Sicarii Ransomware: Truth vs Myth
Key findings
Introduction
In December 2025, a previously unknown Ransomware-as-a-Service (RaaS) operation calling itself Sicarii began advertising its services across multiple underground platforms. The group’s name references the Sicarii, a 1st-century Jewish assassins group that opposed Roman rule in Judea. From its initial appearance, the Sicarii ransomware group distinguished itself through unusually explicit and persistent use of Israeli […]
The post Sicarii Ransomware: Truth vs Myth appeared first on Check Point Research.
AI Analysis
Technical Summary
The Sicarii ransomware group emerged in December 2025 as a Ransomware-as-a-Service (RaaS) operation, advertising its capabilities across multiple underground forums. The group’s name references the historical Sicarii assassins, and it is distinguished by its explicit use of Israeli symbolism and messaging. As a RaaS, Sicarii provides ransomware tools and infrastructure to affiliates who carry out attacks, enabling scalable and distributed ransomware campaigns. Despite its recent appearance, there are no confirmed active exploits or specific vulnerabilities identified in the wild. The technical details remain limited, with no affected software versions or patch information disclosed. Sicarii ransomware likely employs common ransomware tactics such as initial access via phishing or exploitation of exposed services, followed by lateral movement, data encryption, and ransom demands. The medium severity rating reflects the current lack of active exploitation but acknowledges the potential impact ransomware can have on confidentiality, integrity, and availability of data. The group’s persistent underground presence suggests ongoing development and possible future campaigns. Organizations should be aware of this emerging threat and prepare accordingly.
Potential Impact
For European organizations, the Sicarii ransomware poses a risk of data encryption leading to loss of access to critical information, operational downtime, and potential financial losses due to ransom payments or recovery costs. Sectors such as finance, healthcare, manufacturing, and critical infrastructure could be particularly impacted due to their reliance on continuous data availability and operational integrity. The RaaS model increases the likelihood of widespread attacks as affiliates with varying skill levels can deploy the ransomware, potentially increasing attack volume and diversity. The threat could also lead to reputational damage and regulatory consequences under GDPR if personal data is compromised or unavailable. Although no active exploits are currently known, the presence of Sicarii in underground forums indicates a potential for future attacks, necessitating proactive defense measures. The impact is amplified in countries with high digitalization and critical infrastructure exposure.
Mitigation Recommendations
European organizations should implement targeted ransomware defenses beyond generic advice. These include:
1) Enhancing email security to detect and block phishing attempts, a common ransomware entry vector.
2) Conducting regular backups with offline and immutable storage to ensure recovery without paying ransom.
3) Applying network segmentation to limit lateral movement if an infection occurs.
4) Deploying endpoint detection and response (EDR) solutions capable of identifying ransomware behaviors such as rapid file encryption.
5) Implementing strict access controls and multi-factor authentication to reduce unauthorized access risks.
6) Conducting regular employee training focused on ransomware awareness and incident response.
7) Monitoring underground forums and threat intelligence feeds for updates on Sicarii tactics and indicators of compromise.
8) Developing and testing incident response plans specifically addressing ransomware scenarios.
These measures should be integrated into a comprehensive cybersecurity strategy tailored to the organization's risk profile and critical assets.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Article Source: https://research.checkpoint.com/2026/sicarii-ransomware-truth-vs-myth/ (fetched 2026-01-14T14:34:14.564Z, 2852 words)
Threat ID: 6967a966d0ff220b9507e8c8
Added to database: 1/14/2026, 2:34:14 PM
Last enriched: 1/14/2026, 2:34:32 PM
Last updated: 1/14/2026, 5:13:41 PM