
New Sicarii RaaS Operation Attacks Exposed RDP Services and Attempts to Exploit Fortinet Devices

Published On: January 16, 2026

The digital landscape is under perpetual siege, and the emergence of new, ideologically-driven ransomware operations adds a critical dimension to an already complex threat environment. In December 2025, a novel ransomware-as-a-service (RaaS) group named Sicarii surfaced, distinguishing itself not only through its aggressive tactics but also by its explicit use of Hebrew language, Israeli symbols, and references to historical Jewish groups in its branding. This presents a unique challenge, moving beyond purely financial motivations and injecting a layer of geopolitical or ideological messaging into the ransomware threat model. Understanding Sicarii’s methods, particularly their targeting of exposed Remote Desktop Protocol (RDP) services and attempts to exploit Fortinet devices, is paramount for bolstering organizational defenses.

The Evolution of Sicarii: Ideology Meets Extortion

Sicarii, a name invoking ancient Jewish zealots, made its debut on underground forums, immediately signaling its distinct identity. Unlike the typical ransomware cartels focused solely on monetary gain, Sicarii’s branding incorporates Hebrew, Israeli national symbols, and allusions to historical Jewish groups. While the primary goal remains extortion, this distinctive flavoring suggests a potential ideological underpinning or a strategic attempt to project a specific image. This deviation from purely financial objectives introduces an element of unpredictability often associated with hacktivist groups, despite operating within the RaaS framework.

Primary Attack Vectors: Exposed RDP and Fortinet Exploitation

Sicarii’s modus operandi, as observed by cybersecurity analysts, primarily revolves around two critical entry points:

  • Exposed RDP Services: Remote Desktop Protocol remains a perennial favorite for threat actors because it is frequently misconfigured and because weak credentials are easy to brute-force or obtain elsewhere. Sicarii leverages the widespread exposure of RDP ports to gain initial access to target networks. Once inside, its affiliates can move laterally, escalate privileges, and ultimately deploy the ransomware payload. This underscores the critical need for robust RDP security measures, including multi-factor authentication (MFA) and strict access controls.
  • Fortinet Device Exploitation: Beyond RDP, Sicarii has demonstrated an interest in compromising Fortinet devices. While the specific vulnerabilities exploited are not detailed in the initial reports, this indicates a strategic targeting of network perimeter devices. Fortinet, a leading provider of network security solutions, is a high-value target because exploiting its devices can grant attackers deep access to an organization’s network infrastructure, bypass existing defenses, and facilitate wider compromise. Organizations utilizing Fortinet products must remain hyper-vigilant about patching and monitoring for exploitation attempts, particularly for vulnerabilities such as CVE-2023-27997 affecting FortiGate SSL VPN or CVE-2022-42475 in FortiOS SSL-VPN.

The RaaS Model: Business of Cybercrime

Sicarii operates as a Ransomware-as-a-Service, a notorious business model in the cybercrime underground. This means:

  • Developers and Affiliates: The core Sicarii team likely develops and maintains the ransomware code, along with associated infrastructure (payment portals, communication channels). They then recruit “affiliates” who are responsible for gaining initial network access, deploying the ransomware, and negotiating with victims.
  • Profit Sharing: In a typical RaaS arrangement, affiliates pay a commission to the developers for each successful ransom payment. This model drastically lowers the barrier to entry for aspiring cybercriminals, as they don’t need highly sophisticated malware development skills to participate in lucrative ransomware attacks.

This structure allows Sicarii to rapidly scale its operations and impact a wider range of victims, leveraging the expertise of numerous independent actors for initial compromise.

Remediation Actions and Proactive Defenses

Defending against operations like Sicarii requires a multi-layered, proactive approach. Here are critical steps organizations should take:

  • Secure RDP Services:
    • Enable Multi-Factor Authentication (MFA) for all RDP access.
    • Restrict RDP access to a specific list of trusted IP addresses via firewall rules.
    • Use strong, unique passwords and regularly rotate them.
    • Monitor RDP logs for suspicious activity, such as multiple failed login attempts or access from unusual geographic locations. Consider placing RDP behind a VPN.
  • Patch and Update Fortinet Devices:
    • Regularly apply security patches and firmware updates to all Fortinet appliances (FortiGate, FortiAnalyzer, FortiClient, etc.). Subscribe to Fortinet’s security advisories.
    • Implement robust network segmentation to limit the blast radius if a Fortinet device is compromised.
    • Monitor Fortinet device logs for unusual activity, configuration changes, or signs of compromise.
    • Disable unused services and ports on Fortinet devices.
  • Implement a Robust Backup Strategy:
    • Maintain regular, immutable backups of all critical data.
    • Store backups offline or in an isolated environment to prevent them from being encrypted by ransomware.
    • Test backup restoration procedures periodically to ensure their effectiveness.
  • Enhance Endpoint Detection and Response (EDR):
    • Deploy EDR solutions across all endpoints to detect and respond to malicious activity, including ransomware deployment attempts.
    • Ensure EDR agents are up-to-date and properly configured.
  • Perform Regular Vulnerability Assessments and Penetration Testing:
    • Identify and remediate potential weaknesses before attackers can exploit them.
    • Focus on externally facing services and critical internal assets.
  • Employee Security Awareness Training:
    • Train employees to recognize phishing attempts and other social engineering tactics that can lead to initial compromise.
    • Emphasize the importance of strong passwords and reporting suspicious activity.
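
As an added example (not code from the article, and not a vendor tool), here is a small Python detector for the RDP log-monitoring step above. It parses a constructed export of Windows Security events (event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), flags any source that exceeds a failure threshold inside a sliding time window, and separately calls out RDP successes that come from outside a trusted-source allowlist or that follow a burst of failures from the same source. The pipe-delimited line format, the sample events, the allowlist and the threshold are all assumptions made for the example.

```python
"""Flag RDP brute-force bursts and suspicious RDP successes from exported
Windows Security events. Sample data below is constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export, one event per line: "timestamp|event_id|logon_type|user|source_ip".
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2026-01-15T02:00:01|4625|10|administrator|203.0.113.45
2026-01-15T02:00:02|4625|10|admin|203.0.113.45
2026-01-15T02:00:03|4625|10|backup|203.0.113.45
2026-01-15T02:00:04|4625|10|administrator|203.0.113.45
2026-01-15T02:00:05|4625|10|svc_sql|203.0.113.45
2026-01-15T02:00:06|4625|10|administrator|203.0.113.45
2026-01-15T02:00:40|4624|10|administrator|203.0.113.45
2026-01-15T09:12:10|4625|10|jsmith|10.0.5.22
2026-01-15T09:12:25|4624|10|jsmith|10.0.5.22
2026-01-15T11:30:00|4624|3|fileserver$|10.0.5.9
"""

TRUSTED_SOURCES = {"10.0.5.22", "10.0.5.9"}  # assumed allowlist, e.g. the VPN address pool
FAIL_THRESHOLD = 5                            # assumed: failures per window that trigger an alert
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Turn the pipe-delimited export into a list of dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "type": int(logon_type), "user": user, "src": src})
    return events


def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: peak_failure_count} for sources with >= threshold
    RDP (LogonType 10) failures inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["type"] == 10:
            failures[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def find_untrusted_rdp_success(events, trusted=TRUSTED_SOURCES):
    """Successful RDP logons from outside the allowlist: top-priority triage items
    when RDP is supposed to be reachable only through the VPN."""
    return [(e["ts"].isoformat(), e["user"], e["src"])
            for e in events
            if e["id"] == 4624 and e["type"] == 10 and e["src"] not in trusted]


def find_success_after_failures(events, alerts):
    """An RDP success from a source that was already brute-forcing usually means
    the credential was guessed; these should be treated as probable compromise."""
    return [(e["user"], e["src"]) for e in events
            if e["id"] == 4624 and e["type"] == 10 and e["src"] in alerts]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    bf = find_rdp_bruteforce(evs)
    print("brute-force sources:", bf)
    print("RDP success from untrusted source:", find_untrusted_rdp_success(evs))
    print("RDP success after brute force:", find_success_after_failures(evs, bf))
```

On the constructed sample the burst from 203.0.113.45 trips the threshold, and the later successful logon from the same address is reported twice: once as an untrusted source and once as a success following a brute-force burst, which is the case that should page someone. The jsmith failure from the trusted VPN pool and the network (LogonType 3) logon from the file server are ignored, which is what keeps a rule like this from drowning in ordinary noise.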

Essential Tools for Detection and Mitigation

Leveraging the right tools can significantly enhance an organization’s defense posture against threats like Sicarii.

| Tool Name | Purpose | Link |
|---|---|---|
| Nmap | Network scanning and port discovery, identifying exposed RDP services. | https://nmap.org/ |
| Nessus | Vulnerability scanning for identifying known vulnerabilities in Fortinet devices and other network assets. | https://www.tenable.com/products/nessus |
| Trellix EDR (formerly FireEye) | Endpoint detection and response for real-time threat monitoring and incident response. | https://www.trellix.com/en-us/assets/edr.html |
| FortiAnalyzer | Centralized logging and reporting for Fortinet security devices, critical for monitoring for anomalies. | https://www.fortinet.com/products/management/fortianalyzer |
| Backup Tools (e.g., Veeam, Rubrik) | Ensuring secure, immutable backups for rapid recovery after a ransomware attack. | https://www.veeam.com/, https://www.rubrik.com/ |

Insights Moving Forward

The emergence of Sicarii highlights a concerning trend where cybercrime begins to entwine with potential ideological messaging, even within the financially motivated RaaS model. Organizations must move beyond generic security postures and adopt strategies specifically designed to counter groups that target critical infrastructure and widely used services like RDP and network appliances. Continuous vigilance, adherence to best practices, and proactive threat intelligence are not merely recommendations; they are essential for survival in this evolving threat landscape.
