A newly observed Sicarii ransomware strain contains a critical encryption key handling defect that can leave encrypted data unrecoverable, even if a victim pays the ransom or uses a provided decryptor.
Analysts at the Halcyon Ransomware Research Center found that Sicarii generates fresh RSA key pairs for each execution and then discards the private key, leaving no recoverable key material for the encrypted systems.
Organizations affected by this variant cannot rely on ransom negotiation or third-party decryptors to restore files unless there is evidence that the underlying flaw has been fixed in the specific sample that infected them. “The issue appears to stem from poor encryption key management rather than deliberate design,” said Sakshi Grover, senior research manager, cybersecurity at IDC. “This reflects a broader trend in the ransomware ecosystem, where low barriers to entry and rapid monetization take precedence over technical robustness.”
Sicarii was first disclosed in December 2025 and has only a small track record of claimed victims, but its unusual technical attributes have led researchers to suggest it could have been vibe coded.
Encryption defect breaks standard RaaS model
Ransomware typically encrypts files using a public-key scheme in which the attacker retains the private key or can regenerate it later, so a decryptor can work if the ransom is paid. Sicarii deviates from this model. In samples Halcyon observed, it generates a new RSA key pair entirely on the victim system during each execution and immediately discards the private key once encryption completes.
Victims are left with no viable path to recover encrypted data, even if they cooperate with the attackers or use a published decryptor tool. According to a Halcyon alert, enterprises should assume that recovery through ransom-related decryptors will fail unless there is independent verification that the defect was eliminated in the strain that infected them.
“Sicarii ransomware represents a nightmare scenario where traditional ransomware response strategies fail entirely,” said Agnidipta Sarkar, chief evangelist at ColorTokens. “As no decryptor can reconstruct the discarded private keys, enterprises will stare at ‘assume total data destruction,’ amplifying financial, operational, and reputational damage.”
The absence of a decryptor-based recovery path forces organizations to plan for complete recovery through backups and alternate operational restoration methods, which changes the cost-benefit analysis of an incident. It also heightens the importance of pre-existing, secure backup infrastructure and rapid isolation. Halcyon urged organizations to focus on immediate containment and restoration rather than ransom-based recovery: affected systems should be isolated, the scope of infection identified, and operations restored only from known-good, offline, or immutable backups.
“Enterprises must invest in proactive zero trust micro-segmentation that is designed to be adopted in hours, leveraging existing EDR, agents, agentless mechanisms to contain threats at the initial access point, preventing encryption from spreading,” Sarkar added.
Unusual technical profile hints at vibe-coding
One possible explanation for Sicarii’s broken encryption flow is immature or poorly implemented development practices. The ransomware’s failure to retain usable keys is inconsistent with established ransomware design and suggests it may have been assembled without rigorous testing or a clear understanding of operational consequences, or even vibe-coded.
“Halcyon assesses with moderate confidence that the developers may have used AI-assisted tooling, which could have contributed to this implementation error,” the researchers said in the alert.
An analysis by Check Point Research earlier this month also highlighted a set of unusual and internally inconsistent characteristics. According to the analysis, Sicarii incorporates Israeli and Jewish symbolism in its branding and messaging, yet much of its underground activity appears in Russian. The Hebrew used in the malware and its communications also contains errors indicative of non-native or automated translation.
Beyond encryption, Check Point observed Sicarii performing credential harvesting, network reconnaissance, vulnerability scanning, and data exfiltration, indicating the operation includes tooling atypical of financially motivated ransomware. “Sicarii significantly raises the risk profile of ransomware incidents, shifting the impact from financial extortion to potential permanent data loss and prolonged business disruption,” Grover added. “In regulated industries, this can further escalate compliance, legal, and operational consequences.”