Executive Summary
In early 2024, a new ransomware variant dubbed 'Sicarii' surfaced, reportedly leveraging poorly designed, obfuscated code and incorporating Hebrew language elements that may serve as a false flag to mislead investigators about its origin. The ransomware, first detected in late 2023, compromises victim environments, encrypts files, and delivers notes demanding payment in cryptocurrency for data recovery. Although initial analysis indicates programming weaknesses, security researchers confirmed that its encryption implementation is resilient, making recovery without payment infeasible. The malware also exhibits unique lateral movement and persistence behaviors before exfiltrating data to attacker-controlled infrastructure.
This incident is reflective of a broader increase in ransomware operations deploying deceptive attribution techniques and leveraging unconventional languages or scripts. The emergence of ‘Sicarii’ underscores the persistent threat and ever-evolving tactics used by ransomware groups to evade detection and complicate response efforts for organizations worldwide.
Why This Matters Now
The Sicarii ransomware demonstrates increased sophistication in threat actor evasion tactics and signals a continuing trend of ransomware operators adopting new strategies to confuse attribution and hinder defensive efforts. Given its resilient encryption and false-flag obfuscation, organizations must prioritize strong detection, segmentation, and response measures to counter modern ransomware risks.
Attack Path Analysis
Attackers likely gained initial entry via exposed cloud services or compromised credentials. They escalated privileges by abusing weak policies or misconfigurations to gain broader access. With sufficient access, they moved laterally between cloud workloads or regions. After establishing command and control, the attackers maintained persistence and issued malicious instructions. Data was then staged and exfiltrated to attacker-controlled infrastructure, possibly via unmonitored egress. Finally, the ransomware was deployed, encrypting resources and causing business impact.
Kill Chain Progression
Initial Compromise
Description
The attackers gained an initial foothold in the victim's cloud environment, possibly via exposed management interfaces, leaked credentials, or unpatched vulnerabilities.
Related CVEs
CVE-2025-64446
CVSS 9.8 – A vulnerability in Fortinet devices allows remote attackers to execute arbitrary code via exposed RDP services.
Affected Products:
Fortinet FortiOS – < 7.0.5
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
User Execution
Command and Scripting Interpreter
Data Encrypted for Impact
Phishing
Obfuscated Files or Information
Indicator Removal on Host
Inhibit System Recovery
Remote Access Software
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Incident Response Plan
Control ID: 12.10.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Detection and Response of Compromised Assets
Control ID: Asset Management–Detection & Response
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Sicarii ransomware threatens patient data with undecryptable encryption payloads, jeopardizing HIPAA compliance and critical healthcare operations; robust egress security controls are required to limit data loss.
Financial Services
Banking systems face severe ransomware encryption risks affecting transaction processing, with PCI compliance violations and potential data exfiltration through compromised east-west traffic.
Government Administration
Government networks are vulnerable to undecryptable ransomware attacks and require zero trust segmentation and enhanced threat detection capabilities to prevent lateral movement and data loss.
Information Technology/IT
IT infrastructure providers must implement multicloud visibility controls and Kubernetes security measures to protect against Sicarii ransomware targeting cloud-native environments and hybrid connectivity.
Sources
- Vibe-Coded 'Sicarii' Ransomware Can't Be Decrypted: https://www.darkreading.com/endpoint-security/vibe-coded-sicarii-ransomware-decrypted
- Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography: https://www.technadu.com/sicarii-ransomware-a-deceptive-new-ransomware-as-a-service-threat-using-hebrew-iconography/618284/
- New Sicarii RaaS Operation Attacks Exposed RDP Services and Attempts to Exploit Fortinet Devices: https://www.cryptika.com/new-sicarii-raas-operation-attacks-exposed-rdp-services-and-attempts-to-exploit-fortinet-devices/
- Sicarii Ransomware Locks Your Data and Throws Away the Keys: https://www.csoonline.com/article/4123492/sicarii-ransomware-locks-your-data-and-throws-away-the-keys.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
This incident is highly relevant to Zero Trust and CNSF controls, as attackers exploited weak perimeter, identity, and segmentation practices to escalate privileges, move laterally, and exfiltrate data before deploying ransomware. Effective segmentation, robust identity governance, workload isolation, and egress policy enforcement could have constrained each attack stage and aided earlier detection.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Visibility and enforcement controls would have detected or blocked unauthorized access attempts to management planes and external services.
Control: Zero Trust Segmentation
Mitigation: Segmentation policies would have limited privilege inheritance and lateral escalation by restricting access between roles and workload zones.
Control: East-West Traffic Security
Mitigation: East-West policy enforcement would have detected or blocked unauthorized movement between workloads and regions.
Control: Multicloud Visibility & Control
Mitigation: Enhanced visibility and orchestration would have detected anomalous command and control behaviors across cloud boundaries.
Control: Egress Security & Policy Enforcement
Mitigation: Egress controls would automatically detect, restrict, or alert on unauthorized data transfers to unapproved destinations.
While CNSF controls may reduce the attacker's reachable attack surface or delay ransomware execution, complete prevention is not guaranteed once control of an environment is lost.
Recommended Actions: Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and least privilege for all cloud workloads to contain blast radius.
- Apply east-west traffic controls to detect and block unauthorized workload-to-workload communication.
- Implement strict egress policy enforcement and DNS/FQDN filtering to prevent data exfiltration and C2 callbacks.
- Deploy real-time anomaly detection and centralized visibility to alert on unusual access patterns and automation.
- Integrate inline IPS and encryption visibility where possible to block exploit payloads and malicious external connections.