Sicarii Ransomware: Truth vs Myth

Sicarii is a newly observed RaaS operation that combines functional ransomware capabilities (data exfiltration, credential harvesting, LSASS dumping, network reconnaissance, Fortinet exploitation, and AES-GCM encryption adding a .sicarii extension) with unusually explicit Israeli/Jewish branding and geo-fencing that prevents execution on Israeli systems. The group’s public behavior, linguistic inconsistencies, performative identity signaling, and early-stage testing artifacts (VirusTotal uploads, Project3.exe, ransomawre.cs) suggest an immature or possibly false-flag operation rather than a mature ideologically driven actor. #Sicarii #CVE-2025-64446

Keypoints

Sicarii surfaced in late 2025 as a RaaS operation that publicly brands itself with Israeli/Jewish symbolism and explicitly avoids executing on Israeli systems via geo-fencing checks.
The ransomware implements anti-VM checks, single-instance mutex enforcement, copies itself to Temp as svchost_{random}.exe, and tests internet connectivity via google.com/generate_204.
Technical capabilities include broad data collection (registry hives, browser and app data, LSASS dumping), packaging to collected_data.zip, exfiltration to file.io, network reconnaissance (ARP, RDP scanning), and attempted exploitation of Fortinet devices via CVE-2025-64446.
For persistence the malware uses Registry Run keys, creates a Windows service named WinDefender, creates a local user (SysAdmin / Password123!), and even creates an AWS user account; it also terminates AV/VPN processes to impair defenses.
Files are encrypted in place using AES-GCM with per-file keys and an XOR-0xAA-encoded header, producing files with the .sicarii extension; a destruct.bat script is installed to corrupt bootloader files and perform disk-wiping to prolong downtime.
Operator activity centers on a Telegram account (@Skibcum / “Threat”) and Russian-language underground forums; Hebrew content appears machine-translated or non-native, while English and Russian are used fluently.
VirusTotal activity and other artifacts (Project3.exe, ransomawre.cs, uploads of ideological imagery) point to centralized testing and limited operational maturity, raising the possibility of performative or false-flag behavior rather than genuine ideological alignment.

MITRE Techniques

[T1497.001 ] Virtual Machine Detection – Anti-VM phase performs virtualization detection and exits with a decoy error when in a VM (‘DirectX failed to initialize memory during runtime, exiting’).
[T1016 ] System Network Configuration Discovery – Checks execution context to determine if victim is Israeli by evaluating time zone, keyboard layout, and adapter IPs (‘Is the time zone set to Israel’).
[T1046 ] Network Service Scanning – Enumerates local network, maps hosts via ARP, and actively probes discovered systems including scanning for exposed RDP services (‘maps nearby hosts via ARP requests, and actively probes discovered systems’).
[T1190 ] Exploit Public-Facing Application – Attempts to exploit Fortinet devices using CVE-2025-64446 to gain further access (‘scans for exposed RDP services and attempts to exploit Fortinet devices using CVE-2025-64446’).
[T1003.001 ] OS Credential Dumping: LSASS Memory – Attempts to dump LSASS to obtain additional credentials (‘attempts to dump LSASS to obtain further credentials’).
[T1555 ] Credentials from Password Stores – Collects browser data and application-specific data from platforms such as Discord, Slack, Telegram, Office, WhatsApp, and Atomic Wallet (‘collects registry hives, system credentials, browser data, and some application data from platforms including Discord, Slack, Roblox, Telegram, Office, WhatsApp, Atomic Wallet and more’).
[T1083 ] File and Directory Discovery – Iterates through common user directories to enumerate and collect high-value files (Documents, Downloads, Desktop, Videos, Pictures, Music) for exfiltration and encryption (‘iterates through common user directories such as Documents, Desktop, Music, Downloads, Pictures and Videos’).
[T1567.002 ] Exfiltration to Public Cloud Storage – Packages collected data into collected_data.zip and exfiltrates it to an external file-sharing service via file.io (‘packaged into a ZIP archive named collected_data.zip and exfiltrated to an external service via file.io’).
[T1486 ] Data Encrypted for Impact – Encrypts files in place using AES-GCM (256-bit) via BCrypt APIs, appending the .sicarii extension to encrypted files (‘encrypt files using AES-GCM and the .sicarii extension’).
[T1547.001 ] Registry Run Keys/Startup Folder – Achieves persistence via Registry Run key entries (‘Registry Run key’).
[T1543.003 ] Create or Modify System Process: Windows Service – Creates a service named WinDefender to maintain persistence (‘Creating a service named WinDefender’).
[T1136 ] Create Account – Creates a new local user account (SysAdmin with a hardcoded password) to maintain access (‘Creating a new user SysAdmin with password Password123!’).
[T1562.001 ] Impair Defenses: Disable or Modify Security Tools – Checks for AV and VPN products and terminates their processes to reduce detection (‘checks if AV and VPN products are running. If so, it terminates their processes’).
[T1485 ] Data Destruction – Drops destruct.bat which corrupts bootloader files and uses built-in Windows utilities (cipher, diskpart) to perform disk-wiping operations and force shutdown (‘corrupts critical bootloader files, leverages built-in Windows utilities such as cipher and diskpart to perform disk-wiping operations’).
[T1090 ] Proxy (Tor) – Early-stage source code and infrastructure references indicate use of Tor for C2 or infrastructure routing (‘referenced the same Tor infrastructure later used by the Sicarii ransomware’).

Indicators of Compromise

[File Hash ] Sicarii-related binaries and samples – 4104542714022cb6ef34e9ee5affca07b9a38dbee49748f8630c5f50a26db8b2, cce3821939b7cb77b9da3d59bbcb5978818d4937dd330d820102b012ffcebe4d, and 150 more hashes.
[File Name ] development/test artifacts and payload names – Project3.exe, ransomawre.cs (source code upload), svchost_{random}.exe, and collected_data.zip.
[Telegram Account ] operator and communications lead – @Skibcum (display name “Threat”, registered November 2025), used for public forum engagement and private negotiation messaging.
[File Extension ] encrypted output – .sicarii appended to encrypted files indicating Sicarii impact (e.g., .sicarii).
[Service/Domain ] connectivity and exfiltration endpoints – google.com/generate_204 (connectivity test) and file.io (exfiltration hosting/service used for stolen archives).
[Script/Artifact ] destructive and staging artifacts – destruct.bat (registered to execute at startup to corrupt bootloader and wipe disks) and collected_data.zip (staging archive of exfiltrated data).
[Vulnerability ] exploited target vector – CVE-2025-64446 used to attempt exploitation of Fortinet devices (evidence of active exploitation attempts).