
Emerging FunkSec Ransomware Developed Using AI

Developed with the help of AI, the emerging FunkSec ransomware claimed over 80 victims in December 2024.

An emerging ransomware group named FunkSec has risen to fame after claiming responsibility for attacks on more than 80 victims in December 2024, Check Point reports.

FunkSec appears to be involved in both hacktivism and cybercrime activities and its members are likely inexperienced threat actors currently looking to gain visibility and recognition, Check Point’s investigation into the group shows.

Written in Rust, the file-encrypting malware was likely created with the help of AI, by an inexperienced malware developer from Algeria, who also uploaded some of the ransomware’s source code online, the cybersecurity firm says.

Operating under the ransomware-as-a-service (RaaS) business model, the group engages in double extortion, threatening to release stolen information to pressure victims into paying a ransom.

FunkSec is adding victims on a data leak site that was launched in December 2024, which also features a custom distributed denial-of-service (DDoS) tool, a smart password generation and scraping tool, and a hidden virtual network computing (hVNC) module the group claims to be fully undetected.

The FunkSec name was initially introduced in October 2024 by a threat actor using the monikers of Scorpion and DesertStorm, and was later promoted by a potential associate, El_Farado. Other threat actors – XTN, Blako, and Bjorka – are likely connected to Scorpion and FunkSec.

Check Point also discovered that the group’s members linked the ransomware development to AI in some of their public messages, and that they released an AI chatbot based on Miniapps, to support their malicious operations.

“The individuals behind FunkSec appear to have extensively leveraged AI to enhance their capabilities, as evidenced by their publications and tools. Their public script offerings include extensive code comments with perfect English (as opposed to very basic English in other mediums), likely generated by an LLM agent,” Check Point says.


When executed, the FunkSec ransomware runs a series of commands to disable security features such as Windows Defender’s real-time protection, application and security event logging, and PowerShell execution restrictions, and to delete shadow copy backups.

The malware also targets roughly 50 processes for termination, and then begins searching for files to encrypt, adding the ‘.funksec’ extension to them, after which it writes a ransom note to the disk.
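The behaviours described above (disabling real-time protection and event logging, relaxing PowerShell execution policy, deleting shadow copies, and the ‘.funksec’ extension) are all observable from endpoint telemetry. The following detection logic is an added example, not code from Check Point or the article; the log line format is constructed, and the concrete command-line patterns are an assumption, since the article names the effects rather than the exact commands.

```python
import re
from dataclasses import dataclass

# Behaviour rules drawn from the article. The command-line patterns are an
# assumption: they are the usual Windows means of achieving each effect, not
# commands quoted from the FunkSec sample itself.
RULES = {
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)", re.I),
    "eventlog_clear": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "ps_execpolicy_relaxed": re.compile(
        r"Set-ExecutionPolicy\b.*\b(Unrestricted|Bypass)\b", re.I),
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "funksec_extension": re.compile(r"\.funksec\b", re.I),
}

@dataclass
class Event:
    host: str
    source: str   # "process" (command line) or "file" (path written)
    detail: str

def parse_line(line: str) -> Event:
    """Parse one constructed 'host|source|detail' telemetry line."""
    host, source, detail = line.split("|", 2)
    return Event(host.strip(), source.strip(), detail.strip())

def match_rules(event: Event) -> list[str]:
    """Names of every rule whose pattern occurs in the event detail."""
    return [name for name, rx in RULES.items() if rx.search(event.detail)]

def score(lines) -> dict[str, set[str]]:
    """Collect the distinct behaviours seen per host."""
    hits: dict[str, set[str]] = {}
    for line in lines:
        ev = parse_line(line)
        for rule in match_rules(ev):
            hits.setdefault(ev.host, set()).add(rule)
    return hits

def suspicious_hosts(lines, threshold: int = 2) -> list[str]:
    """Hosts showing at least `threshold` distinct behaviours, in order."""
    return sorted(h for h, rules in score(lines).items() if len(rules) >= threshold)

# Constructed sample telemetry: one host showing the chain, one benign host.
SAMPLE_LOG = [
    "ws01|process|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "ws01|process|vssadmin.exe delete shadows /all /quiet",
    r"ws01|file|C:\Users\alice\Documents\q4.xlsx.funksec",
    "ws02|process|wevtutil.exe qe Security /c:5",
    "ws02|process|notepad.exe report.txt",
]
```

Requiring two or more distinct behaviours per host keeps a single benign event, such as the log query on ws02, from raising an alert on its own.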

The ransomware gang demands low ransom payments, sometimes as low as $10,000, and was observed selling the allegedly stolen information to other threat actors at discounted prices.

The group’s hacktivist activity, which may be intended to boost its credibility, includes targeting India and the US in line with the Free Palestine movement. In addition, the hackers have associated themselves with defunct hacktivist groups such as Ghost Algéria and Cyb3r Fl00d.

“FunkSec’s data leaks often recycle information from previous hacktivist campaigns, casting doubt on the authenticity of their claims. Despite these limitations, their Tor-based operations and low ransom demands have drawn widespread attention in cybercrime forums,” Check Point notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
