VIBE-CODED 'Sicarii' ransomware, which entered the scene last year, is described by researchers as having poorly designed code and a possible false-flag identity centred on Hebrew branding. According to Halcyon, Sicarii appeared as a ransomware-as-a-service offering last month, with operators advertising it on underground cybercrime forums.
Halcyon notes that during execution the malware generates a fresh RSA key pair on the victim machine and then discards the private key. The per-victim encryption is therefore never wrapped to a master key the operators hold, so nobody, including the attackers, retains the material needed to decrypt, and any decryptor the operators supply after payment cannot recover the data.
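The key-lifecycle defect Halcyon describes is easiest to see next to the design ransomware normally uses. The following is an added illustration written for this page, not Sicarii's code: textbook RSA over small primes and a SHA-256 keystream stand in for real RSA-OAEP and AES (both are assumptions chosen so the block runs with the standard library), because only the ordering of key generation, wrapping and discarding matters here. In the sound scheme the operator's master public key is embedded and the file key is wrapped to it; in the Sicarii-style scheme the key pair that wraps the file key is created on the victim and its private half is thrown away, so the operator's "decryptor" unwraps garbage.

```python
"""Model of the key-management defect described above (added example, not Sicarii code).

Assumptions: textbook RSA with ~192-bit moduli and a SHA-256 counter keystream are
stand-ins for RSA-OAEP and AES; the operator master key pair is generated here for
the demo rather than shipped inside a binary.
"""
import hashlib
import os
import random


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (sufficient for a demo, not for production keys)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # fixed size, odd
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 192):
    """Return ((n, e), (n, d)); n is at least 190 bits so a 128-bit key fits as a message."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt_int(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt_int(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for AES: XOR with SHA-256(key || counter). Same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


# Assumption: the operator's master key pair, which a sound RaaS build embeds (public half only).
OPERATOR_PUB, OPERATOR_PRIV = rsa_keygen()


def encrypt_sound(plaintext: bytes, operator_pub) -> dict:
    """Conventional design: per-file key wrapped to the operator's embedded public key."""
    file_key = os.urandom(16)
    wrapped = rsa_encrypt_int(operator_pub, int.from_bytes(file_key, "big"))
    return {"ciphertext": keystream_xor(file_key, plaintext), "wrapped_key": wrapped}


def encrypt_flawed(plaintext: bytes) -> dict:
    """Sicarii-style lifecycle as reported: fresh RSA pair on the victim, wrap with its
    public half, then discard the private half. Nothing that can unwrap file_key survives."""
    victim_pub, victim_priv = rsa_keygen()
    file_key = os.urandom(16)
    wrapped = rsa_encrypt_int(victim_pub, int.from_bytes(file_key, "big"))
    del victim_priv  # the only key that could recover file_key is gone
    return {"ciphertext": keystream_xor(file_key, plaintext), "wrapped_key": wrapped}


def operator_recover(blob: dict, operator_priv) -> bytes:
    """What an operator-supplied decryptor does: unwrap with the master private key."""
    key_int = rsa_decrypt_int(operator_priv, blob["wrapped_key"])
    file_key = (key_int % (1 << 128)).to_bytes(16, "big")
    return keystream_xor(file_key, blob["ciphertext"])


def demo():
    """Returns (sound_recovers, flawed_recovers); expected (True, False)."""
    msg = b"constructed sample: quarterly-report.xlsx contents"  # constructed input
    sound_ok = operator_recover(encrypt_sound(msg, OPERATOR_PUB), OPERATOR_PRIV) == msg
    flawed_ok = operator_recover(encrypt_flawed(msg), OPERATOR_PRIV) == msg
    return sound_ok, flawed_ok


if __name__ == "__main__":
    print(demo())
```

For an analyst triaging a sample, the practical check follows directly from the model: if the binary embeds no operator public key and the key pair it generates is neither exfiltrated nor stored, there is no recovery path regardless of what the ransom note promises.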
Check Point Research (CPR), which covered the group earlier in January, said Sicarii brands itself as Israeli/Jewish but that the malware’s online activity is mainly in Russian and that the Hebrew content may be machine-translated, raising questions about the authenticity of the claimed identity.
CPR also reported that, as of 14 January, an operator claiming to be the ransomware's communications lead said Sicarii had compromised three to six victims, all of whom had paid the ransom, though the reliability of these claims is uncertain. Halcyon's alert also highlights AI-assisted tooling as a possible contributor to the flaw, and researchers emphasise that decryption after payment remains unreliable. Victims are urged to exercise caution before paying: given the key-handling defect described above, an operator cannot even produce the usual proof of decrypting a sample file, and the realistic path is restoration from backups alongside incident response.