Sicarii ransomware per-execution RSA key generation breaks decryption
Malware Activity
Summary
Sicarii ransomware stands out for a key-management defect that makes its decryption process unusable: the payload generates a new RSA key pair on each execution, encrypts with that freshly generated key material, and discards the private key, so the attacker-supplied decryptor cannot recover the encrypted data. The flaw matters because paying the ransom does not restore files on affected systems. Researchers also said Sicarii surfaced last month as a ransomware-as-a-service offering and assessed that AI-assisted tooling may have contributed to the implementation error.
Related Happenings
Grafana Labs Says GitHub hit by cyberattack
Incident
First: 17.05.2026 10:13
Last: 17.05.2026 10:13
Sources 1
About this happening:
A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...
Instructure hit by cyberattack
Incident
First: 04.05.2026 01:16
Last: 04.05.2026 01:16
Sources 1
About this happening:
**Instructure** disclosed a **cybersecurity incident** that exposed user information and prompted an investigation with outside experts and law enforcement. The event matters beca...
Latest development: 14.05.2026 23:19
The House Committee on Homeland Security and the US Senate Committee on Health, Education, Labor, and Pensions sought briefings from Instructure over the Canvas compromise, pressing the edtech vendor on whether it paid a ransom, what data was affected, how it handled the recent attacks, and whether the incident was linked to a prior Salesforce compromise.
Vect 2.0 ransomware wiper-flaw activity
Malware Activity
First: 29.04.2026 18:23
Last: 29.04.2026 18:23
Sources 1
About this happening:
The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
Timeline
- 28.01.2026 00:15 · 1 article
Sicarii operator claims three to six victims and small-business targeting
Campaign Scope Update: An operator posing as Sicarii's communications lead claimed the ransomware group had compromised between three and six victims, said all of them had paid the ransom, and said the group primarily targets small businesses.
- Vibe-Coded 'Sicarii' Ransomware Can't Be Decrypted — www.darkreading.com — 28.01.2026 00:15
- 28.01.2026 00:15 · 2 articles
Halcyon identifies broken Sicarii decryption on Jan. 23
Technical Analysis Update: Halcyon's Ransomware Research Center reported that Sicarii generates a new RSA key pair locally on each execution, encrypts with that newly generated key material, and then discards the private key. Because the key that could reverse the encryption never leaves the victim machine and is not retained there either, the attacker-provided decryptor is ineffective and victims have no viable decryption path. Halcyon also assessed with moderate confidence that AI-assisted tooling may have contributed to the implementation error.
- Vibe-Coded 'Sicarii' Ransomware Can't Be Decrypted — www.darkreading.com — 28.01.2026 00:15
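To make the reported defect concrete, here is an added illustration written for this page; it is not Sicarii's code and not Halcyon's analysis tooling. It contrasts the intended hybrid design of a ransomware payload (a long-lived operator public key is embedded in the payload and wraps each victim's file key, so the operator's private key in the decryptor can unwrap it) with the behaviour Halcyon describes (a fresh RSA key pair generated at run time, the file key wrapped with that pair, the private half dropped). Textbook RSA with a 256-bit modulus, an 8-byte check tag and a SHA-256 counter keystream stand in for the real primitives so the example runs on the Python standard library alone; real implementations use RSA-OAEP and an AEAD cipher. All function names and the sample document are assumptions for the demonstration.

```python
# Added illustration, not Sicarii's or Halcyon's code: textbook RSA with a
# 256-bit modulus and a SHA-256 counter keystream stand in for the real
# primitives so this runs with the Python standard library only.
import hashlib
import math
import secrets

E = 65537


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random prime with the top bit set, so p*q has exactly 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits: int = 256):
    """Return ((n, e), (n, d)). A 256-bit modulus is for demonstration only."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); XOR, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_file_key(pub, file_key: bytes) -> int:
    """RSA-wrap a 16-byte file key together with an 8-byte check tag."""
    n, e = pub
    tag = hashlib.sha256(file_key).digest()[:8]
    return pow(int.from_bytes(file_key + tag, "big"), e, n)


def unwrap_file_key(priv, wrapped: int):
    """Return the file key, or None when the private key does not match the wrap."""
    n, d = priv
    m = pow(wrapped, d, n).to_bytes(32, "big")
    file_key, tag = m[8:24], m[24:]
    if m[:8] != bytes(8) or hashlib.sha256(file_key).digest()[:8] != tag:
        return None
    return file_key


def encrypt_intended(plaintext: bytes, operator_pub):
    """Intended hybrid design: the per-victim file key is wrapped with the
    operator's long-lived public key that ships inside the payload."""
    file_key = secrets.token_bytes(16)
    return wrap_file_key(operator_pub, file_key), keystream_xor(file_key, plaintext)


def encrypt_broken(plaintext: bytes):
    """Defect described by Halcyon, modelled: a fresh key pair is generated at
    run time, the file key is wrapped with it, and the private half is dropped.
    The operator's key never enters the picture."""
    fresh_pub, fresh_priv = gen_keypair()
    del fresh_priv  # discarded: nothing that survives can unwrap the file key
    file_key = secrets.token_bytes(16)
    return wrap_file_key(fresh_pub, file_key), keystream_xor(file_key, plaintext)


def operator_decryptor(wrapped: int, ciphertext: bytes, operator_priv):
    """What an attacker-supplied decryptor does: unwrap with the operator's
    private key, then decrypt. Returns None when the unwrap fails."""
    file_key = unwrap_file_key(operator_priv, wrapped)
    return None if file_key is None else keystream_xor(file_key, ciphertext)


if __name__ == "__main__":
    op_pub, op_priv = gen_keypair()
    doc = b"quarterly ledger (constructed sample document)"
    assert operator_decryptor(*encrypt_intended(doc, op_pub), op_priv) == doc
    assert operator_decryptor(*encrypt_broken(doc), op_priv) is None
    print("intended design decrypts; per-run key pair does not")
```

The check tag is what turns "garbage out" into a detectable failure: without it, unwrapping with the wrong private key silently yields a random file key and a decryptor would happily produce noise, which is exactly why a victim running an attacker-provided tool can see it "complete" without recovering anything. In the broken path the only key that could reverse the wrap existed in process memory for the lifetime of `fresh_priv`, so recovery would require either a memory capture taken before it was discarded or factoring the fresh modulus, neither of which a ransom payment provides.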
- 28.01.2026 00:15 · 1 article
Halcyon advises Sicarii victims not to rely on ransom payment
Mitigation Patch Update: Halcyon advises organizations impacted by Sicarii to assume ransom payment will not restore encrypted data unless the defect is independently confirmed fixed, and to shift to alternate recovery pathways such as backups, isolation of affected systems, preservation of forensic evidence, and scope determination.
- Vibe-Coded 'Sicarii' Ransomware Can't Be Decrypted — www.darkreading.com — 28.01.2026 00:15