AI-Led Reconnaissance & Ransomware (Generic Auto Sector)
BLUF
Threat actors are using AI-driven autonomous agents to map automotive supply chain vulnerabilities at lightning speed, leading to increased ransomware incidents (e.g., Scarii) that cripple Just-In-Time (JIT) manufacturing.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by AI-led reconnaissance and destructive ransomware targeting automotive manufacturing and supply chain operations:
· Low-end total cost: $3.5M – $7M
o (early containment, limited plant disruption, minimal downstream supplier impact)
· Typical expected range: $8M – $18M
o (multi-day production outage, partial data loss, coordinated recovery effort)
· Upper-bound realistic scenarios: $25M – $45M
o (extended plant downtime, unrecoverable data, regulatory and supplier escalation)
Key Cost Drivers
· Duration of production downtime in JIT manufacturing environments
· Scope of irreversible data loss due to non-recoverable encryption
· Number of interconnected Tier 2/3 suppliers impacted simultaneously
· Regulatory exposure across EU/UK data protection regimes
· Insurance coverage gaps for destructive (non-extortion-recoverable) events
Targeted Sectors
· Automotive Manufacturing
· Tier 2/3 Suppliers
Targeted Countries
· Global
o Significant activity in EU/UK
Date of First Reported Activity
· January 2026 (ongoing)
Date of Last Reported Activity Update
· February 2, 2026
APT Names
· This doesn’t appear to be associated with a state sponsored APT group at this time
Associated Criminal Orgs
· Sicarii Ransomware Group
Malware Names
· Sicarii
Malware Family
· Sicarii (emerging RaaS operation)
Known Decoding Key
· None
o This variant contains a critical flaw where it generates fresh RSA key pairs for each execution and then discards the private key, making data recovery impossible even if a ransom is paid.
Verdict
· Highly Malicious / Destructive due to the unrecoverable nature of its encryption.
Primary Objectives
· Data exfiltration
· Credential harvesting
· Network reconnaissance
· File encryption for extortion (though currently non-functional for recovery).
Threat Actor Context
· A group that overtly brands itself with Israeli/Jewish identity and historical symbols (e.g., Haganah emblem), yet conducts underground activity in Russian and uses machine-translated Hebrew. Analysts suggest this may be a false flag or identity manipulation operation.
Behavior Analysis
Encryption
· Uses AES-GCM to encrypt files with the .sicarii extension.
Geo-fencing
· Explicitly checks to avoid execution on Israeli systems.
Exploitation
· Specifically targets vulnerabilities in Fortinet devices for initial access.
AI Indicators
· Technical flaws suggest code may have been "vibe-coded" or developed using poorly implemented GenAI tooling.
TTPs
Initial Access
· T1190 Exploit Public-Facing Application
o Specifically attempts to exploit Fortinet devices using CVE-2025-64446.
· T1133 External Remote Services
o Actively scans for and probes exposed Remote Desktop Protocol (RDP) services.
Persistence
· T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
o Uses the Registry Run key to ensure the malware executes on startup.
· T1543.003 Create or Modify System Process Windows Service
o Maintains persistence by creating a fake system service named "WinDefender".
· T1136.001 Create Account Local Account
o Creates a new local user account named SysAdmin with the password Password123!.
· T1136.003 Create Account Cloud Account
o Attempts to create a new AWS user for persistent cloud access.
Credential Access
· T1003.001 OS Credential Dumping LSASS Memory
o Attempts to dump the Local Security Authority Subsystem Service (LSASS) to harvest credentials.
· T1555 Credentials from Password Stores
o Collects system credentials
o registry hives
o browser data.
· T1555.003 Credentials from Password Stores Credentials from Web Browsers
o Steals sensitive data from browsers and applications like:
§ Discord
§ Slack
Discovery
· T1046 Network Service Discovery
o Scans the network to map hosts and identify services like RDP.
· T1016 System Network Configuration Discovery
o Enumerates local network configurations to understand the victim's environment.
· T1614.001 System Location Discovery System Language Discovery
o Includes an active geo-fencing check that blocks execution if the system is located in Israel.
Defense Evasion
· T1562.001 Impair Defenses Disable or Modify Tools
o Checks for and terminates active Antivirus (AV) and VPN processes before proceeding with encryption.
· T1036.004 Masquerading Masquerade Task or Service
o Uses the name "WinDefender" for its malicious service to appear legitimate.
Collection & Exfiltration
· T1560.001 Archive Collected Data: Archive via Utility
o Packages all harvested data into a ZIP archive named collected_data.zip.
· T1567.002 Exfiltration Over Web Service Exfiltration to Cloud Storage
o Exfiltrates the staged data to the external service file.io.
Impact
· T1486 Data Encrypted for Impact
o Encrypts files in common directories (Documents, Desktop, etc.) using AES-GCM (256-bit) and appends the .sicarii extension.
· T1491.001 Defacement Internal Defacement
o Modifies the desktop wallpaper to notify the victim.
· T1485 Data Destruction
o Due to a coding flaw, the RSA private keys are discarded, resulting in permanent data destruction.
Suggested rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
· Suspicious AI-Assisted Rapid Scanning (Anomalous SYN Scan)
o Focus: Detects automated, fast-paced Nmap/scanners.
alert tcp any any -> $HOME_NET any (msg:"SURICATA Possible AI-Driven Recon Scan"; flags:S; threshold: type threshold, track by_src, count 100, seconds 1; sid:1000001; rev:1;)
· Potential LLM/AI Tooling Traffic (DNS/HTTP)
o Focus Detects connections to known AI API endpoints or abnormal DNS patterns (e.g., rotating subdomains) often used in reconnaissance.
alert dns $HOME_NET any -> any any (msg:"SURICATA Suspicious AI-Related DNS Query"; dns.query; content:"openai"; nocase; sid:1000002; rev:1;)
· Rule: OT/Industrial Protocol Probing
o Focus: Detects scanning of Modbus/CIP protocols, common in automotive production environments.
alert tcp $EXTERNAL_NET any -> $OT_NET 502 (msg:"SURICATA Modbus Scanning Attempt"; flow:to_server; content:"|00 00 00 00 00 06|"; depth:6; sid:1000003; rev:1;)
SentinelOne
· AI-Led Reconnaissance: Automated Web/Cloud Discovery
o This identifies programmatic attempts (common in AI/automated scripts) to map out your cloud architecture.
Rule Code
sql
EventType = "ApiCall" AND (ActionName contains "ListBuckets" OR ActionName contains "GetBucketLocation")
AND (UserAgent contains "python-requests" OR UserAgent contains "boto3" OR UserAgent contains "Go-http-client")
| group count() by SrcIp, UserAgent
| filter count() > 50
· Massive File Discovery on Network Shares
o Detecting the manual or scripted identification of network shares is a high-fidelity indicator of lateral movement preparation.
Rule Code
sql
ProcessName = "cmd.exe" AND CommandLine contains "net view" OR CommandLine contains "net share"
OR (ProcessName = "powershell.exe" AND CommandLine contains "Get-SmbShare")
| filter ProcessParentName != "explorer.exe"
· Inhibition of System Recovery (Shadow Copy Deletion)
o Standard ransomware tradecraft used to prevent file recovery before the SentinelOne Rollback feature is needed.
Rule Code
sql
(ProcessName = "vssadmin.exe" AND CommandLine contains "delete shadows")
OR (ProcessName = "powershell.exe" AND CommandLine contains "Win32_ShadowCopy" AND CommandLine contains ".Delete()")
OR (ProcessName = "wbadmin.exe" AND CommandLine contains "delete systemstatebackup")
· Rule Title: Suspicious WMI Remote Process Creation
o Detects the use of WMI to execute payloads on remote machines, a common tactic for spreading ransomware after initial reconnaissance.
Rule Code
sql
ProcessName = "wmiprvse.exe" AND ProcessParentName = "svchost.exe"
AND (CommandLine contains "process call create" OR CommandLine contains "powershell -enc")
Splunk
· "Fast-Fail" Reconnaissance Patterns
o Intent: Identify src_ips that generate high-volume alerts in less than 10 seconds.
index=network sourcetype=suricata_eve (signature="*scan*" OR signature="*recon*") | stats count min(_time) as first_seen max(_time) as last_seen by src_ip | where (last_seen - first_seen) < 10 AND count > 50
· Unusual Outbound Traffic from OT/Prod Zone
o Intent: Identify OT assets connecting to the internet (which should rarely happen).
index=firewall tag=network action=allowed src_zone="Production_OT" dest_zone="Internet" | stats count by src_ip, dest_port, service | anomaly
· Hunt: Detection of "Living Off the Land" (LotL) Tools
o Intent Identify fileless malware techniques used after AI recon
index=endpoint sourcetype=WinEventLog:Security EventCode=4688 (ProcessName="powershell.exe" OR ProcessName="cmd.exe" OR ProcessName="wmic.exe") CommandLine="*downloadstring*" OR CommandLine="*encodedcommand*"
Delivery Method
· Exploitation of legacy OT devices and VPN vulnerabilities.
References
Motor Trader
· hxxps://www.motortrader.com/motor-trader-news/automotive-news/cyber-risk-within-automotive-accelerates-with-raised-threat-from-ai-tools-26-01-2026
CyFirma
· hxxps://www.cyfirma.com/news/weekly-intelligence-report-30-january-2026/
Malware Bazaar
· hxxps://bazaar.abuse.ch/sample/c3ab6f04d03da24bf8af3677a00b4e0b308df524ee62d6d44d55f838dbbf1d33/
