[SINOBI] – Ransomware Victim: ECM Consultants


Ransomware Group: SINOBI

VICTIM NAME: ECM Consultants

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SINOBI Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

ECM Consultants, a U.S.-based engineering, architectural, and construction management firm described as serving nationwide, is identified as the victim on a ransomware leak page. The post date is 13 August 2025. The leak page presents the incident as an encrypted event and signals a full data leak, which aligns with the double-extortion pattern commonly used by ransomware operators. A ransom figure is implied on the page, with a claimed demand of approximately $17.4 million USD tied to the encryption claim. The post carries a “Full data leak” title and is labeled as Confidential, indicating the attackers’ intention to publicly disclose the compromised data unless the victim pays. The description and context on the page emphasize data loss and encryption rather than a simple external breach, consistent with a data-leak scenario.

The leak page notes five image attachments, which appear to be screenshots of internal documents. These images are linked via Tor onion addresses, and the page does not provide a standard downloadable archive on-site. In addition to the image content, the page includes a claim URL reference, suggesting there is a mechanism for readers to engage with or verify the attackers’ claim. Personal or address-level identifiers are not disclosed in this summary to protect privacy. The page content is presented in English and centers on the label “Full data leak” with a Confidential classification, underscoring the attackers’ intent to disclose data publicly and pressure the victim to meet the ransom demand. Overall, the post signals encryption and data leakage as part of a broader extortion campaign against ECM Consultants.

