Alert: Sicarii Ransomware Encryption Key Handling Defect

Summary:

Sicarii ransomware operations have been observed using an encryption process that can render post-payment data recovery impossible, even if a decryptor is provided. Halcyon malware analysts were the first to observe that the Sicarii binary includes a functional RSA implementation, but it is used in a way that undermines recoverability. During execution, the malware regenerates a new RSA key pair locally, uses the newly generated key material for encryption, and then discards the private key. This per-execution key generation means encryption is not tied to a recoverable master key, leaving victims without a viable decryption path and making attacker-provided decryptors ineffective for affected systems. Halcyon assesses with moderate confidence that the developers may have used AI-assisted tooling, which could have contributed to this implementation error. Organizations impacted by Sicarii ransomware should assume that ransom payment will not result in successful data restoration unless there is independent confirmation that this defect has been corrected.
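To make the unrecoverable state concrete, here is an added toy model (not Sicarii's code and not Halcyon's analysis tooling) of the two key-handling designs the summary contrasts. The fixed small primes, the SHA-256 XOR keystream, the function names and the sample file are all constructed for illustration; only the key-management logic is the point.

```python
# Toy model of the key-handling defect described above: textbook RSA with fixed
# tiny primes and a SHA-256 XOR keystream, for illustration only (not real crypto).
import hashlib
import os

def toy_rsa_keypair(p=1000003, q=1000033, e=65537):
    """Return ((n, e), (n, d)) from fixed toy primes."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def wrap_key(file_key, public):
    return pow(file_key, public[1], public[0])       # RSA "encrypt" of the file key

def unwrap_key(wrapped, private):
    return pow(wrapped, private[1], private[0])      # needs the matching private key

def xor_stream(data, file_key):
    """Symmetric stage: XOR data with a keystream derived from the file key."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(file_key.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def model_encryption_run(plaintext, master_public, defective):
    """One execution of the encryptor: a random per-file key is wrapped under an RSA
    public key, and only the holder of the matching private key can unwrap it."""
    file_key = int.from_bytes(os.urandom(4), "big") | 1   # well below either modulus
    if defective:
        # The defect: a fresh pair is generated per run and its private half is never
        # stored or sent anywhere, so nobody can unwrap this file key afterwards.
        eph_public, _discarded_private = toy_rsa_keypair(p=1000037, q=1000039)
        return xor_stream(plaintext, file_key), wrap_key(file_key, eph_public)
    # Recoverable design the summary contrasts against: wrap under the master public key.
    return xor_stream(plaintext, file_key), wrap_key(file_key, master_public)

def decryptor_recovers(ciphertext, wrapped, candidate_private, known_plaintext):
    """IR check: does a candidate key (e.g. from a supplied decryptor) restore a file
    whose original contents are known from a backup copy?"""
    return xor_stream(ciphertext, unwrap_key(wrapped, candidate_private)) == known_plaintext

MASTER_PUBLIC, MASTER_PRIVATE = toy_rsa_keypair()        # the operators' master pair
SAMPLE = b"constructed sample document contents"         # constructed test data

if __name__ == "__main__":
    for defective in (False, True):
        ct, wk = model_encryption_run(SAMPLE, MASTER_PUBLIC, defective)
        print("defective run" if defective else "master-key run", "recoverable:",
              decryptor_recovers(ct, wk, MASTER_PRIVATE, SAMPLE))
```

The master-key run is recoverable by whoever holds the master private key, while the defective run is recoverable by nobody: the only key that could unwrap the file key never left the process that generated it.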

Background:

Sicarii emerged in public reporting in December 2025 as a newly observed RaaS operation advertising on underground forums. Technical analysis has identified a critical flaw in Sicarii’s encryption key handling in which the malware generates and then discards new cryptographic key material during the encryption process, rather than using recoverable key material tied to a master key. This error permanently breaks the ability to recover encrypted data, leaving both victims and the Sicarii operators unable to decrypt impacted systems. There is currently no reliable evidence that this defect can be corrected for systems already encrypted by the affected variant.

Details:

  • Faulty Encryption Key Handling: The Sicarii encryptor generates new cryptographic key material during execution and discards it, preventing reliable decryption.
  • Permanent Data Loss Risk: The newly generated key is discarded, leaving neither the victim nor the attackers able to reconstruct the required key material to recover encrypted data.
  • Ransom Payment Ineffectiveness: Because the encryption process is not tied to recoverable key material, paying a ransom may not materially improve recovery outcomes and may result in prolonged outages and irreversible data loss.

Mitigations:

  • Payment Risk Guidance: Because Sicarii’s encryption key handling has been observed producing unrecoverable key material, victims should consider the risk that a ransom payment could result in receiving a decryptor that may not work.
  • Post-Encryption Response: If systems are encrypted and recovery via an attacker-provided decryptor is not possible, immediately shift from negotiation to restoring operations through alternate recovery pathways. Isolate affected systems to contain impact [M1030], preserve forensic evidence, and determine the scope of compromise using available logs and telemetry [M1047]. Engage experienced ransomware incident response specialists to support investigation, containment, recovery planning, and decision-making.
  • Pre-Encryption Proactive Defenses: Deploy a dedicated anti-ransomware solution that blocks execution of malicious binaries [M1038], detects and prevents ransomware runtime behavior and data exfiltration attempts [M1040], and prevents tampering and network intrusion that enable propagation and encryption [M1031].

Source Summary:

This Alert is based on Halcyon observations, open-source information, and ongoing research. Findings reflect our current understanding of threat actor activity and may be updated as new evidence emerges. Assessments may be revised as additional evidence becomes available.
