve25519 (via the curve25519-donna implementation) combined with AES-128-CTR, so that files cannot be recovered without the attacker's private key.
The malware generates a unique encryption key for each file with the CryptGenRandom function, so keys are neither predictable nor reused across files and offer no shortcut to decryption.
Before encrypting, the ransomware prepares the target environment by deleting volume shadow copies through a less common technique: calling DeviceIoControl with the IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE control code.
To neutralise the Carbon Black sensor service, the attackers ran the following command sequence (the backslashes in the path were lost in extraction and are restored here):

```
sc config cbdefense start= disabled
cmd /c sc config cbdefense binpath= "C:\programdata\bin.exe" & shutdown /r /t 0
```
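As an added example (not code from the eSentire report or this article), the following Python flags that service-tampering pattern in process-creation telemetry: an `sc config` against a watched EDR service that disables it or swaps its binary path, optionally chained with a forced reboot. The sample events, host names and the `WATCHED_SERVICES` list are constructed for illustration.

```python
import re
from typing import Dict, List

# Service names whose reconfiguration should alert. "cbdefense" (Carbon Black) is the
# service named in the Sinobi report; extend with your own EDR/AV service names.
WATCHED_SERVICES = {"cbdefense"}

SC_CONFIG = re.compile(r"\bsc(?:\.exe)?\s+config\s+(?P<svc>\S+)\s+(?P<args>.*)", re.I)
START_DISABLED = re.compile(r"\bstart=\s*disabled\b", re.I)
BINPATH = re.compile(r'\bbinpath=\s*"?(?P<path>[^"&]+)', re.I)
REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.I)

def split_chain(cmdline: str) -> List[str]:
    """Strip a leading 'cmd /c' and split an '&' / '&&' chain into single commands."""
    body = re.sub(r"^\s*cmd(?:\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    return [p.strip() for p in re.split(r"\s*&&?\s*", body) if p.strip()]

def analyse(cmdline: str) -> List[Dict[str, str]]:
    """Return findings for one process command line (empty list if nothing suspicious)."""
    findings: List[Dict[str, str]] = []
    for cmd in split_chain(cmdline):
        m = SC_CONFIG.search(cmd)
        if m and m.group("svc").lower() in WATCHED_SERVICES:
            svc, args = m.group("svc").lower(), m.group("args")
            if START_DISABLED.search(args):
                findings.append({"rule": "edr_service_disabled", "service": svc})
            bp = BINPATH.search(args)
            if bp:  # a binpath= swap only takes effect on the next service start
                findings.append({"rule": "edr_binpath_hijack", "service": svc,
                                 "path": bp.group("path").strip()})
        if REBOOT.search(cmd):  # reboot right after reconfiguring a service is the tell
            findings.append({"rule": "forced_reboot"})
    return findings

# Constructed sample process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", "sc config spooler start= disabled"),                       # routine admin work
    ("fs02", "sc config cbdefense start= disabled"),                     # report, step 1
    ("fs02", r'cmd /c sc config cbdefense binpath= "C:\programdata\bin.exe" & shutdown /r /t 0'),
    ("ws01", "sc query cbdefense"),                                      # read-only, benign
]

def scan(events) -> Dict[str, List[Dict[str, str]]]:
    """Group findings by host so a disable-hijack-reboot sequence on one machine stands out."""
    hits: Dict[str, List[Dict[str, str]]] = {}
    for host, cmdline in events:
        for f in analyse(cmdline):
            hits.setdefault(host, []).append(f)
    return hits
```

Running `scan(SAMPLE_EVENTS)` reports only `fs02`, with the disable, the binary-path swap and the reboot as three separate findings on that host.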
Data exfiltration occurs through RClone, a legitimate cloud transfer utility, directing stolen information to servers operated by Global Connectivity Solutions LLP, a hosting provider frequently observed in cyberattacks.
The ransomware creates encrypted files with the .SINOBI extension and deploys README.txt ransom notes containing Tor-based communication channels and payment instructions, demanding victims negotiate within seven days to prevent data publication on dark web leak sites.
The attack underscores the critical importance of implementing strict privilege management for remote access accounts and avoiding storage of security tool deregistration codes in accessible network locations.