Saved February 14, 2026
Do you care about this?
Researchers found that the Sicarii ransomware has a flaw in its decryption process that leaves victims' data unrecoverable even if they pay the ransom. The malware generates a new RSA key pair for each encryption run and discards the private key, so no decryption path remains, not even for the operators. Organizations weighing a ransom payment should treat this as a reason for caution.
If you do, here's more
Halcyon's Ransomware Research Center has identified a significant flaw in the Sicarii ransomware's decryption process that makes recovery impossible even after payment. The malware generates a fresh RSA key pair for each encryption instance but discards the private key, so the file keys it wraps can never be unwrapped. Victims who pay are therefore unlikely to recover their data. Paying is discouraged in any case; here it is also pointless, because even victims who comply are left with permanently locked files.
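The key-management failure described above is easiest to see in a small model of the hybrid (RSA-wrapped) file encryption that such tools use. The following is an added illustration, not Sicarii's code or Halcyon's analysis: a per-file symmetric key is wrapped with an RSA public key, and recovery depends entirely on who holds the matching private key. It uses textbook RSA with a stdlib-only Miller-Rabin primality test and a SHA-256 keystream so that it runs offline; none of that is secure cryptography, and the sample document, key sizes and function names are constructed for the example. One path models an operator-held key pair whose public half ships with the tool; the other models the flaw the article describes, where a fresh pair is generated per run and the private half simply goes out of scope.

```python
"""Toy model of RSA-wrapped file encryption and of the 'private key never
kept' failure mode.  Constructed example; textbook RSA and a SHA-256 XOR
keystream are for illustration only and are not secure."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with trial division by small primes first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(cand):
            return cand


@dataclass
class PublicKey:
    n: int
    e: int


@dataclass
class PrivateKey:
    n: int
    d: int


def rsa_keygen(bits: int = 512) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key pair (small modulus, no padding: demo only)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return PublicKey(p * q, e), PrivateKey(p * q, pow(e, -1, phi))


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


@dataclass
class EncryptedFile:
    ciphertext: bytes
    wrapped_key: int        # 128-bit file key, RSA-encrypted to wrapping_pub
    wrapping_pub: PublicKey  # the only key material stored beside the data


def encrypt_file(plaintext: bytes, wrapping_pub: PublicKey) -> EncryptedFile:
    file_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(file_key, "big"), wrapping_pub.e, wrapping_pub.n)
    return EncryptedFile(_keystream_xor(file_key, plaintext), wrapped, wrapping_pub)


def decrypt_file(enc: EncryptedFile, priv: Optional[PrivateKey]) -> Optional[bytes]:
    """Unwrap the file key and decrypt; None when no matching private key exists."""
    if priv is None or priv.n != enc.wrapping_pub.n:
        return None
    file_key = pow(enc.wrapped_key, priv.d, priv.n).to_bytes(16, "big")
    return _keystream_xor(file_key, enc.ciphertext)


def operator_key_design(plaintext: bytes) -> Tuple[EncryptedFile, PrivateKey]:
    """Key pair generated once and held by the operator; public half ships."""
    pub, priv = rsa_keygen()
    return encrypt_file(plaintext, pub), priv


def per_run_key_design(plaintext: bytes) -> Tuple[EncryptedFile, None]:
    """Fresh pair per run, private half dropped: the flaw the article describes."""
    pub, _priv = rsa_keygen()  # _priv is never stored or transmitted
    return encrypt_file(plaintext, pub), None


SAMPLE = b"constructed sample document: quarterly figures, do not distribute"  # constructed

if __name__ == "__main__":
    enc, priv = operator_key_design(SAMPLE)
    print("operator-held key, recovered:", decrypt_file(enc, priv) == SAMPLE)
    enc, priv = per_run_key_design(SAMPLE)
    print("per-run key, recovered:", decrypt_file(enc, priv))  # None: nothing to unwrap with
```

The stored artifact in both paths is identical in shape (ciphertext, wrapped key, public modulus), which is why the defect is invisible to the victim until a decryptor is attempted: the only difference is whether a private key corresponding to `wrapping_pub.n` exists anywhere.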
Sicarii, which recently emerged as a ransomware-as-a-service offering, claims an Israeli/Jewish identity and uses Hebrew symbols and language in its branding. Researchers report, however, that its online operations are conducted primarily in Russian, casting doubt on that stated identity. The group has reportedly targeted small businesses and claims to have compromised three to six victims, all of whom allegedly paid. The reliability of those claims is questionable, since Sicarii shows signs of inexperience, such as asking for "ransomware APKs" in public chats.
Experts suggest that the subpar coding and flawed key management point to AI-assisted tooling in the malware's development, which may have contributed to the decryption failure. Halcyon's Cynthia Kaiser notes that such failures are rare but not unheard of. Tammy Harper from Flare adds that this kind of issue is more common among newer, less experienced groups. Organizations hit by Sicarii are urged to exercise extreme caution before considering any ransom payment, since payment cannot restore access here. They should instead focus on restoring operations through other recovery routes, including maintained backups and experienced incident-response services.