Cybercriminals Use Stolen Third-Party SonicWall SSL VPN Credentials to Deploy Sinobi Ransomware
In 2025, ransomware known as Sinobi was used in attacks on several organizations. Initial access came through compromised credentials belonging to a third-party managed service provider.
The Sinobi ransomware appends the .SINOBI extension to encrypted files and drops ransom notes containing Tor-based contact channels and payment instructions. Its technical sophistication shows in its systematic approach to disabling security controls before encryption in order to maximize impact.
Upon gaining access, the threat actors first attempted to uninstall Carbon Black EDR using Revo Uninstaller and command-line operations; they succeeded only after discovering the deregistration codes stored on mapped network drives. This incident underscores how important it is not to store security tool deregistration codes in accessible network locations.
The malware generates a unique encryption key for each file using the Windows CryptGenRandom function and combines Curve-25519 Donna key exchange with AES-128-CTR file encryption. Data exfiltration is performed with RClone, a legitimate cloud transfer utility, to servers operated by Global Connectivity Solutions LLP.
The Sinobi Group, operating as a Ransomware-as-a-Service (RaaS) affiliate, entered corporate networks using the stolen SonicWall SSL VPN credentials. Once inside, the attackers established persistence by creating new administrator accounts and moved laterally across the compromised infrastructure.
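The three host-level behaviours described above (uninstaller tooling used against the EDR, RClone execution, and a freshly created account being added to Administrators) are the kind of signals a detection engineer would hunt for. The following is an added example, not code from eSentire or from the incident: a small detector run over constructed, Sysmon-like log lines in an assumed "timestamp host event key=value" format.

```python
import re

# Constructed sample log lines (illustrative only, not records from the incident).
# Assumed format: "<timestamp> <host> <event> key=value key="quoted value" ...".
SAMPLE_LOGS = """\
2025-03-01T02:11:04Z FS01 process_create user=svc_msp image=C:\\Tools\\Revo\\RevoUnPro.exe cmdline="RevoUnPro.exe /uninstall"
2025-03-01T02:13:40Z FS01 process_create user=svc_msp image=C:\\Windows\\System32\\msiexec.exe cmdline="msiexec.exe /x {PRODUCT-GUID} /qn"
2025-03-01T02:20:17Z FS01 user_account_created user=svc_msp target=backupadm
2025-03-01T02:20:19Z FS01 group_member_added user=svc_msp target=backupadm group=Administrators
2025-03-01T03:05:55Z FS01 process_create user=backupadm image=C:\\Temp\\rclone.exe cmdline="rclone.exe copy D:\\Finance remote:share --transfers 32"
2025-03-01T03:06:01Z FS01 process_create user=backupadm image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Third-party uninstaller binaries, MSI uninstall switch, or explicit /uninstall flags.
# "/x" on its own is noisy (legitimate uninstalls), so treat this as a hunting signal.
UNINSTALLER_RE = re.compile(r"revoun|/x\s|/uninstall", re.IGNORECASE)
# rclone regardless of the directory it was dropped into.
EXFIL_TOOL_RE = re.compile(r"(^|[\\/])rclone(\.exe)?$", re.IGNORECASE)

def parse_line(line):
    """Split one log line into its fixed fields plus key=value pairs."""
    ts, host, event, rest = line.split(" ", 3)
    fields = {"ts": ts, "host": host, "event": event}
    for key, val in TOKEN_RE.findall(rest):
        fields[key] = val.strip('"')
    return fields

def detect(log_text):
    """Return (timestamp, rule, user) alerts for the tradecraft seen in this intrusion."""
    alerts, created = [], set()   # 'created' tracks new accounts for the two-step admin rule
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev.get("user", "?")
        if ev["event"] == "process_create":
            if UNINSTALLER_RE.search(ev.get("cmdline", "")):
                alerts.append((ev["ts"], "uninstaller_activity", user))
            if EXFIL_TOOL_RE.search(ev.get("image", "")):
                alerts.append((ev["ts"], "rclone_execution", user))
        elif ev["event"] == "user_account_created":
            created.add(ev["target"])
        elif (ev["event"] == "group_member_added" and ev.get("group") == "Administrators"
              and ev["target"] in created):
            alerts.append((ev["ts"], "new_admin_account", user))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

In a real deployment the account-creation rule would correlate Windows Security events 4720 and 4732 over a time window rather than a single log file, and the uninstaller rule would be tuned against the organization's own software deployment baseline.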
eSentire analysts identified significant code overlaps between Sinobi and the previously known Lynx ransomware, suggesting a possible connection between the two.
The ransom notes demand that victims negotiate within seven days to prevent their data being published on dark web leak sites. Paying the ransom does not guarantee recovery of the data and may encourage further cybercrime.
This attack highlights the importance of strict privilege management for remote access accounts and of keeping security tool deregistration codes out of shared network locations. Organizations must remain vigilant and proactive in their cybersecurity measures to protect against such threats.