
Sicarii Ransomware Decryption Fails Due to Key Generation Flaw

1 unique source, 1 article

Summary


The Sicarii ransomware, a new ransomware-as-a-service (RaaS) offering, has a critical flaw in its decryption process. The malware regenerates a new RSA key pair during execution, discards the private key, and leaves victims without a viable decryption path. This means that even if victims pay the ransom, their data remains encrypted. Researchers suggest that the flaw may be due to the use of AI-assisted tooling by inexperienced developers. The ransomware also exhibits unusual behavior, including the use of Hebrew language and symbols that appear to be machine-translated, raising questions about the authenticity of the group's claimed identity.

Timeline

  1. 28.01.2026 00:15 · 1 article

    Sicarii Ransomware Decryption Fails Due to Key Generation Flaw

    On January 23, 2026, researchers at Halcyon's Ransomware Research Center observed a technical flaw in the Sicarii ransomware where the decryption process fails due to the regeneration and discarding of RSA key pairs during execution. This flaw makes decryption impossible, even if victims pay the ransom. The ransomware also exhibits unusual behavior, including the use of Hebrew language and symbols that appear to be machine-translated, raising questions about the authenticity of the group's claimed identity.


Information Snippets

  • Sicarii ransomware regenerates a new RSA key pair during execution and discards the private key, making decryption impossible.

    First reported: 28.01.2026 00:15
    1 source, 1 article
  • The ransomware's decryption process is flawed, and paying the ransom does not guarantee data recovery.

    First reported: 28.01.2026 00:15
    1 source, 1 article
  • Sicarii operators advertise the ransomware on underground cybercrime forums and claim to have compromised between three and six victims, all of whom have paid the ransom.

    First reported: 28.01.2026 00:15
    1 source, 1 article
  • The ransomware's code is poorly written, suggesting the use of AI-assisted tooling by inexperienced developers.

    First reported: 28.01.2026 00:15
    1 source, 1 article
  • Sicarii exhibits unusual behavior, including the use of Hebrew language and symbols that appear to be machine-translated, raising questions about the authenticity of the group's claimed identity.

    First reported: 28.01.2026 00:15
    1 source, 1 article