{"id":6735,"date":"2026-01-28T11:22:07","date_gmt":"2026-01-28T11:22:07","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6735"},"modified":"2026-01-28T11:22:07","modified_gmt":"2026-01-28T11:22:07","slug":"sicarii-ransomware-locks-your-data-and-throws-away-the-keys","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6735","title":{"rendered":"Sicarii ransomware locks your data and throws away the keys"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A newly observed Sicarii ransomware strain contains a critical encryption key handling defect that can leave encrypted data unrecoverable, even if a victim pays the ransom or uses a provided decryptor.<\/p>\n<p>Analysts at the Halcyon Ransomware Research Center found that Sicarii generates fresh <a href=\"https:\/\/www.csoonline.com\/article\/3995036\/breaking-rsa-encryption-just-got-20x-easier-for-quantum-computers.html\">RSA key<\/a> pairs for each execution and then discards the private key, leaving no recoverable key material for the encrypted systems.<\/p>\n<p>Organizations affected by this variant cannot rely on ransom negotiation or third-party decryptors to restore files unless there is evidence that the underlying flaw has been fixed in the specific sample that infected them. \u201cThe issue appears to stem from poor encryption key management rather than deliberate design,\u201d said Sakshi Grover, senior research manager, cybersecurity at IDC. 
\u201cThis reflects a broader trend in the ransomware ecosystem, where low barriers to entry and rapid monetization take precedence over technical robustness.\u201d<\/p>\n<p>Sicarii was first disclosed in December 2025 and has only a small track record of claimed victims, but its unusual technical attributes have led researchers to suggest it could have been <a href=\"https:\/\/www.csoonline.com\/article\/4053635\/when-ai-nukes-your-database-the-dark-side-of-vibe-coding.html\">vibe coded<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Encryption defect breaks standard RaaS model<\/h2>\n<p>Ransomware typically encrypts files using a public-key <a href=\"https:\/\/www.csoonline.com\/article\/565965\/preparing-for-the-day-quantum-computing-cracks-public-key-cryptography-what-to-do-now.html\">scheme<\/a> where the attacker retains the private key or can regenerate it later, enabling a decryptor to work if the ransom is paid. Sicarii deviates from this model. In samples observed by Halcyon, it generates a new RSA key pair entirely on the victim system during each execution and immediately discards the private key once encryption completes.<\/p>\n<p>Victims end up with no viable path to recover encrypted data, even if they cooperate with attackers or use a published decryptor tool. According to a Halcyon <a href=\"https:\/\/www.halcyon.ai\/ransomware-alerts\/alert-sicarii-ransomware-encryption-key-handling-defect\">alert<\/a>, enterprises should assume failed recovery through ransom-related decryptors unless there is independent verification that the defect was eliminated in that strain.<\/p>\n<p>\u201cA Sicarii ransomware represents a nightmare scenario where traditional ransomware response strategies fail entirely,\u201d said Agnidipta Sarkar, chief evangelist at ColorTokens. 
\u201cAs no decryptor can reconstruct the discarded private keys, enterprises will stare at \u2018assume total data destruction,\u2019 amplifying financial, operational, and reputational damage.\u201d<\/p>\n<p>The absence of decryptor-based recovery forces organizations to plan for complete restoration from backups and alternate operational recovery methods, changing their cost-benefit analysis. This also heightens the importance of pre-existing, secure backup infrastructure and rapid isolation. Halcyon urged organizations to focus on immediate containment and restoration rather than ransom-based recovery. Affected systems should be isolated, the scope of infection identified, and operations restored only from known-good, offline, or immutable backups.<\/p>\n<p>\u201cEnterprises must invest in proactive zero trust micro-segmentation that is designed to be adopted in hours, leveraging existing EDR, agents, agentless mechanisms to contain threats at the initial access point, preventing encryption from spreading,\u201d Sarkar added.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Unusual technical profile hints at vibe-coding<\/h2>\n<p>One possible explanation for Sicarii\u2019s broken encryption flow is immature or poorly implemented development practices. The ransomware\u2019s failure to retain usable keys is inconsistent with established ransomware design and suggests it may have been assembled without rigorous testing or a clear understanding of operational consequences, or even vibe-coded.<\/p>\n<p>\u201cHalcyon assesses with moderate confidence that the developers may have used AI-assisted tooling, which could have contributed to this implementation error,\u201d the researchers said in the alert.<\/p>\n<p>Check Point Research\u2019s <a href=\"https:\/\/research.checkpoint.com\/2026\/sicarii-ransomware-truth-vs-myth\/\">analysis<\/a> earlier this month also highlighted a set of unusual and internally inconsistent characteristics. 
According to the analysis, Sicarii incorporates Israeli and Jewish activity symbolism in its branding and messaging, yet much of its underground activity appears in Russian. Also, the Hebrew language used in the malware and communications contains errors indicative of non-native or automated translation.<\/p>\n<p>Beyond encryption, Check Point observed Sicarii performing credential harvesting, network reconnaissance, vulnerability scanning, and data exfiltration, indicating the operation includes tooling atypical of financially motivated ransomware. \u201cSicarii significantly raises the risk profile of ransomware incidents, shifting the impact from financial extortion to potential permanent data loss and prolonged business disruption,\u201d Grover added. \u201cIn regulated industries, this can further escalate compliance, legal, and operational consequences.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A newly observed Sicarii ransomware strain contains a critical encryption key handling defect that can leave encrypted data unrecoverable, even if a victim pays the ransom or uses a provided decryptor. 
Analysts at the Halcyon Ransomware Research Center found that Sicarii generates fresh RSA key pairs for each execution and then discards the private key, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6736,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6735","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6735"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6735"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6735\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6736"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}