Full Report
Key findings
Introduction
In December 2025, a previously unknown Ransomware-as-a-Service (RaaS) operation calling itself Sicarii began advertising its services across multiple underground platforms. The group’s name references the Sicarii, a 1st-century Jewish assassins group that opposed Roman rule in Judea. From its initial appearance, the Sicarii ransomware group distinguished itself through unusually explicit and persistent use of Israeli […]
The post Sicarii Ransomware: Truth vs Myth appeared first on Check Point Research.
Analysis Summary
# Threat Actor: Sicarii
## Attribution & Identity
* **Actor Name:** Sicarii
* **Aliases:** None mentioned.
* **Known Associations:** Claims affiliation with Israeli/Jewish identity and the historical paramilitary organization *Haganah*.
* **Identity Analysis:** Attribution remains uncertain. While the group uses Hebrew branding and Jewish symbols, evidence suggests **identity manipulation or a false-flag operation**. Key indicators include:
  * Primary underground activity is conducted in **Russian**.
  * Hebrew content appears machine-translated or written by non-native speakers.
  * Behavioral patterns diverge from those of established financially motivated groups toward influence-oriented signaling.
## Activity Summary
* **Emergence:** First appeared in December 2025 as a Ransomware-as-a-Service (RaaS) operation.
* **Operations:** Advertising services on underground forums and recruiting affiliates. As of the report date, the group has only published one claimed victim.
* **Campaign Characteristics:** High-profile branding using ideological and nationalistic themes (The Sicarii Knife), differentiating itself from standard "quiet" RaaS operations.
## Tactics, Techniques & Procedures
* **Initial Access:** Likely purchasing access to targeted organizations rather than direct exploitation.
* **Anti-Analysis:** Performs virtualization detection; if a VM is detected, it displays a fake error message: `"DirectX failed to initialize memory during runtime, exiting"`.
* **Execution Control:** Uses a Mutex to ensure single-instance execution.
* **Geo-fencing:** Actively checks for Israeli systems and aborts execution if found, a move to reinforce their claimed Israeli identity.
* **Exploitation:** Includes modules for vulnerability exploitation specifically targeting **Fortinet** devices.
* **Data Exfiltration:** Capable of stealing system credentials, network information, and sensitive files before encryption.
* **Encryption:** Uses **AES-GCM** for file encryption and appends the **.sicarii** extension to affected files.
## Targeting
* **Sectors:** Generally opportunistic; however, the group offers financial incentives for attacks directed at **Arab or Muslim states**.
* **Geography:** Global, with a strictly excluded target: **Israel** (via geo-fencing logic).
* **Victims:** Only one claimed victim published as of early 2026 (specific name not provided in text).
## Tools & Infrastructure
* **Malware:** Sicarii Ransomware (custom AES-GCM builder).
* **Infrastructure:**
  * Underground platforms for recruitment (Russian-speaking forums).
  * C2/leak site presence (implied by the publication of victims).
* **Defanged Indicators of Interest:**
  * SHA256: `5a0011a100e11594e7d64461c1d5024c6f46b6a4d6398dc8bf8495b0` (as printed: only 56 hex characters, so this value is incomplete)
  * SHA256: `4b8eca4bf33e13a680ef30b9295cce5a7f5de3b7f5f8771ab206572488d3d9f4`
  * SHA256: `d99ded48868d2961dcae6b4c63d1b74395aeb440232cf44828e3e2bf31c06418`
## Implications
The group represents a blurring of lines between traditional cybercrime and influence operations. By adopting a controversial ideological identity, they may be attempting to stoke geopolitical tensions or deflect attribution. The technical inclusion of Fortinet exploitation indicates a level of sophistication in their automated toolset despite their low victim count.
## Mitigations
* **Vulnerability Management:** Prioritize patching of **Fortinet** networking equipment.
* **Endpoint Defense:** Ensure EDR solutions are configured to detect AES-GCM encryption patterns and unexpected Mutex creations.
* **Credential Protection:** Implement Multi-Factor Authentication (MFA) to mitigate the impact of the group's credential harvesting capabilities.
* **Access Monitoring:** Monitor for initial access brokers and unusual RDP/VPN logins, as the group likely buys existing access.
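The behaviours listed under Tactics, Techniques & Procedures and the Endpoint Defense mitigation above translate into a small amount of detection logic. The following is an added example written for this summary, not code from Check Point Research or from the ransomware itself. It scans a constructed stream of endpoint telemetry for two observables the report does give (files renamed to the `.sicarii` extension, and the fake "DirectX" error string shown when the sample detects a VM) and raises the severity when the same process also created a mutex. The telemetry format, field names, process names and the mutex name are all assumptions made for the example.

```python
"""Heuristic detector for the Sicarii behaviours described in the summary.

Added example (not from the report or the malware). Event format is an
assumption: one event per line, "timestamp|host|event_type|process|detail".
"""
from collections import defaultdict
from datetime import datetime, timedelta

SICARII_EXT = ".sicarii"  # extension appended to encrypted files (from the report)
FAKE_VM_ERROR = "DirectX failed to initialize memory during runtime, exiting"  # from the report

# Constructed sample telemetry; hosts, processes and the mutex name are invented.
SAMPLE_EVENTS = """\
2026-01-10T09:00:01|WS-17|mutex_create|updater.exe|Global\\constructed-mutex-name
2026-01-10T09:00:02|WS-17|file_rename|updater.exe|C:\\Users\\a\\Docs\\q1.xlsx -> C:\\Users\\a\\Docs\\q1.xlsx.sicarii
2026-01-10T09:00:02|WS-17|file_rename|updater.exe|C:\\Users\\a\\Docs\\q2.xlsx -> C:\\Users\\a\\Docs\\q2.xlsx.sicarii
2026-01-10T09:00:03|WS-17|file_rename|updater.exe|C:\\Users\\a\\Docs\\plan.docx -> C:\\Users\\a\\Docs\\plan.docx.sicarii
2026-01-10T09:00:03|WS-17|file_rename|updater.exe|C:\\Users\\a\\Docs\\notes.txt -> C:\\Users\\a\\Docs\\notes.txt.sicarii
2026-01-10T09:00:04|WS-17|file_rename|updater.exe|C:\\Users\\a\\Docs\\budget.pdf -> C:\\Users\\a\\Docs\\budget.pdf.sicarii
2026-01-10T09:05:00|WS-03|file_rename|explorer.exe|C:\\Users\\b\\old.txt -> C:\\Users\\b\\old.txt.bak
2026-01-10T09:07:30|SANDBOX-1|process_exit|updater.exe|DirectX failed to initialize memory during runtime, exiting
2026-01-10T10:00:00|WS-03|file_rename|explorer.exe|C:\\Users\\b\\x.txt -> C:\\Users\\b\\x.txt.sicarii
"""


def parse_events(text):
    """Split the pipe-delimited telemetry into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, etype, proc, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "type": etype, "process": proc, "detail": detail})
    return events


def detect_rename_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return (host, process, count) for each process that renamed at least
    `threshold` files to .sicarii within one sliding window. A single rename
    is noise; a burst is the mass-encryption footprint ransomware leaves."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["type"] != "file_rename":
            continue
        new_path = ev["detail"].split(" -> ")[-1]  # detail is "old -> new"
        if new_path.lower().endswith(SICARII_EXT):
            per_actor[(ev["host"], ev["process"])].append(ev["ts"])
    findings = []
    for (host, proc), times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((host, proc, end - start + 1))
                break  # one finding per actor is enough for triage
    return findings


def detect_fake_vm_error(events):
    """The report states the sample prints a fake DirectX error when it
    detects a VM; seeing that exact string in sandbox output is itself a signal."""
    return [ev for ev in events if FAKE_VM_ERROR in ev["detail"]]


def mutex_creators(events):
    """(host, process) pairs that created a mutex, used only for correlation."""
    return {(ev["host"], ev["process"]) for ev in events if ev["type"] == "mutex_create"}


def triage(text):
    """Combine the signals: a rename burst from a process that also created a
    mutex is rated high; a burst alone or the fake error alone is medium."""
    events = parse_events(text)
    mutexes = mutex_creators(events)
    alerts = []
    for host, proc, count in detect_rename_bursts(events):
        seen = (host, proc) in mutexes
        alerts.append({"host": host, "process": proc, "renames": count,
                       "mutex_seen": seen, "severity": "high" if seen else "medium"})
    for ev in detect_fake_vm_error(events):
        alerts.append({"host": ev["host"], "process": ev["process"],
                       "indicator": "fake-directx-error", "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this produces one high-severity alert for `updater.exe` on WS-17 (five `.sicarii` renames in two seconds from a process that also created a mutex) and one medium-severity alert for the fake DirectX string seen on SANDBOX-1; the single `.sicarii` rename on WS-03 stays below the burst threshold. Real deployments would feed this from EDR file and object telemetry and tune the threshold and window to the environment.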