New Ransomware Group Sicarii Emerges with Ideological Motives
Sicarii, a recently identified Ransomware-as-a-Service (RaaS) operation, stands out in the cybercrime landscape for the ideological narrative it attaches to its attacks. The group, discovered by Check Point Research, combines conventional ransomware tactics with explicit Jewish and Israeli branding and claims an ideological basis for its operations.
Sicarii surfaced in late 2025 and has publicly disclosed only one victim to date. Its branding draws on Israeli and Jewish narratives, using Hebrew text and historical symbols, which is unusual for ransomware groups, whose focus is normally financial gain alone. Communication within Sicarii, however, occurs primarily in Russian, which raises questions about the authenticity of its claimed identity. Language analysis also points to non-native Hebrew usage, suggesting that the group uses these symbols performatively rather than out of genuine alignment with them.
The ransomware employs a sophisticated methodology, including geo-fencing to avoid execution on Israeli systems, which undermines its plausible deniability. Its technical functions involve extensive data exfiltration, credential collection, and exploitation attempts against specific vulnerabilities, such as CVE-2025-64446 related to Fortinet devices. The ransomware encrypts files using AES-GCM and appends the “.sicarii” extension while also implementing destructive scripts aimed at hindering system recovery.
Sicarii’s ideological framing is a problem for defenders because it complicates attribution and may amount to a false-flag operation. This dual purpose, profit-driven extortion intertwined with ideological messaging, may draw additional scrutiny to victims and make organizations more exposed to targeted attacks.
Effective threat intelligence, combined with robust SIEM coverage and proactive monitoring, can reduce the risk from this evolving threat. Awareness of and preparation for emerging tactics, including ideologically motivated ransomware, will be crucial for organizations.
Indicators of Compromise (IOCs):
Notable IOCs associated with Sicarii include malware hashes such as 4104542714022cb6ef34e9ee5affca07b9a38dbee49748f8630c5f50a26db8b2 and cce3821939b7cb77b9da3d59bbcb5978818d4937dd330d820102b012ffcebe4d, among others.
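A host-side hunt for the two indicators the article actually names, the ".sicarii" extension appended to encrypted files and the two published hashes, as an added example rather than tooling from Check Point Research or the article itself. It hashes every file in a directory tree against the published list, records files carrying the ransomware extension, and flags mass encryption once a given share of files has been renamed. The directory it scans is constructed inline so the script runs offline; the file names, the 0.25 ratio threshold, and the treatment of the published hashes as SHA-256 (they are 64 hex characters) are assumptions.

```python
"""Host-side hunt for the Sicarii indicators named in the article:
the two published file hashes and the ".sicarii" extension on encrypted
files. Added example, not Check Point's tooling; the sample directory it
scans is constructed here so the script runs offline."""
import hashlib
import os
import tempfile
from pathlib import Path

# The two hashes quoted in the article (64 hex characters, i.e. SHA-256 length).
# Extend this set from the full published IOC list before real use.
SICARII_HASHES = {
    "4104542714022cb6ef34e9ee5affca07b9a38dbee49748f8630c5f50a26db8b2",
    "cce3821939b7cb77b9da3d59bbcb5978818d4937dd330d820102b012ffcebe4d",
}
ENCRYPTED_EXT = ".sicarii"    # extension the ransomware appends (from the article)
MASS_ENCRYPTION_RATIO = 0.25  # assumed heuristic: this share of renamed files => active encryption


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files never sit in memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_hash(hexdigest: str) -> bool:
    """True when a SHA-256 hex digest matches a published Sicarii sample."""
    return hexdigest.lower() in SICARII_HASHES


def scan_tree(root: Path, ratio_threshold: float = MASS_ENCRYPTION_RATIO) -> dict:
    """Walk a directory and report hash hits, renamed files, and whether the
    share of '.sicarii' files crosses the mass-encryption threshold."""
    total, encrypted, hash_hits = 0, [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            total += 1
            if path.suffix.lower() == ENCRYPTED_EXT:
                encrypted.append(str(path.relative_to(root)))
            if is_known_hash(sha256_of(path)):
                hash_hits.append(str(path.relative_to(root)))
    ratio = len(encrypted) / total if total else 0.0
    return {
        "total_files": total,
        "encrypted_files": sorted(encrypted),
        "hash_hits": sorted(hash_hits),
        "encrypted_ratio": ratio,
        "mass_encryption": ratio >= ratio_threshold,
    }


def build_demo_tree() -> Path:
    """Constructed sample: two intact documents and two files carrying the
    ransomware extension, the picture a partly encrypted host would show."""
    root = Path(tempfile.mkdtemp(prefix="sicarii-demo-"))
    (root / "report.docx").write_bytes(b"quarterly numbers")
    (root / "notes.txt").write_bytes(b"meeting notes")
    (root / ("report.docx" + ENCRYPTED_EXT)).write_bytes(os.urandom(64))
    finance = root / "finance"
    finance.mkdir()
    (finance / ("ledger.xlsx" + ENCRYPTED_EXT)).write_bytes(os.urandom(64))
    return root


def demo() -> dict:
    """Build the constructed tree, scan it, and return the findings."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check catches the dropped binary only when it is still on disk, which a group that runs destructive clean-up scripts may not leave behind; the extension ratio is therefore the more durable signal, and a SIEM rule on a burst of renames to the same extension per host gives the same result at the telemetry layer.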