Sinobi Ransomware Hits 215 Victims in Six Months
Sinobi, a suspected Lynx/INC rebrand, has grown from 40 victims to 215 since September 2025. The RaaS operation targets US midmarket companies with hybrid Curve25519/AES encryption.
Sinobi ransomware has emerged as one of the most active ransomware operations of early 2026, growing from 40 victims in September 2025 to over 215 by January 2026. AttackIQ published research this week detailing the group's tactics, confirming technical and infrastructural overlaps that tie Sinobi to the Lynx and INC ransomware families.
The name—derived from "shinobi," Japanese for ninja—reflects the group's emphasis on stealth and controlled execution. Unlike noisy operations that spray attacks broadly, Sinobi appears to carefully select targets where downtime or data loss carries significant business consequences.
Relationship to Lynx and INC
Security researchers have identified strong evidence that Sinobi is a direct rebrand or successor of Lynx ransomware, which itself inherited code from the earlier INC ransomware family. This lineage matters because it means Sinobi operators likely have years of experience and established relationships with initial access brokers.
The rapid rebranding cycle we're seeing across ransomware operations—Qilin's recent German attack, Akira's continued evolution, and now Sinobi's rise—suggests operators are adapting quickly to law enforcement pressure by shedding brands while retaining technical capabilities.
Targeting Profile
Sinobi focuses on midsize organizations with annual revenues between $10 million and $50 million. The vast majority of known victims are in the United States, concentrated in sectors where operational downtime is particularly painful:
- Manufacturing
- Construction
- Healthcare
- Finance
- Education
This targeting isn't accidental. These sectors often have legacy systems, lower security maturity relative to enterprise organizations, and strong incentives to pay quickly to restore operations.
Technical Capabilities
The ransomware implements a hybrid cryptographic scheme:
- Curve25519 (via the curve25519-donna implementation) to protect the symmetric file keys. The encryptor carries only the operator's public key, so the keys it generates can be unwrapped only with the operator's private key, which never touches the victim network.
- AES-128 in CTR mode for fast, parallelizable bulk encryption of file contents.
The asymmetric layer means there is no decryption key to recover from the encryptor binary or its embedded configuration; the symmetric layer lets the encryptor get through large file volumes quickly, which matters to the operators because the window between first encryption and containment is short.
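To make the hybrid construction concrete, the following is an added illustration of the general pattern the article describes (example code written for this page, not Sinobi's, Lynx's or INC's own code). The blob layout, the SHA-256 key derivation, and the function names are assumptions for the example; the real sample's format and KDF are not known from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Blob layout used by this illustration (an assumption for the example, not
// Sinobi's real on-disk format):
//   [32-byte ephemeral X25519 public key][16-byte AES-CTR IV][ciphertext]
const (
	ephPubLen = 32
	ivLen     = aes.BlockSize
)

// deriveFileKey reduces the 32-byte X25519 shared secret to a 16-byte AES-128
// key. Plain SHA-256 truncation stands in for whatever KDF a real sample uses.
func deriveFileKey(shared []byte) []byte {
	sum := sha256.Sum256(shared)
	return sum[:16]
}

// encryptFile seals plaintext so that only the holder of the operator's X25519
// private key can recover it. The encryptor embeds just the public key, so
// nothing on the victim host ever holds the material needed to decrypt.
func encryptFile(operatorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	// Fresh ephemeral key per file: every file gets its own AES key, so the
	// CTR keystream never repeats across files even if an IV were reused.
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveFileKey(shared))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, ivLen)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)

	blob := make([]byte, 0, ephPubLen+ivLen+len(ct))
	blob = append(blob, eph.PublicKey().Bytes()...)
	blob = append(blob, iv...)
	return append(blob, ct...), nil
}

// decryptFile is what the operator-side decryptor does: recompute the shared
// secret from the stored ephemeral public key and the operator's private key,
// then regenerate the same CTR keystream.
func decryptFile(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < ephPubLen+ivLen {
		return nil, errors.New("blob too short to hold header")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:ephPubLen])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveFileKey(shared))
	if err != nil {
		return nil, err
	}
	iv := blob[ephPubLen : ephPubLen+ivLen]
	ct := blob[ephPubLen+ivLen:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	operator, err := ecdh.X25519().GenerateKey(rand.Reader) // stays with the operator
	if err != nil {
		panic(err)
	}
	plaintext := []byte("constructed sample: Q3 payroll export") // constructed input
	blob, err := encryptFile(operator.PublicKey(), plaintext)
	if err != nil {
		panic(err)
	}
	got, _ := decryptFile(operator, blob)
	fmt.Println("operator key recovers plaintext:", bytes.Equal(got, plaintext))

	// A defender holding only the victim binary (and so only the public key)
	// cannot perform this step; a wrong private key yields keystream garbage
	// with no error, because CTR mode carries no integrity check.
	other, _ := ecdh.X25519().GenerateKey(rand.Reader)
	wrong, _ := decryptFile(other, blob)
	fmt.Println("unrelated key recovers plaintext:", bytes.Equal(wrong, plaintext))
}
```

Two things the snippet shows that the prose alone does not: the victim side never sees anything but the operator's public key, so memory or disk forensics of the encryptor cannot yield a master key; and because CTR is a pure keystream mode, a brute-force or guessed key produces plausible-looking bytes rather than an error, which is why "try decrypting with a recovered key" is not a reliable recovery strategy without a known-plaintext check.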
Sinobi operates a closed, hybrid Ransomware-as-a-Service model. A core team manages the malware, infrastructure, and payment/negotiation systems while a small number of trusted affiliates carry out intrusions. This controlled approach limits exposure compared to open RaaS platforms where anyone can sign up.
Why the Growth Matters
Going from 40 to 215 victims in four months represents explosive growth. The group now ranks among the four most active ransomware operators alongside Lynx, Qilin, and Akira at the start of 2026.
Several factors likely contribute:
- Experienced operators whose tooling and TTPs were refined over the earlier INC and Lynx operations
- A midmarket focus, where security staffing and monitoring coverage are stretched thin
- Double extortion as the baseline, now expected of every serious ransomware operation
- Credential-based intrusion chains that draw on the flood of infostealer logs sold on dark web markets
For organizations in Sinobi's target profile, the defensive priorities remain consistent: patch internet-exposed services, enforce MFA on every remote-access and privileged path, monitor for lateral movement, and maintain tested backups that an intruder with domain credentials cannot reach. Our ransomware guide covers the fundamentals.
What Defenders Should Know
AttackIQ released an attack graph modeling Sinobi's known behaviors that can be used for detection engineering and red team exercises. Organizations in targeted sectors should specifically watch for:
- Credential dumping consistent with Lynx/INC techniques
- Encryptor activity on Linux and ESXi hosts as well as Windows endpoints (both Lynx and INC shipped encryptors for each)
- Bulk data staging and outbound transfer before encryption begins (the exfiltration half of double extortion)
- Communication with infrastructure historically associated with Lynx operations
The Lynx-to-Sinobi rebrand is a reminder that taking down a ransomware brand doesn't eliminate the people behind it. The operators simply spin up new infrastructure and continue under a different name, often within weeks.