Sicarii Ransomware: Truth vs Myth

Key findings

• Sicarii is a newly observed RaaS operation that surfaced in late 2025 and has only published 1 claimed victim.
• The group explicitly brands itself as Israeli/Jewish, using Hebrew language, historical symbols, and extremist right-wing ideological references not usually seen in financially-motivated ransomware operations.
• Underground online activity associated with Sicarii is primarily conducted in Russian, including RaaS recruitment posts and forum engagement.
• Hebrew content used by the group appears to be machine-translated or non-native and contains grammatical and semantic errors.
• The group’s behavior and messaging diverge from established ransomware practices and raise the possibility of identity manipulation or influence-oriented signaling, rather than a real and mature criminal operation.
• The ransomware performs an active geo-fencing check to prevent execution on Israeli systems, an unusual design choice that weakens plausible deniability.
• The ransomware’s technical capabilities include data exfiltration, collecting system credentials and network information, check exploitation for Fortinet devices, and encrypt files using AES-GCM and the .sicarii extension.

Introduction

In December 2025, a previously unknown Ransomware-as-a-Service (RaaS) operation calling itself Sicarii began advertising its services across multiple underground platforms. The group’s name references the Sicarii, a 1st-century Jewish assassins group that opposed Roman rule in Judea. From its initial appearance, the Sicarii ransomware group distinguished itself through unusually explicit and persistent use of Israeli and Jewish symbolism in its branding, communications, and malware logic.

Figure 1 – Sicarii Ransomware logo featuring the phrase “The Sicarii Knife” in Hebrew text with the symbol of the Haganah (predecessor to the Israel Defense Forces).

Unlike most financially-motivated ransomware groups, Sicarii overtly claims Israeli or Jewish affiliation. Its visual branding incorporates Hebrew text and the emblem of the historical Jewish paramilitary organization Haganah, while its ransomware selectively avoids executing on systems identified as Israeli. The group further claims ideological motivation rooted in extremist Jewish groups, while simultaneously marketing the operation as profit-driven and offering financial incentives for attacks against Arab or Muslim states.

In this report, Check Point Research (CPR) examines Sicarii’s background and capabilities, outlines its technical characteristics, and highlights a series of anomalies and inconsistencies that complicate attribution and clear understanding who is behind this group. These indicators raise questions regarding the authenticity of the group’s claimed identity and suggest the possibility of performative or false-flag behavior rather than genuine national or ideological alignment.

Technical analysis

While the exact initial access path is still unclear, communications with the group suggest the operator is likely purchasing access to the targeted organizations and not necessarily exploiting them directly.

The ransomware execution begins with an Anti-VM phase that tries to determine whether the malware is running in a real victim environment or inside a sandbox. It performs several environment checks, including virtualization detection. If it concludes it is executing inside a VM, it stops early and displays a decoy MessageBox error: "DirectX failed to initialize memory during runtime, exiting". Next, it enforces single-instance execution by creating a mutex and exiting if the mutex already exists. The ransomware then copies itself to the Temp directory with a random name in the format svchost_{random}.exe

The ransomware tests for Internet connection by attempting to contact the following url 120 times: google.com/generate_204

After checking connectivity, the ransomware determines if the victim is Israeli by checking:

• Is the time zone set to Israel
• Does the keyboard layout include Hebrew
• Do any adapter IPs belongs to Israeli subnets

After establishing its execution context, the ransomware disables SafeBoot options and initiates broad collection of high-value data and files with predefined extensions list from Documents\Downloads\Desktop\VIdeos\Pictures\Music. While this activity supports double extortion, the harvested information may also be leveraged for lateral movement or follow-up attacks. The malware collects registry hives, system credentials, browser data, and some application data from platforms including Discord, Slack, Roblox, Telegram, Office, WhatsApp, Atomic Wallet and more. In addition, it attempts to dump LSASS to obtain further credentials. All collected data is packaged into a ZIP archive named collected_data.zip and exfiltrated to an external service via file.io.

Next, the malware performs network reconnaissance to better understand the victim’s environment. The malware enumerates the local network configuration, maps nearby hosts via ARP requests, and actively probes discovered systems. As part of this process, it scans for exposed RDP services and attempts to exploit Fortinet devices using CVE-2025-64446.

To maintain persistence, the malware uses several different mechanisms, favoring redundancy:

• Registry Run key
• Creating a service named WinDefender
• Creating a new user SysAdmin with password Password123!
• Creating a new AWS user, without any check if AWS is installed:

Next, the malware checks if AV and VPN products are running. If so, it terminates their processes and sends to the C2 server the link to file.io which contains exfiltrated data file and victim information:

Finally, after finishing reconnaissance, privilege handling, and data collection stages, the ransomware moves into the main impact phase: encryption. It iterates through common user directories such as Documents, Desktop, Music, Downloads, Pictures and Videos, and encrypts files in place using the BCryptEncrypt API. The .sicarii extension is appended to each encrypted file name:

• The algorithm used is AES-GCM (256-bit key) via BCryptOpenAlgorithmProvider("AES", ..., "ChainingModeGCM").
• A unique random AES key is used for each file and the encryption parameters (nonce and tag) are stored in an XOR-0xAA-encoded header.
• The encrypted file is named <original_name>.sicarii and contains only a custom header plus ciphertext.
• The original unencrypted file is deleted.

The ransomware drops its ransom note:

As a final pressure mechanism, the malware deploys a destructive component intended to hinder system recovery and prolong operational downtime. The ransomware drops a destruct.bat script and registers it to execute at system startup. When triggered, the script corrupts critical bootloader files, leverages built-in Windows utilities such as cipher and diskpart to perform disk-wiping operations, and ultimately forces an immediate system shutdown.

Intelligence Findings & Anomalies

Telegram Presence

The primary Sicarii operator uses the Telegram account @Skibcum, operating under the display name “Threat.” According to our analysis, the account was registered in November 2025, shortly before Sicarii’s initial appearance in underground forums and RaaS advertisements. This timing aligns closely with the group’s emergence and suggests the account was created specifically for this operation rather than part of a long-standing criminal persona.

The account’s profile image features a repurposed internet meme containing the phrase “Smile is a mitzvah” (the word “mitzvah” in Hebrew means “good deed”) alongside iconography associated with the banned Israeli extremist Kach organization.

The account is active in several Telegram group chats associated with underground communities. These include Russian-language informal hacker and meme-oriented channels where the operator participates in casual conversation, exchanges stickers and GIFs, as well as chats unrelated to operational activity. The tone in public group chats is informal and at times impulsive, standing in contrast to the more deliberate and controlled tone adopted in private communications.

In all these communications, the operator demonstrates comfortable fluency in English and Russian, using colloquial phrasing, slang, and emotionally expressive language consistent with native or near-native proficiency. No comparable fluency is observed in the Hebrew language in any setting.

Direct Messaging and Signaling Behavior

In private communications, the operator posed as Sicarii’s communications lead and made several self-reported operational claims:

• Victim Activity: Claimed that Sicarii compromised 3–6 victims within approximately one month, all of whom paid the ransom.
• Targeting Strategy: Stated that the group focuses on small businesses, intentionally avoiding large enterprises and government entities to reduce scrutiny and pressure.
• Negotiation Practices: Acknowledged routine negotiation and cited a single case in which a ransom demand was reduced to approximately USD 10,000 for an incident involving around five endpoints.
• Comparative Positioning: Repeatedly compared Sicarii to established Russian ransomware groups such as LockBit and Qilin, while emphasizing that Sicarii is intentionally maintaining a lower profile “for now.”

On January 5, 2026, Sicarii published its first publicly listed victim, a Greece-based manufacturer. Shortly thereafter, Sicarii advertised downloadable exfiltrated data hosted on a public file-sharing service, but the file download links quickly expired. The operator described this victim as “just a test,” despite earlier assertions that multiple successful extortion cases had already occurred. This reframing introduces an internal inconsistency between prior claims of operational success and the treatment of the first disclosed victim.

Ideological Claims vs. Financial Motivation

Sicarii simultaneously frames itself as a profit-driven RaaS platform and an ideologically motivated actor inspired by extremist Jewish figures. Multiple conversations and advertisements emphasize that Sicarii prioritizes attacks against Arab or Muslim targets and explicitly volunteer “insider information” about their intention to next target a Saudi Arabian entity.

This duality is inconsistent with observed ransomware ecosystems, where ideological messaging is typically minimized to avoid limiting affiliate recruitment and operational reach. The selective invocation of ideology, particularly when paired with commercial incentives, appears performative rather than doctrinal.

Performative Israeli Identity and Linguistic Inconsistencies

Although Sicarii group members present themselves as Israeli or Jewish, their use of Hebrew strongly suggests non-native language skills. Hebrew content on the group’s shame site contains misspellings, awkward phrasing, and literal translations of English idioms that do not exist in Hebrew. In private communications, the Telegram user claimed to personally handle only “frontend and communications,” while asserting other operators are Israeli and responsible for ransomware development and initial access operations. Using the same Telegram profile, the actor quickly reemerged as “Isaac” while producing Hebrew that appears to be machine-translated English and insisting they are Hebrew speakers even when challenged.

In contrast, Sicarii’s activity on underground forums and Telegram channels is conducted fluently in Russian and English, including structured RaaS advertisements and informal interactions. This linguistic asymmetry indicates that English or Russian is actually the operator’s primary language.

Behavioral Indicators and OpSec Observations

The operator’s Telegram behavior displays several notable characteristics:

• Low operational discipline, such as openly requesting “ransomware APKs” in public group chats rather than sourcing such information privately.
• Identity play and inconsistency, including shifting self-descriptions and performative signaling toward ideological alignment without a clear strategic purpose.

This reinforces the impression of a relatively inexperienced actor navigating established underground ecosystems rather than a seasoned participant.

Visual Branding and Subcultural Overlap Image

The Telegram operator’s profile image and shared graphics reuse a modified internet meme featuring the phrase “Smile is a mitzvah” alongside symbols associated with the banned Israeli extremist organization Kach. The only variant of this image was identified within a looksmax forum, an online male-dominated subculture often characterized by extreme racism, misogyny, and anti-Semitic discourse.

The limited circulation of this image suggests it’s not a mainstream ideological representation. The forum user who shared this picture said he was a 15-year-old boy and participated in anti-Semitic forum threads.

VirusTotal Activity – Uploading Your Own Source Code & Terrorist Images

The majority of Sicarii-associated samples were submitted to VirusTotal by a single community account which uploaded approximately 250 files over the past several months. Most submissions correspond to apparent variants or loaders associated with the Sicarii ransomware.

Notably, the ransomware binaries were frequently uploaded under the generic filename Project3.exe, a naming convention consistent with testing, staging, or iterative development rather than finalized deployment artifacts.

In addition to compiled ransomware samples, the same VirusTotal account uploaded a source code file titled ransomawre.cs on October 25, 2025, predating Sicarii’s public emergence. This source code referenced the same Tor infrastructure later used by the Sicarii ransomware, suggesting early development or experimentation prior to operational deployment.

In addition to malware-related submissions, the same account also uploaded:

• Unrelated suspicious files
• Malware report-style documents
• An image of Meir Kahane, founder of the extremist Kach organization

The convergence of ransomware testing artifacts, early-stage source code, and extremist ideological imagery within a single VirusTotal account is atypical for mature ransomware operations. Instead of reflecting a compartmentalized development pipeline or affiliate-driven ecosystem, this activity suggests personal experimentation or centralized control, reinforcing the impression of limited operational experience and informal tradecraft.

Explicit National Signaling and Deviation from Ransomware Norms

Established ransomware groups, particularly those operating from Russia or Eastern Europe, typically avoid overt national or ideological signaling to preserve plausible deniability and reduce geopolitical risk. Even well-documented Russian-linked groups such as Qilin or Cl0p refrain from explicit self-identification, despite consistently avoiding domestic targets.

Notably, Sicarii’s operators referenced Qilin and Cl0p in private communications, explicitly describing them as Russian groups that do not attack within Russia and stating that Sicarii follows the “same logic.” This comparison was used by the operator to justify both excluding Israeli victims and the group’s broader targeting posture.

Despite invoking this model, Sicarii diverges sharply from established ransomware norms by:

• Advertising preferential rates for attacks against Arab or Muslim states.
• Embedding Israeli geo-exclusion logic directly into its ransomware.
• Publicly associating itself with extremist Jewish figures and symbols.

Whereas Eastern European ransomware groups rely on implicit understandings and silent geographic avoidance, Sicarii’s approach is unusually explicit and performative. Such behavior is not only unnecessary for a financially motivated RaaS but also invites avoidable exposure. All of this suggests either limited operational maturity or deliberate signaling beyond purely criminal objectives.

Historical Precedent for False-Flag Use of Jewish Identity

Previous campaigns attributed to Iranian-aligned or anti-Israeli actors, including Moses Staff and Abraham’s Ax, leveraged Jewish historical references and fabricated Israeli insider personas to conduct false-flag operations or influence campaigns.

While no direct technical linkage exists between Sicarii and these actors, the use of Jewish extremist symbolism, overt Israeli identity claims, and ideologically charged rhetoric mirrors known deception techniques employed in prior operations by anti-Israeli Middle Eastern actors.

Leak site

The Sicarii leak site is notably rudimentary, offering display options in both Hebrew and English. The Hebrew version is characterized by awkward phrasing and frequent misspellings, further indicating non-native authorship. In private communications, the operator stated that AI tools were used in the site’s development. Notably, the leak site was active for approximately one month before the first victim was published, a delay that is atypical for RaaS operations seeking rapid visibility and credibility.

Conclusion & Assessment

Sicarii is a newly observed ransomware operation that combines a functional extortion capability with unusually explicit Israeli and Jewish branding. While the malware itself demonstrates credible ransomware functionality, the group’s behavior and presentation deviate from established ransomware norms.

On Telegram communications, underground forum activity, and public-facing infrastructure, Sicarii repeatedly asserts national and ideological identity in ways that provide no clear operational benefit. Although the operators compare themselves to Russian ransomware groups such as Qilin and Cl0p (arguing that those groups also avoid domestic targets), Sicarii departs from this model by making its alignment explicit and performative, weakening plausible deniability.

Linguistic analysis further undermines the group’s claims. Hebrew usage across the leak site and private communications is inconsistent and indicative of non-native authorship, while English and Russian are used fluently. Operationally, the group appears centralized and informal, with early-stage tooling, inconsistent victim narratives, and limited compartmentalization, suggesting experimentation rather than a mature RaaS ecosystem.

Taken together, these indicators suggest that Sicarii’s claimed Israeli or Jewish identity doesn’t necessarily reflect genuine ideological motives. Instead, the operation appears to leverage performative identity signaling layered onto an immature ransomware capability. Attribution remains inconclusive, but Sicarii’s self-description should not necessarily be taken at face value.

IOCs:

4104542714022cb6ef34e9ee5affca07b9a38dbee49748f8630c5f50a26db8b2
cce3821939b7cb77b9da3d59bbcb5978818d4937dd330d820102b012ffcebe4d
a9cadb2c85a4d951f1c41d3dba6be6af876d364c5bba267a42f7839f40b45c0a
b9691587dff4b09987354d50c5d7f9f99f57183bdb6115d1ed410ea0a2e86973
0f0509d1751185fc3d0fce5a578d29aa9d1fe219f29dacef2cf4200851ed541c
59bb8cbd471bd6598c8bf830fa9f90574e8b1bae59d90d379dfd91b1390f7a33
203fd36eed61f7c0f9225cf5a824d39a3a891f63c908586801e350f785f0ddca
6d4cecda3cd5e031d2d23991fe4040568a221ee6ee7e99aaecda52431e67e18d
fbf4ba84c6bb558d6663e34ce7fb459c2cb4e7577241116abaa09ff1eb0d2108
8a4f1e01c78dbeb5258ef97420a948cc530ff3c4d6fa5153b5da5872c728bfe3
bacc9fe505d243ad5192bad081f2fb7cb5bf0d4d26b0b0e51f5a74f64a2db2a5
70ac2b0f9b40eb8682db4452bbda70363b3680eef8ee30cd311e0d2e4c125bcb
a7ec88cc08ffa80915f32ac7274218ded88e61c6cda95bedbb8fe9d729ba7495
debbc85b17c753c3428588cd865b9bcc4b60c18566724d6fc841133ddb3ba5d3
97c2cda26d8e53eb74489a066834e7afae1a89a71f57b91e64384f88358d0c4e
07ef103cbe476dbaee5fb3a8068a9246c0a18f7b89846ba11e90b3622fdfef91
b23176a06dc2e32978a13853ce7730007242a2f9d1e1d33e9601de6b4eaadc3e
5a2f8aea67e3f89029383b46dfe2f5671902d0b2815b9cf5ab6e74fe6d406fb0
befb0f49fc3bfad9166300600be6da73efb6c9b19e09f9515bce9d60cc9a0455
feda2efbc44d4ef1694d3d2a4c2794013d8a071194adf3c14e5376e1a369ee61
942b5945a927ad2c78c1ce1afc9e86b2f6f4134c6fb36ca1fafef5b21ba1d8a2
b0718c24b687e781f1a55d2e302baeb31bfd649308a8eb9f1361569c9af260d1
7a782c7fcfc2ef8231694216f998ba3078ce00bb06d2d27c734c6e65d9df9d86
eff3bd2522a8e6725cb58d45076a3fe705a206e5cd7fe7ec70b7726ad4a53286
64f6ebf9e3c285cc527b94080bccb7fc051137621870997220854907bb69bb69
e920bb59cd7d803615b08b957d4eb9ba8a9cc2d104924d856b54839fec868314
12a6dcefe12e8245bf4a6c9fc894ca431a02720f653841b5ccf6174a226c6a29
350ba9075a0011a100e11594e7d64461c1d5024c6f46b6a4d6398dc8bf8495b0
4b8eca4bf33e13a680ef30b9295cce5a7f5de3b7f5f8771ab206572488d3d9f4
d99ded48868d2961dcae6b4c63d1b74395aeb440232cf44828e3e2bf31c06418
362fe4f7ada71ee779b3bf2fa32c7f42704d051920166b26a68599c470dc5de1
20114fc02aa0296919f8072ee59195bed83cf79ec0f5c1f37e4fa7939710aa49
7388b87febbe9aa6633c0c1363b1feb9e82de84c83f1696649edeaeeaf3e21bd
c8ac7f6fb9a3435108019477e3a2b7fcd322a92d93015e19c7930673685c0e17
07448b617834e3f40137773ef3432b12efe72cd373217802e0266663a3253095
9a0f9efacfdd73037b8f4a656beef3382d7996fcc4331c896b9163c296ae1218
906c1fa52aa00001ce568ca5fcb673dbea4bee3772f1ba9435ee87e2c9216dc4
100940358086d978cd418b43aed88d26e86af096886bf7b2f3a0f58d729428b0
f4ae6a1ef1aa9e734a141b90c1333fc624512c453aa2f668cadd5e3408ca08a0
f4b05effc920457129f41827840d4d6063e0040fd612e7ca63a6c3e25736ea0c
7028436ae16f813b278f82b0b02d22fb0338a0becc1cdcd4b2f4c9de8bb23408