Ransomware Group: SINOBI

VICTIM NAME: Naftali Group

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SINOBI Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On September 28, 2025, the Naftali Group—a United States-based private real estate development and investment firm headquartered in New York City and active in the construction sector—appears as the victim listed on a ransomware leak page attributed to the Sinobi group. The post frames the incident as a data-leak/exfiltration event rather than a conventional encryption attack and claims that sensitive corporate information was stolen from Naftali Group’s networks. It specifies data categories including financial data, contracts, and HR records and asserts that roughly 118 GB of data were exfiltrated. The page includes four screenshots of internal documents intended to corroborate the claim and indicates the presence of a ransom/claim URL for negotiations, though no explicit ransom amount is disclosed in the provided data.

In the leak page’s body excerpt, Naftali Group’s profile is presented to underscore the victim’s market footprint: the page describes a portfolio of more than 30 projects valued at over $9 billion. Four image attachments are shown as evidence of the leaked data, though the exact contents of the images are not described in this summary. The page also highlights the data categories (financial data, contracts, HR) and reiterates the claimed exfiltration size of 118 GB. A ransom/claim URL is advertised, but the dataset does not reveal a specific ransom amount. The post appears to follow a standard ransomware leak format, with evidence linked to onion-hosted image downloads and a posted date aligned with 28/09/2025, reinforcing the impression of a data-leak scenario rather than encrypted assets.