FunkSec: A Top Ransomware Group Leveraging AI
I. Targeted Entities
- Government
- Healthcare
- Manufacturing
- Media
- Technology
II. Introduction
An emerging ransomware group known as FunkSec appeared in late 2024, compromising over 85 victims in December, more than any other ransomware group that month. FunkSec is a new Ransomware-as-a-Service (RaaS) actor focused on bolstering its malware with the use of Artificial Intelligence (AI). These threat actors are said to be amateurs demanding unusually low ransoms, backed by the threat of posting victims’ data on FunkSec’s data leak site (DLS). Companies are listed on the DLS as they are compromised. The site also hosts several malicious tools, including a free Distributed Denial of Service (DDoS) tool.
Some members of the FunkSec group have appeared in other hacktivist activities and claim to mainly target the United States and India. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC), Recorded Future (a leading threat intelligence platform), and Broadcom (a semiconductor and software company) have all released reports urging organizations to stay ahead of the threat. They recommend implementing a defense-in-depth strategy using multiple layers of security, backing up systems, and keeping systems updated and patched.
Ransomware-as-a-service double extortion puts more pressure on the victim to pay: the attacker not only encrypts the data but also copies and exfiltrates it, then threatens to leak it if the ransom isn’t paid. Against traditional ransomware, good backups can defeat the attack and allow recovery without payment; with double extortion, backups restore operations but do not remove the threat of a leak.
III. Additional Background Information
In December 2024, the FunkSec ransomware group appeared to compromise its first 11 victims, sparking immediate interest from security researchers and news outlets. Further investigation of the malware, FunkSec V1.5, indicated that it originated from Algeria and showed many indications of AI use. The use of AI allowed the group to rapidly iterate this ransomware and create its tools, which implies the attackers lack technical expertise. The group is said to seek recognition and visibility, as it appears to demand ransoms as low as $10,000. Evidence also indicates that some of the leaked information posted to the DLS was recycled from previous hacktivist-related leaks, which raises questions about its authenticity.
Although limited information is currently available, the attack appears to start with techniques defined in the MITRE ATT&CK framework, specifically T1193, T1203, and T1189. T1193 – Spear Phishing Attachment indicates that adversaries are using a series of spear phishing campaigns to infect systems with ransomware after the victim opens email attachments embedded with malicious macros. T1203 – Exploitation of Client-Side Vulnerabilities allows the attacker to take advantage of a vulnerability within a system and gain access through an exploit of that vulnerability. T1189 – Drive-by Compromise allows the attacker to plant malicious objects within websites and advertisements to lure victims into interacting with them. Once the user has triggered an access vector, the system becomes infected and all files are encrypted and cannot be opened until the ransom is paid.
Previous ransomware campaigns involving such exploitation are already a major concern, but this attack highlights a new threat, as the use of AI clearly elevates the severity of such attacks. FunkSec is found to have used AI in the creation of a malicious DDoS tool, in pieces of redundant code that call the binaries multiple times, and in the extensive, perfect-English comments. FunkSec’s broad adaptation across many attack vectors makes the group capable of exploiting many people and organizations through rapid iterations of this malware while evading defenses. These attacks could bring down companies in all industries.
Organizations are strongly urged to maintain proper security practices. These practices should include security awareness training, applying the latest patches, and monitoring for indicators of compromise (IoCs). Furthermore, safe browsing practices should be enforced, including downloading materials only from official and trustworthy channels. Failure to follow these procedures could result in severe disruptions and data breaches.
IV. MITRE ATT&CK
- T1193 – Spear Phishing Attachment
FunkSec V1.5 can gain initial access through a spear phishing campaign. These campaigns can take various forms, such as an email containing a malicious attachment or a malicious link outlined in 001- Phishing: Spear Phishing Link. This allows attackers to gain access to the system after a download has been completed, a file is opened, or a link is clicked.
- T1203 – Exploitation for Client Execution
The adversary can also exploit vulnerabilities within applications and software to run their malicious executables.
- T1189 – Drive-by Compromise
These threat actors also leverage torrent websites that impersonate useful tools to trick users into downloading the ransomware and so gain initial access. This allows attackers to compromise a system when a user visits a website during normal browsing. This tactic requires exploitation of an established website or the creation of a new website to lure victims in.
- T1204 – User Execution
From the limited information available, this ransomware group requires user execution of its malware through various vectors. Once the user opens the file, accesses a file within a website, or interacts with a malicious advertisement, the exploit takes place.
- T1059 – Command and Scripting Interpreter
Once FunkSec V1.5 is executed, the device’s wallpaper turns black and encryption of each file commences, while a README note is added that notifies the user that the victim’s organization has been attacked and all files have been encrypted and stolen. The malware recursively encrypts all directories, using WriteFileEx to write the encrypted content back to disk and CryptGenRandom to generate cryptographic keys or initialization vectors. The note states that refusal to pay, or tampering with the files or network (such as contacting the authorities or using anti-virus (AV) tools), will result in the exfiltrated content being sold.
- T1071 – Application Layer Protocol
As the malware iterates through each drive letter, recursively encrypting all files and directories, a ransom note is displayed on the desktop including a link for payment. This indicates the use of application layer protocols such as HTTPS for command and control and for payment, which is arranged by accessing hxxps://getsession[.]org with a given session key.
- T1053 – Scheduled Task/Job
Within this code there are also multiple hard-coded constants, such as “RansomwarePassword123” used during encryption, which can indicate scheduled or timed tasks to ensure persistence.
- T1548 – Abuse Elevation Control Mechanism
This malware attempts to check for elevated privileges by executing net session. If the check fails, it tries to relaunch itself with elevated privileges using “start-process -wait Verb runas -filepath ‘%~nx0’ -ArgumentList ‘<arguments>’”.
- T1562.001 – Impair Defenses: Disable or Modify Tools
Once the ransomware has elevated privileges, it moves to evade defenses by disabling security mechanisms on the device. These include Windows Defender, security event logging, application event logging, and the restrictions placed by the PowerShell execution policy. These actions take place through a series of commands such as “Set-MpPreference -DisableRealtimeMonitoring $true” and “Set-ExecutionPolicy Bypass -Scope Process -Force”. These techniques shrink the malware’s detection footprint, making it harder to identify during the data exfiltration stages.
- T1486 – Data Encrypted for Impact
While the security mechanisms are being disabled, the Rust-based malware encrypts all files and appends the extension “.funksec”. Typical ransomware calls its binary once, but the FunkSec V1.5 code repeats this a total of 5 times, with control flow that repeats itself and calls functions multiple times through various execution paths. This may be due to lack of experience, the use of AI, or an intention to obfuscate the malware’s main functionality.
- T1489 – Service Stop
After the data is encrypted, the malware moves on to stopping processes. It accomplishes this by executing “terminate processes”, which is hard-coded with 50 common processes and services such as taskmgr, eventlog, python, winmgmt, and many common software applications. This technique makes the system practically unusable, impacting the organization’s operations.
- T1490 – Inhibit System Recovery
Its final step is to recursively loop through all directories and files, deleting any shadow copy backups. This impacts the organization by removing the backups needed to restore normal operation.
- TA0010 – Exfiltration
If the ransom is not paid, all data will be exfiltrated and sold to third parties.
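The T1548, T1562.001 and T1490 entries above each name an observable host action (the net session check and runas relaunch, the Set-MpPreference and Set-ExecutionPolicy commands, shadow copy deletion). The following is an added detection example, written for this advisory and not taken from FunkSec or any of the cited sources. It runs simple rules over PowerShell script-block or process command-line text, the kind of content a SIEM receives from Windows Event ID 4104 or Sysmon Event ID 1, and alerts only when one host shows more than one technique, since a lone execution-policy change is common administrative noise. The shadow-copy rule assumes vssadmin or wmic, which the advisory does not name; all sample events are constructed.

```python
"""Behavioral detection for the FunkSec V1.5 tradecraft described above.

Added example, not code from the advisory or its sources. It scans
PowerShell script-block text or process command lines for the privilege
check, the Defender and execution-policy tampering, and the shadow-copy
deletion described in the T1548, T1562.001 and T1490 entries.
All sample events below are constructed for this demo.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str
    name: str
    pattern: re.Pattern


RULES = [
    # T1548: admin check with "net session", then self-relaunch via runas
    Rule("T1548", "admin check via net session",
         re.compile(r"\bnet(?:\.exe)?\s+session\b", re.I)),
    Rule("T1548", "self-relaunch with Start-Process runas",
         re.compile(r"start-process\b.*\brunas\b", re.I)),
    # T1562.001: the two commands quoted in the advisory
    Rule("T1562.001", "Defender real-time monitoring disabled",
         re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    Rule("T1562.001", "PowerShell execution policy set to Bypass",
         re.compile(r"Set-ExecutionPolicy\s+Bypass", re.I)),
    # T1490: the advisory says shadow copies are deleted but does not name the
    # command; vssadmin / wmic shadowcopy are assumed here as the usual routes.
    Rule("T1490", "shadow copy deletion",
         re.compile(r"vssadmin\b.*\bdelete\s+shadows|wmic\b.*\bshadowcopy\s+delete", re.I)),
]

# Alert when a host shows at least this many distinct techniques in one window:
# a lone "Set-ExecutionPolicy Bypass" is common admin noise, the combination is not.
MIN_TECHNIQUES_FOR_ALERT = 2


def match_line(text: str) -> list[tuple[str, str]]:
    """Return (technique, rule name) for every rule the text triggers."""
    return [(r.technique, r.name) for r in RULES if r.pattern.search(text)]


def assess(events: list[tuple[str, str]]) -> dict[str, dict]:
    """Group (host, text) events per host and decide which hosts to alert on."""
    per_host: dict[str, dict] = defaultdict(lambda: {"techniques": set(), "hits": []})
    for host, text in events:
        state = per_host[host]          # register the host even if nothing matches
        for technique, name in match_line(text):
            state["techniques"].add(technique)
            state["hits"].append((technique, name, text))
    for state in per_host.values():
        state["alert"] = len(state["techniques"]) >= MIN_TECHNIQUES_FOR_ALERT
    return dict(per_host)


# Constructed sample events: (host, script-block or command-line text).
SAMPLE_EVENTS = [
    ("WS-01", "net session"),
    ("WS-01", "start-process -wait -Verb runas -filepath '%~nx0' -ArgumentList ''"),
    ("WS-01", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS-01", "Set-ExecutionPolicy Bypass -Scope Process -Force"),
    # benign administration on another host: looks similar, but no tampering
    ("WS-02", "Get-MpPreference | Select-Object DisableRealtimeMonitoring"),
    ("WS-02", "Set-ExecutionPolicy RemoteSigned -Scope LocalMachine"),
    ("WS-02", "vssadmin list shadows"),
]


if __name__ == "__main__":
    for host, state in assess(SAMPLE_EVENTS).items():
        flag = "ALERT" if state["alert"] else "ok"
        print(f"{host}: {flag} techniques={sorted(state['techniques'])}")
        for technique, name, text in state["hits"]:
            print(f"    {technique:10} {name}: {text}")
```

The threshold is the point to tune: on hosts where Defender is managed by policy, tamper protection should make the Set-MpPreference call fail, so a matching script block on such a host is itself worth a ticket even without a second technique.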
V. Recommendations
- Implement a Defense-In-Depth Strategy:
- Implement many different layers of security. FunkSec is known to use phishing campaigns and to exploit vulnerabilities. Implement proper email security, such as filters and phishing detection software, and enable multifactor authentication. Security awareness training and regular updates or patches to all systems will also help prevent FunkSec’s ransomware. Other layers to implement include Endpoint Detection and Response (EDR) software, firewalls, and robust Anti-Virus (AV) on all devices and systems.
- Perform Regularly Scheduled Backups & Audits:
- Perform both online and offline backups. Doing both ensures that copies of data exist in several locations, at least one of which is inaccessible to the attacker. Regular security audits are essential to stay ahead of security vulnerabilities by identifying potential weaknesses ransomware can exploit and patching accordingly.
- Monitor for Compromise Indicators (IoCs):
- Check network traffic and system logs often for known IoCs linked to this attack, such as file paths, flagged IP addresses, hash values, and log entries that might point to exploitation (see the IoCs section for references). To improve detection capabilities, incorporate these IoCs into SIEM or IDS/IPS systems.
- Establish an Incident Response Plan:
- Create or revise an incident response plan that includes steps for handling FunkSec ransomware. Ensure the response team is equipped and trained to deal with any possible breach due to ransomware.
- Isolate Compromised Systems:
- Isolate compromised systems right away to stop additional access or harm if any indications of compromise are found. Notify the affected parties and carry out a comprehensive investigation, eliminating any malware or backdoors.
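The "Monitor for Compromise Indicators" recommendation can be put into practice directly with the values in the IoCs section. The following is an added example written for this advisory (not code from FunkSec, Cyber Florida or any cited source): it hashes the files under a directory and compares them against the advisory’s SHA-256 list, flags the “.funksec” extension the ransomware appends, and extracts SHA-256 tokens from log lines so hash-bearing EDR or AV events can be checked the same way. Only the hash values and the extension come from the advisory; the directory tree and the log line are constructed for the demo.

```python
"""IoC sweep using the FunkSec indicators listed in the advisory.

Added example, not code from the advisory or its sources. Only the hash
values and the ".funksec" extension come from the advisory; the sample
files and log line are constructed for this demo.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 indicators from section VI, normalised to lowercase.
FUNKSEC_SHA256 = {
    "c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c",
    "66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd",
    "dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac",
    "b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb",
    "5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd",
    "e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22",
    "20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d",
    "dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966",
    "7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603",
}
RANSOM_EXTENSION = ".funksec"
SHA256_TOKEN = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def is_known_hash(digest: str) -> bool:
    """Case-insensitive lookup against the advisory's hash list."""
    return digest.lower() in FUNKSEC_SHA256


def sha256_of(path: Path) -> str:
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path) -> list[dict]:
    """Return one finding per matching file: a known hash or the ransom extension."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_of(path)
        if is_known_hash(digest):
            findings.append({"path": str(path), "reason": "known_hash", "sha256": digest})
        if path.suffix.lower() == RANSOM_EXTENSION:
            findings.append({"path": str(path), "reason": "funksec_extension", "sha256": digest})
    return findings


def known_hashes_in_text(text: str) -> set[str]:
    """Extract SHA-256 tokens from a log line and keep the ones on the IoC list."""
    return {m.group(0).lower() for m in SHA256_TOKEN.finditer(text)
            if is_known_hash(m.group(0))}


def demo() -> list[dict]:
    """Build a constructed directory tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_text("quarterly notes\n")
        # constructed stand-in for a file the ransomware has already renamed
        (root / "docs" / "invoice.pdf.funksec").write_bytes(b"\x00" * 64)
        return scan_directory(root)


# Constructed log line in the shape of an AV quarantine event carrying a hash.
SAMPLE_LOG_LINE = ("2025-01-10T08:14:02Z host=WS-01 action=quarantine "
                   "sha256=C233AEC7917CF34294C19DD60FF79A6E0FAC5ED6F0CB57AF98013C08201A7A1C")

if __name__ == "__main__":
    for f in demo():
        print(f"{f['reason']:18} {f['path']}")
    print("known hashes in log line:", known_hashes_in_text(SAMPLE_LOG_LINE))
```

A hash list ages quickly against a group that, as described above, iterates its malware rapidly, so treat the extension check and the behavioral signals as the durable part of the detection and refresh the hash set from a feed such as MalwareBazaar or ThreatFox (both cited in the references) rather than hard-coding it in production.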
VI. IOCs (Indicators of Compromise)
Type | Indicator |
---|---|
SHA-256 Hash | c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c |
SHA-256 Hash | 66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd |
SHA-256 Hash | dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac |
SHA-256 Hash | b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb |
SHA-256 Hash | 5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd |
SHA-256 Hash | e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22 |
SHA-256 Hash | 20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d |
SHA-256 Hash | dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966 |
SHA-256 Hash | 7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603 |
Source Code File | ransomware.rs |
File Extension | .funksec |
FunkSec Scorpion Domain | hxxps://miniapps[.]ai/funksec |
FunkSec Malware Hosting | hxxps://gofile[.]io/d/8FOSeP |
FunkSec DLS | hxxp://funknqn44slwmgwgnewne6bintbooauwkaupik4yrlgtycew3ergraid[.]onion/ |
FunkSec DLS | hxxp://funkiydk7c6j3vvck5zk2giml2u746fa5irwalw2kjem6tvofji7rwid[.]onion/ |
VII. Additional OSINT Information
Image 1: FunkSec’s AI Scorpion (Hybrid Analysis Falcon Sandbox results)
Image 2: FunkSec’s AI Scorpion (Hybrid Analysis Falcon Sandbox results)
Image 3: FunkSec malicious phishing site analysis (Hybrid Analysis Falcon Sandbox results)
Image 4: FunkSec DLS (Check Point Research. (2025a). FunkSec data leak site. Retrieved 2025.)
Image 5: FunkSec ransomware note (Check Point Research. (2025a). FunkSec ransomware note. Retrieved 2025.)
Associated Threat Actors:
- Scorpion: Prominent member of FunkSec; uses multiple aliases such as DessertStorm.
- El_farado: Promotes FunkSec, making sure the group stays visible.
Associated Hacktivist Groups:
- Ghost Algeria: Made evident by a ransom note similar to FunkSec’s.
- Cyb3r Fl00d: Older group, linked based on a screenshot.
Artificial Intelligence (AI) Indicators:
- Very well structured and formatted comments and code, as well as the publication of an AI chatbot named Scorpion.
VIII. References
Dulaunoy, A., Fafner, & Harper, T. (n.d.). RansomLook. RansomLook. https://www.ransomlook.io/
Antoniuk, D. (2025, January 10). New amateurish ransomware group FunkSec using AI to develop malware. The Record. https://therecord.media/funksec-ransomware-using-ai-malware
Arghire, I. (2025, January 13). Emerging FunkSec ransomware developed using AI. SecurityWeek. https://www.securityweek.com/emerging-funksec-ransomware-developed-using-ai/
Check Point Research. (2025, January 9). Meet FunkSec: A new, surprising ransomware group, powered by AI. Check Point Blog. https://blog.checkpoint.com/research/meet-funksec-a-new-surprising-ransomware-group-powered-by-ai/
Check Point Research. (2025, January 15). FunkSec: The rising yet controversial ransomware threat actor dominating December 2024. Check Point Blog. https://blog.checkpoint.com/research/funksec-the-rising-yet-controversial-ransomware-threat-actor-dominating-december-2024/
Check Point Software. (2024, February 8). What is double extortion ransomware? Check Point Software. https://www.checkpoint.com/cyber-hub/ransomware/what-is-double-extortion-ransomware/
Cyber.nj.gov. (2025, January 16). FunkSec RaaS dominates the ransomware landscape in December. https://www.cyber.nj.gov/Home/Components/News/News/1574/214?rq=emotet
Broadcom Inc. (2025, January 9). FunkSec ransomware. https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware
Hollingworth, D. (2025, January 14). Inside FunkSec, the self-taught hackers supported by AI code. Cyber Daily. https://www.cyberdaily.au/security/11575-inside-funksec-the-self-taught-hackers-supported-by-ai-code
Infosecurity Magazine. (2025, January 13). New ransomware group uses AI to develop nefarious tools. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/new-ransomware-group-uses-ai/
Lakshmanan, R. (2025, January 11). AI-driven ransomware FunkSec targets 85 victims using double extortion tactics. The Hacker News. https://thehackernews.com/2025/01/ai-driven-ransomware-funksec-targets-85.html
LevelBlue Open Threat Exchange. (n.d.). LevelBlue – Open Threat Exchange. https://otx.alienvault.com/pulse/678127dbf6bb4958da4254cd/
MalwareBazaar. (2025). MalwareBazaar Database – funksec. https://bazaar.abuse.ch/browse/tag/funksec/
Meskauskas, T. (2025, January 13). FunkLocker (FunkSec) ransomware – Decryption, removal, and lost files recovery (updated). PCrisk. https://www.pcrisk.com/removal-guides/31853-funklocker-funksec-ransomware
MITRE ATT&CK®. (n.d.). MITRE ATT&CK®. https://attack.mitre.org/
Price, A. (2024, December 4). Take me down to FunkSec town: FunkSec ransomware DLS emergence. CYJAX. https://www.cyjax.com/resources/blog/take-me-down-to-funksec-town-funksec-ransomware-dls-emergence/
Reynolds, I. (2025, January 11). FunkSec: The emergence of AI-driven ransomware threats. SecureTeam. https://secureteam.co.uk/news/funksec-the-emergence-of-ai-driven-ransomware-threats/
Stcpresearch. (2025, January 10). FunkSec – alleged top ransomware group powered by AI. Check Point Research. https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
ThreatFox. (n.d.). Tag funksec. https://threatfox.abuse.ch/browse/tag/funksec/
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Timothy Kircher