Sinobi Ransomware Strikes US Manufacturer and Indian Tech Firm

'Sinobi' Ransomware Group Claims Attacks on US Manufacturer Croft and Indian Tech Company CHANGEPOND

HIGH
November 20, 2025
4m read
Ransomware, Threat Actor, Cyberattack

Impact Scope

Affected Companies

Croft, CHANGEPOND

Industries Affected

Manufacturing, Technology

Geographic Impact

United States, India (global)

Related Entities

Threat Actors

sinobi

Other

sinobi ransomware, Croft, CHANGEPOND

Full Report

Executive Summary

A ransomware group identifying itself as 'sinobi' has conducted two separate, successful cyberattacks against Croft, a U.S. manufacturer, and CHANGEPOND, an Indian technology firm. Both incidents were discovered on November 19, 2025, indicating a coordinated campaign by the threat actor. While technical details of the attacks, including the initial access vector and specific ransom demands, have not been disclosed, the incidents demonstrate the group's ability to target disparate industries across different continents. This activity serves as a critical reminder for organizations of all sizes and sectors to maintain a vigilant security posture against the pervasive threat of ransomware.


Threat Overview

  • Threat Actor: sinobi (a newly reported ransomware group)
  • Victims:
    • CHANGEPOND: An enterprise software and digital solutions company based in Chennai, India.
    • Croft: A manufacturer of vinyl and aluminum windows and doors based in the United States.
  • Timeline: Both attacks were discovered on November 19, 2025, in the evening hours.
  • Attack Type: Ransomware. It is highly probable that this was a double-extortion attack involving both data encryption and data exfiltration, though this is not explicitly confirmed in the source material.

Technical Analysis

The source articles do not provide specific technical details or Indicators of Compromise (IOCs). However, based on typical ransomware attack patterns, the sinobi group likely employed a multi-stage attack chain.

Probable MITRE ATT&CK TTPs:

Impact Assessment

  • CHANGEPOND (Technology Sector): An attack on a software company could lead to the theft of source code, customer data, and other intellectual property. This could disrupt their service delivery and damage their reputation as a trusted technology partner.
  • Croft (Manufacturing Sector): A ransomware attack in a manufacturing environment can halt production lines, disrupt supply chains, and delay customer orders, leading to significant financial losses. The theft of sensitive business data, such as designs, pricing, and customer lists, poses a long-term competitive risk.

For both companies, the attack likely resulted in significant business disruption, financial costs associated with recovery and remediation, and potential regulatory fines if sensitive personal data was compromised.

IOCs

No specific Indicators of Compromise (IOCs) were provided in the source articles.

Detection & Response

  • Monitor for Phishing: Since phishing is a primary vector, security teams should use email security gateways to filter malicious emails and monitor for users clicking on suspicious links or downloading untrusted attachments. This relates to D3FEND's URL Analysis (D3-UA).
  • Network Segmentation: Monitor for unusual traffic patterns between network segments. A workstation should not be communicating with a server using RDP unless explicitly authorized. This is a key part of Network Traffic Analysis (D3-NTA).
  • Endpoint Monitoring: Deploy EDR solutions to detect common ransomware behaviors, such as rapid file modification/encryption, deletion of volume shadow copies (vssadmin.exe delete shadows), and disabling of security tools.
  • Active Directory Monitoring: Monitor for signs of credential abuse, such as Kerberoasting attacks (Event ID 4769 with unusual service names) or DCSync attacks.
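The endpoint and Active Directory checks above can be expressed as simple detection logic. The following is an added example, not code from the original report: it scans constructed Windows Security log records (4688 process creation and 4769 service ticket requests; the field names follow the Windows log schema, the values are made up) for shadow copy deletion and for a Kerberoasting pattern, meaning one account requesting RC4 (0x17) tickets for several distinct non-computer service accounts.

```python
import re
from collections import defaultdict

# Constructed sample events for illustration; not from any real incident.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Account": "CORP\\jdoe",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 4688, "Account": "CORP\\jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4769, "Account": "svc_backup@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Account": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Account": "jdoe@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Account": "jdoe@CORP.LOCAL", "ServiceName": "svc_exchange",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Account": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12"},
]

# Matches "vssadmin delete shadows" regardless of case or extra switches.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def find_shadow_copy_deletion(events):
    """Return the accounts whose 4688 command lines delete volume shadow copies."""
    return [e["Account"] for e in events
            if e["EventID"] == 4688 and SHADOW_DELETE.search(e.get("CommandLine", ""))]


def find_kerberoasting(events, threshold=3):
    """Flag accounts that request RC4 (0x17) service tickets for at least
    `threshold` distinct non-computer service accounts. Machine accounts
    (names ending in '$') and krbtgt are excluded as normal Kerberos traffic."""
    per_account = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e.get("TicketEncryptionType") != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[e["Account"]].add(svc)
    return {acct: sorted(s) for acct, s in per_account.items() if len(s) >= threshold}


if __name__ == "__main__":
    print("shadow copy deletion by:", find_shadow_copy_deletion(SAMPLE_EVENTS))
    print("possible Kerberoasting:", find_kerberoasting(SAMPLE_EVENTS))
```

In a SIEM the same logic maps to a regex match on the 4688 command line and a distinct-count aggregation over 4769 ServiceName per requesting account within a short time window.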

Mitigation

  • Security Awareness Training: Implement ongoing user training (M1017 - User Training) to help employees recognize and report phishing attempts.
  • Backup and Recovery: Maintain regular, offline, and immutable backups of critical data. Test recovery procedures frequently to ensure they are effective in a real incident.
  • Patch Management: Aggressively patch internet-facing systems and critical software to close vulnerabilities that ransomware groups exploit for initial access (M1051 - Update Software).
  • Network Segmentation: Implement network segmentation (M1030 - Network Segmentation) to limit the blast radius of a ransomware attack and prevent lateral movement.

Timeline of Events

  • November 19, 2025: Initial intrusion at Croft is believed to have occurred.
  • November 19, 2025: Data breach at CHANGEPOND was discovered.
  • November 19, 2025: Data breach at Croft was discovered.
  • November 20, 2025: This article was published.

MITRE ATT&CK Mitigations

Maintaining and testing offline/immutable backups is the most critical defense for recovering from a ransomware attack.

Training users to identify and report phishing attempts can prevent the initial intrusion.

Segmenting the network can contain a ransomware infection and prevent it from spreading to critical assets.

Enforcing MFA on all remote access services (VPN, RDP) and critical accounts makes it harder for attackers to use stolen credentials.

Sources & References

  • Ransomware Group sinobi Hits: CHANGEPOND. HookPhish (hookphish.com), November 19, 2025.
  • Ransomware Group sinobi Hits: Croft. HookPhish (hookphish.com), November 19, 2025.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Ransomware, sinobi, Data Breach, Manufacturing, Technology
