January 27, 2025

Cybersecurity researchers have shed light on the FunkSec ransomware family, a new artificial intelligence (AI)-assisted ransomware strain that first appeared in late 2024 and has since claimed over 85 victims.
According to a new investigation provided to The Hacker News by Check Point Research, the gang employs double extortion techniques, combining encryption and data theft to coerce victims into paying ransoms. Notably, FunkSec offered stolen data to third parties at discounted prices and demanded unusually low ransoms, sometimes as little as $10,000.
To “centralize” its ransomware operations, FunkSec created its data leak site (DLS) in December 2024. The site highlighted breach announcements, a proprietary tool for launching distributed denial-of-service (DDoS) attacks, and custom malware offered as part of a ransomware-as-a-service (RaaS) model.
Most of the victims are located in Brazil, Israel, Spain, Mongolia, India, Italy, and the United States. According to Check Point’s investigation of the group’s activities, it might be the work of inexperienced actors looking to gain notoriety by reusing material that was leaked in earlier hacktivist-related releases.
FunkSec stands out, according to Halcyon, since it sells stolen data to potential customers for $1,000 to $5,000 while simultaneously operating as a ransomware organization and data broker.
It was discovered that some RaaS members had engaged in hacktivist activities, underscoring the continued blurring of the boundaries between hacktivism and cybercrime at a time when nation-state actors and organized cybercriminals are increasingly exhibiting an unsettling convergence of tactics, techniques, and even goals.
They also claim to target the US and India in support of the “Free Palestine” campaign, and have tried to build ties with now-defunct hacktivist groups like Ghost Algeria and Cyb3r Fl00d. A list of some of the notable actors linked to FunkSec is provided below:
- The group has been promoted on underground forums like Breached Forum by Scorpion, also known as DesertStorm, a suspected actor from Algeria.
- Following DesertStorm’s expulsion from Breached Forum, El_farado became a prominent spokesperson for FunkSec advertisements.
- XTN, a probable associate engaged in an unidentified “data-sorting” service.
- Along with El_farado, Blako has been tagged by DesertStorm.
- Bjorka is a well-known hacktivist from Indonesia whose moniker has been used to claim leaks on DarkForums that were credited to FunkSec, indicating either a loose affiliation or an attempt to impersonate FunkSec.
The presence of DDoS attack tools, along with tools for password generation and remote desktop administration (JQRAXY_HVNC), raises the possibility that the group is also experimenting with hacktivist tactics.
Check Point pointed out that the group’s tools, including the encryptor, were most likely created with AI assistance, which might have helped with their rapid iterations, despite the author’s apparent lack of technical expertise.
The most recent ransomware version, FunkSec V1.5, is written in Rust, and the sample was uploaded to VirusTotal from Algeria. References to FunkLocker and Ghost Algeria can be found in the ransom notes of older variants. The threat actor appears to be based in Algeria, because the majority of these specimens were uploaded from that country, probably by the creators themselves.
Before encrypting the targeted files and recursively iterating over all folders, the ransomware elevates privileges, disables security measures, deletes shadow copy backups, and terminates a hard-coded list of processes and services.
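One way a defender can turn the pre-encryption behaviour chain described above into a detection, as an added example that is not from the article or from Check Point’s report: a small Python detector that alerts only when several of those stages (defence disabling, shadow copy deletion, mass process termination) occur on the same host within a short window. The log lines are constructed, and the command-line patterns are assumptions about how such behaviour commonly appears in process-creation telemetry, not indicators from the FunkSec sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stages named in the article, mapped to command-line patterns that commonly correspond
# to them in process-creation telemetry (assumed for illustration, not FunkSec indicators).
STAGE_PATTERNS = {
    "disable_defences": re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring", re.I),
    "delete_shadow_copies": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "kill_processes": re.compile(r"taskkill(\.exe)?\s+.*/im\s+\S+", re.I),
}
WINDOW = timedelta(minutes=10)  # stages must co-occur on one host within this window
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) pid=\d+ cmd=(?P<cmd>.*)$")

# Constructed sample telemetry (not real logs). WS-17 shows the full chain;
# SRV-DB2 shows an isolated, plausibly benign taskkill that must not alert.
SAMPLE_LOG = [
    "2025-01-10T09:00:01 host=WS-17 pid=4120 cmd=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-01-10T09:00:07 host=WS-17 pid=4188 cmd=vssadmin.exe delete shadows /all /quiet",
    "2025-01-10T09:00:09 host=WS-17 pid=4201 cmd=taskkill.exe /f /im sqlservr.exe",
    "2025-01-10T11:30:00 host=SRV-DB2 pid=900 cmd=taskkill.exe /f /im notepad.exe",
    "2025-01-10T11:31:00 host=SRV-DB2 pid=905 cmd=notepad.exe C:\\notes.txt",
]

def parse(line):
    """Return (timestamp, host, command line), or None for lines that do not match."""
    m = LOG_RE.match(line)
    return (datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]) if m else None

def detect(lines, min_stages=2):
    """Map host -> sorted stage names for hosts where at least min_stages distinct
    pre-encryption stages occur within WINDOW of each other. Requiring a chain,
    not any single command, keeps routine administration out of the alert queue."""
    events = defaultdict(list)  # host -> [(timestamp, stage)]
    for ts, host, cmd in filter(None, map(parse, lines)):
        for stage, pattern in STAGE_PATTERNS.items():
            if pattern.search(cmd):
                events[host].append((ts, stage))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            stages = {stage for ts, stage in evs[i:] if ts - t0 <= WINDOW}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

Lowering `min_stages` to 1 turns this into a plain single-indicator rule and shows why the chain requirement matters: the lone taskkill on SRV-DB2 then becomes an alert too.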
Sergey Shykevich, the threat intelligence group manager at Check Point Research, said in a statement that 2024 was a very successful year for ransomware groups, but that various hacktivist groups were also encouraged by the world crises.
The line between hacktivism and cybercrime is blurred by FunkSec, a new gang that recently became the most active ransomware outfit in December. Though the actual effectiveness of their operations is still very doubtful, FunkSec, motivated by both political goals and commercial motivations, uses artificial intelligence (AI) and repurposes previous data leaks to create a new ransomware brand.
The development coincides with Forescout’s description of a Hunters International attack that most likely used Oracle WebLogic Server as a point of entry to drop a China Chopper web shell. This shell was then used to carry out a number of post-exploitation tasks that finally resulted in the ransomware’s deployment.
Once inside, the attackers mapped the network and escalated privileges through reconnaissance and lateral movement, according to Forescout. For lateral movement, the attackers employed a range of standard administrative and red teaming tools.