A coding error, possibly introduced through over-reliance on artificial intelligence (AI) vibe coding tools, has rendered an emergent strain of ransomware an acutely dangerous threat, according to researchers at Halcyon’s Ransomware Research Center (RRC).
The Sicarii ransomware-as-a-service (RaaS) operation emerged from the cyber criminal underground in December 2025, when it started advertising for affiliates on the dark web.
But now, technical analysis by Halcyon’s team has identified a critical coding flaw in Sicarii’s encryption key handling that renders it impossible for either victim or cyber criminal to decrypt impacted systems.
Best practice for ransomware victims holds that it’s inadvisable to pay a ransom partly on the basis that it is no guarantee the cyber criminals will decrypt your data. This apparent flaw fundamentally undermines recoverability, rendering Sicarii an even more dangerous threat.
“Don’t pay a Sicarii ransom,” said RRC senior vice-president Cynthia Kaiser. “You won’t get anything useful back.”
RSA key mishandling
The problem arises from how the Sicarii binary handles its RSA implementation. When the ransomware locker first executes, it generates a fresh RSA key pair locally, uses this key for encryption, and then, for reasons unknown, discards the private key.
Because of this “per-execution” key generation, encryption is not tied to any recoverable master key, so victims have no viable decryption path and attacker-provided decryptors are ineffective. In effect, paying a ransom cannot materially improve recovery outcomes.
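To make the recoverability point concrete, the following Go program is an added model of the key flow just described; it is not Sicarii’s code, nor Halcyon’s analysis tooling, and the artifact layout, key sizes and the names encryptOnce, tryRecover and Recoverable are constructed for illustration. It wraps a random AES data key under a public key generated for that run only, lets the matching private key fall out of scope, and then shows that a decryptor holding any other key, including a long-term “master” key an operator might offer after payment, cannot unwrap it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Artifacts is everything a responder could expect to recover from an
// affected host in this constructed model: the encrypted data, its nonce,
// the wrapped data key and the public half of the per-run RSA pair.
// The private half is not among them.
type Artifacts struct {
	Ciphertext []byte
	Nonce      []byte
	WrappedKey []byte
	EphemPub   *rsa.PublicKey
}

// encryptOnce models the flow the article describes: a fresh RSA pair for
// this run, a random AES-256 data key wrapped under that pair's public key,
// and no link to any long-term key. The private key is returned only so a
// caller can prove the artifacts are well-formed; in the flawed flow nothing
// retains it.
func encryptOnce(plaintext []byte) (Artifacts, *rsa.PrivateKey, error) {
	ephem, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Artifacts{}, nil, err
	}
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Artifacts{}, nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return Artifacts{}, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Artifacts{}, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Artifacts{}, nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// The data key is wrapped under the ephemeral public key and nothing else.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &ephem.PublicKey, dataKey, nil)
	if err != nil {
		return Artifacts{}, nil, err
	}
	return Artifacts{Ciphertext: ct, Nonce: nonce, WrappedKey: wrapped, EphemPub: &ephem.PublicKey}, ephem, nil
}

// tryRecover is what any decryptor must do: unwrap the data key with a
// candidate private key, then open the ciphertext. OAEP unwrapping fails
// unless the candidate is exactly the private key matching EphemPub.
func tryRecover(a Artifacts, candidate *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, candidate, a.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, a.Nonce, a.Ciphertext, nil)
}

// Recoverable reports whether any key in the candidate set (for example a
// long-term "master" key handed over after payment) opens the artifacts.
func Recoverable(a Artifacts, candidates []*rsa.PrivateKey) bool {
	for _, k := range candidates {
		if _, err := tryRecover(a, k); err == nil {
			return true
		}
	}
	return false
}

func main() {
	arts, ephem, err := encryptOnce([]byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	// Sanity check: the one key that was dropped would have worked.
	if _, err := tryRecover(arts, ephem); err != nil {
		panic(err)
	}
	// A long-term key never involved in the wrapping cannot help.
	master, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("recoverable with operator's master key:", Recoverable(arts, []*rsa.PrivateKey{master}))
}
```

The program prints false for the master-key case: once the ephemeral private key is gone, the wrapped data key is undecryptable by anyone, which is why Halcyon’s advice is to treat a Sicarii decryptor as having nothing to work with rather than as a negotiable asset.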
“Halcyon assesses with moderate confidence that the developers may have used AI-assisted tooling, which could have contributed to this implementation error,” said the team.
“Organisations impacted by Sicarii ransomware should assume that ransom payment will not result in successful data restoration unless there is independent confirmation that this defect has been corrected.”
The best protection against any ransomware attack remains preparation: ensuring protected backups are in place to restore from and, where feasible, deploying dedicated anti-ransomware solutions.
But should your organisation fall victim to a Sicarii attack and recovery via a decryptor prove impossible, Halcyon’s team advises against wasting time on pointless negotiations and recommends shifting to alternative recovery pathways: isolating affected systems, preserving forensic evidence, using available logs and telemetry to determine the scope of the compromise, and seeking support from third-party incident responders.
Who are Sicarii?
In history, the Sicarii were a band of Jewish rebels active during the Roman occupation of Judaea. Named for their large curved daggers, or sica, the group’s members are said to have committed mass suicide around 72–73 CE during the Siege of Masada, a hilltop fortress overlooking the Dead Sea in present-day Israel.
This history is reflected in the modern-day Sicarii gang, which distinguishes itself from the majority Russian-speaking ransomware ecosystem by leaning heavily on Israeli and Jewish symbolism. The gang’s branding incorporates Hebrew text and references Haganah, a paramilitary organisation that fought British rule in Palestine prior to Israeli independence in 1948.
According to Check Point, the Sicarii gang offers financial incentives for attacks conducted against Arab or Muslim states and geofences its locker so that it does not execute on any systems located in Israel.
However, Check Point says there are several anomalies and inconsistencies that make it hard to determine whether Sicarii really is an Israeli ransomware gang.
Among other things, its members appear to be rather more proficient in English and Russian than Hebrew – they have been observed translating English idioms word for word into Hebrew, where no such idioms exist – and the researchers believe the gang’s ideological posturing, which is likely to put off many affiliates, represents performative or false-flag behaviour rather than genuine alignment with Israel. Its operatives appear somewhat undisciplined, the researchers added.
Check Point’s deep dive on Sicarii, which can be read in full here, notes that previous cyber campaigns attributed to Iranian-aligned actors exploited references from Jewish history and myth, and fabricated Israeli personas to conduct false-flag ops.
