New 'Sicarii Ransomware' RaaS Emerges, Targeting U.S. Manufacturing

Executive Summary

Cybersecurity researchers at CYFIRMA have identified a new ransomware-as-a-service (RaaS) operation named Sicarii Ransomware. The group, which has been active since at least late 2025, was discovered during monitoring of underground forums. The Sicarii operation is currently focused on targeting organizations in the manufacturing sector within the United States. The malware payload encrypts files using AES-GCM and appends the .sicarii extension. Notably, the malware also includes capabilities to collect system information and credentials, indicating a likely double-extortion model where data is both encrypted and exfiltrated for leverage. The emergence of a new RaaS group highlights the persistent and evolving nature of the ransomware threat.

Threat Overview

Sicarii Ransomware operates on a RaaS model, where the core developers provide the malware and infrastructure to affiliates, who then carry out the attacks in exchange for a share of the ransom payments. This model allows for rapid scaling of attack volume.

Threat Actor: The group calls itself Sicarii, a name with historical connotations of assassins.
Targeting: Current intelligence indicates a specific focus on the U.S. manufacturing industry. This sector is often targeted due to its low tolerance for downtime and the potential for significant disruption.
Malware: The ransomware binary is designed for Windows systems. It encrypts files and appends the .sicarii extension. It also has information-stealing capabilities.

Initial access vectors are not specified but are likely to include common methods such as phishing, exploitation of vulnerable public-facing services (like RDP or VPNs), or purchase of access from initial access brokers.

Technical Analysis

The Sicarii malware performs several actions upon execution:

Credential and Information Gathering: Before encryption, the malware collects system information (e.g., OS version, hostname, user details) and searches for stored credentials. This data is likely exfiltrated to the attackers. This aligns with T1005 - Data from Local System and T1552 - Unsecured Credentials.
Defense Evasion: Like most modern ransomware, it will likely attempt to stop security-related services and processes and delete Volume Shadow Copies to prevent easy recovery. This is a form of T1489 - Service Stop and T1490 - Inhibit System Recovery.
Encryption: The core function is file encryption using the AES-GCM symmetric encryption algorithm. GCM (Galois/Counter Mode) provides both confidentiality and authenticity, making it a strong choice. This is the final impact, T1486 - Data Encrypted for Impact.
Ransom Note: After encryption, a ransom note is dropped on the system, providing instructions on how to contact the attackers and pay the ransom.

The inclusion of data gathering capabilities strongly suggests a double-extortion strategy. The attackers will threaten to leak the stolen data on a dedicated leak site if the ransom is not paid.

Impact Assessment

A successful attack by Sicarii Ransomware can have a devastating impact on a manufacturing organization.

Operational Halt: Encryption of critical systems, such as those controlling production lines, enterprise resource planning (ERP), or logistics, can bring all manufacturing operations to a complete standstill.
Financial Loss: The financial impact includes the cost of the ransom (if paid), revenue lost during downtime, and the significant expense of incident response and system restoration.
Data Breach: The exfiltration of data constitutes a data breach. If this data includes intellectual property (e.g., product designs, chemical formulas) or employee PII, the long-term damage can be severe.
Supply Chain Disruption: A halt in production at one manufacturing company can have a cascading effect on its customers and suppliers, causing broader supply chain disruption.

Cyber Observables for Detection

Defenders should hunt for indicators associated with ransomware activity.

Type

file_name

Value

*.*.sicarii

Description

The file extension appended to encrypted files. The presence of files with this pattern is a definitive indicator of compromise.

Type

command_line_pattern

Value

vssadmin.exe delete shadows /all /quiet

Description

A common command used by ransomware to delete backups. This is a high-confidence indicator.

Type

process_name

Value

(Ransomware binary)

Description

Monitor for the execution of new, unsigned executables in user profiles or temporary directories.

Type

network_traffic_pattern

Value

Large outbound data transfer

Description

A spike in outbound data transfer prior to encryption activity can indicate data exfiltration for double extortion.

Detection & Response

Behavioral Detection: Use an EDR solution with anti-ransomware capabilities. These tools are designed to detect and block the characteristic behaviors of ransomware, such as mass file encryption, regardless of the specific malware family.
File Canaries: Place decoy files (canaries) on file shares and critical servers. Configure alerts to trigger immediately if these files are modified or encrypted, providing an early warning of an attack.
Data Exfiltration Monitoring: Monitor network egress points for unusually large data uploads to cloud storage providers or other unexpected destinations.
D3FEND Techniques: The most effective detection is through File Content Rules (D3-FCR) and Process Analysis (D3-PA) in an EDR. These can identify the rapid file modification behavior and terminate the malicious process.

Response: Upon detection of ransomware activity, immediately isolate the affected hosts from the network to prevent its spread. Activate the incident response plan and engage with third-party experts if necessary. Do not power off the machine until a decision is made about forensic evidence collection.

Mitigation

Standard ransomware defenses are effective against new groups like Sicarii.

Offline/Immutable Backups: This is the most critical defense. Maintain a robust backup strategy with offline, air-gapped, or immutable copies of critical data. Regularly test the restoration process.
Network Segmentation: Segment the network to separate critical manufacturing (OT) environments from the corporate (IT) network. This can prevent a ransomware attack on the IT side from crippling production.
Secure Remote Access: Harden all remote access points. Enforce multi-factor authentication (MFA) on all VPN and RDP connections. Do not expose RDP directly to the internet.
Patch Management: Promptly patch vulnerabilities in public-facing systems and software, as these are common entry points for ransomware affiliates.
User Training: Train users to recognize and report phishing emails, which are a primary initial access vector.

To gain early warning of a ransomware attack in progress, organizations should deploy decoy objects, also known as honeyfiles or canaries. These are files placed on network shares and servers that have no legitimate business use. For a manufacturing company, these could be files named 'production_schedule_Q3.xlsx' or 'machine_calibration_data.csv'. File integrity monitoring (FIM) or EDR solutions should be configured to generate a critical, high-priority alert the instant one of these decoy files is accessed, modified, or encrypted. Since no legitimate user or process should ever touch these files, any interaction is a high-fidelity indicator of malicious activity, likely a ransomware payload beginning its encryption routine. This can provide the security team with the crucial minutes needed to isolate the affected host and prevent the attack from spreading across the entire network.

New 'Sicarii Ransomware' Ransomware-as-a-Service (RaaS) Operation Identified