Source: www.securityweek.com – Author: Ionut Arghire
An emerging ransomware group named FunkSec has risen to fame after claiming responsibility for attacks on more than 80 victims in December 2024, Check Point reports.
FunkSec appears to be involved in both hacktivism and cybercrime activities and its members are likely inexperienced threat actors currently looking to gain visibility and recognition, Check Point’s investigation into the group shows.
Written in Rust, the file-encrypting malware was likely created with the help of AI by an inexperienced malware developer from Algeria, who also uploaded some of the ransomware's source code online, the cybersecurity firm says.
Operating under the ransomware-as-a-service (RaaS) business model, the group engages in double extortion, threatening to release stolen information to pressure victims into paying a ransom.
FunkSec is adding victims on a data leak site that was launched in December 2024. The site also features a custom distributed denial-of-service (DDoS) tool, a smart password generation and scraping tool, and a hidden virtual network computing (hVNC) module that the group claims is fully undetected.
The FunkSec name was initially introduced in October 2024 by a threat actor using the monikers Scorpion and DesertStorm, and was later promoted by a potential associate, El_Farado. Other threat actors – XTN, Blako, and Bjorka – are likely connected to Scorpion and FunkSec.
Check Point also discovered that the group's members linked the ransomware's development to AI in some of their public messages, and that they released an AI chatbot based on Miniapps to support their malicious operations.
“The individuals behind FunkSec appear to have extensively leveraged AI to enhance their capabilities, as evidenced by their publications and tools. Their public script offerings include extensive code comments with perfect English (as opposed to very basic English in other mediums), likely generated by an LLM agent,” Check Point says.
When executed, the FunkSec ransomware runs a series of commands to disable security features such as Windows Defender’s real-time protection, application and security event logging, and PowerShell execution restrictions, and to delete shadow copy backups.
The malware also targets roughly 50 processes for termination, and then begins searching for files to encrypt, adding the ‘.funksec’ extension to them, after which it writes a ransom note to the disk.
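The pre-encryption behaviour described above (disabling Defender real-time protection, clearing event logs, relaxing PowerShell execution policy, deleting shadow copies, then writing `.funksec` files) is what a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the Check Point report or from SecurityWeek; the sample events are constructed, and the specific command lines are assumptions (common Windows commands for each action the article names, not commands quoted from the FunkSec sample).

```python
import re

# Constructed sample process-creation records (the shape of Sysmon Event ID 1 /
# Windows Security 4688 data). Not taken from the Check Point report.
SAMPLE_EVENTS = [
    {"pid": 4012, "image": "powershell.exe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 4020, "image": "powershell.exe",
     "cmd": "powershell.exe Set-ExecutionPolicy Unrestricted -Force"},
    {"pid": 4031, "image": "wevtutil.exe", "cmd": "wevtutil cl Security"},
    {"pid": 4044, "image": "vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 4060, "image": "notepad.exe", "cmd": "notepad.exe report.txt"},
]

# One rule per pre-encryption action the article describes. The command-line
# patterns are assumptions: typical Windows commands for each action, not the
# exact strings used by the FunkSec binary.
RULES = {
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$true", re.I),
    "execution_policy_relaxed": re.compile(
        r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "shadow_copies_deleted": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
}


def match_rules(events):
    """Return {rule_name: [pids]} for every event whose command line hits a rule."""
    hits = {}
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits.setdefault(name, []).append(ev["pid"])
    return hits


def ransomware_prep_score(hits, threshold=3):
    """Count distinct rule categories hit and flag when the combination reaches
    the threshold. One hit alone (an admin clearing a log) is expected noise;
    several together in a short window is the pre-encryption chain."""
    distinct = len(hits)
    return distinct, distinct >= threshold


def funksec_extension_hits(paths):
    """Flag written file paths carrying the '.funksec' extension the article reports."""
    return [p for p in paths if p.lower().endswith(".funksec")]
```

Correlating the categories per host and session, rather than alerting on each command alone, is what keeps this from firing on routine administration.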
The ransomware gang demands low ransom payments, sometimes as low as $10,000, and was observed selling the allegedly stolen information to other threat actors at discounted prices.
The group's involvement in hacktivist campaigns, which may be intended to boost its credibility, includes the targeting of India and the US in line with the Free Palestine movement. In addition, the hackers have associated themselves with defunct hacktivist groups such as Ghost Algéria and Cyb3r Fl00d.
“FunkSec’s data leaks often recycle information from previous hacktivist campaigns, casting doubt on the authenticity of their claims. Despite these limitations, their Tor-based operations and low ransom demands have drawn widespread attention in cybercrime forums,” Check Point notes.
Original Post URL: https://www.securityweek.com/emerging-funksec-ransomware-developed-using-ai/