Sicarii Ransomware: Truth vs Myth

Jan. 15, 2026, 12:31 p.m.

Description

A new RaaS operation called Sicarii emerged in late 2025, claiming Israeli/Jewish affiliation. The group uses the Hebrew language, historical symbols, and right-wing ideological references in its branding. However, its underground activity is conducted primarily in Russian, and the Hebrew content appears non-native. The ransomware's technical capabilities include data exfiltration, credential collection, and file encryption. It performs geo-fencing to avoid Israeli systems. The group's behavior and messaging diverge from typical ransomware practices, raising questions about its true identity and motives. Linguistic analysis and operational patterns suggest the claimed Israeli identity may be performative rather than genuine.

Date

  • Created: Jan. 15, 2026, 11:45 a.m.
  • Published: Jan. 15, 2026, 11:45 a.m.
  • Modified: Jan. 15, 2026, 12:31 p.m.

Indicators

Attack Patterns

  • Sicarii Ransomware
  • Sicarii

Additional Information

  • Manufacturing

Linked vulnerabilities