2025-01-15
Security Team
AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics
Ransomware

The FunkSec ransomware group emerged in late 2024, quickly gaining attention by claiming responsibility for over 85 victims—more than any other ransomware group in December. Positioned as a new Ransomware-as-a-Service (RaaS) operation, FunkSec appears to have no ties to previously identified ransomware gangs, with limited information available about its origins or activities.

What is FunkSec Ransomware?

FunkSec is a new AI-driven ransomware strain that leverages artificial intelligence to enhance the precision, speed, and effectiveness of its attacks. Unlike traditional ransomware operations, FunkSec employs machine learning algorithms to:

  • Automate reconnaissance: Identify high-value targets and sensitive data with minimal manual effort.
  • Enhance encryption: Use AI to implement advanced encryption techniques that are harder to reverse-engineer.
  • Personalize attacks: Tailor ransom demands based on the victim's financial standing, industry, and potential reputational impact.

Background

FunkSec is a newly emerging ransomware group that established its data leak site (DLS) in December 2024 to streamline its ransomware operations. The group employs double extortion tactics, leveraging both data theft and file encryption to coerce victims into paying ransoms. Their DLS serves as a platform for breach announcements and showcases their tools, including a custom-developed DDoS utility and, more recently, a proprietary ransomware offered as part of a Ransomware-as-a-Service (RaaS) model.

The Double Extortion Tactics of FunkSec

As a recent report notes, "Notably, FunkSec demanded unusually low ransoms, sometimes as little as $10,000 and sold stolen data to third parties at reduced prices."

Double extortion has become a favored tactic among ransomware operators, and FunkSec takes it to the next level. Here's how the tactic works:

  1. Encrypting Data: FunkSec infiltrates the victim's network and encrypts critical files, rendering them inaccessible.
  2. Data Exfiltration: Before encryption, FunkSec uses AI to identify and exfiltrate sensitive data, such as trade secrets, financial records, or customer information.
  3. Two-pronged Threat: Victims are then hit with a double threat:
    • Pay the ransom to decrypt their files.
    • Pay an additional ransom to prevent the publication or sale of their stolen data on the dark web.

How FunkSec Uses AI

AI plays a central role in FunkSec’s operation, giving it a significant edge over traditional ransomware. Below are some key ways AI enhances its capabilities:

  1. Automated Vulnerability Exploitation: AI algorithms scan for unpatched vulnerabilities in systems, such as outdated software or weak credentials. This automation allows FunkSec to infiltrate networks faster than human-driven efforts.
  2. Dynamic Targeting: Using AI, FunkSec prioritizes victims based on their ability to pay, selecting organizations with high-value assets or critical data.
  3. Sophisticated Evasion Techniques: AI enables FunkSec to bypass detection systems by mimicking legitimate network traffic or adapting its behavior in real time.
  4. Social Engineering: FunkSec uses AI to craft convincing phishing emails or messages tailored to specific individuals within an organization, increasing the likelihood of successful attacks.

The operators behind FunkSec appear to have heavily relied on AI to bolster their capabilities, as reflected in their published tools and materials. Their publicly shared scripts feature extensive, well-written code comments in flawless English—an unusual contrast to the basic English typically seen in their other communications. This suggests the involvement of a large language model (LLM) agent. A similar pattern is evident in the Rust source code associated with the group’s ransomware, further indicating that its development likely benefited from AI assistance.

FunkSec has also launched an AI chatbot built on the Miniapps platform to support their operations. Miniapps is a platform that enables the creation and deployment of AI applications and chatbots, often bypassing the restrictions imposed by more widely used systems like ChatGPT. The chatbot developed by FunkSec is tailored specifically to facilitate malicious activities, further demonstrating their innovative use of AI to enhance their operations.

Interestingly, parts of the malware’s source code, written in Rust, were also uploaded by the author. The file, named ransomware.rs, contains partial functionality of the compiled binaries and was uploaded to VirusTotal on December 15 from an Algerian source. This prototype version of the ransomware is a simplified implementation and includes the following functions:

  1. File Encryption: Encrypts all files on the system located in the C:\ directory using a combination of RSA and AES encryption. The original files are deleted post-encryption, with encrypted versions saved using the .funksec extension.
  2. Ransom Note Creation: Generates a ransom note named readme.me, notifying the user of the encryption and providing instructions for paying the ransom to obtain the decryption key.
  3. System Environment Modification: Alters the desktop environment, such as changing the background to black, to emphasize the ransom demand.
  4. Privilege Check: Ensures the ransomware has administrative or root privileges before execution to maximize its impact.

Other free tools

In addition to ransomware, the FunkSec group offers additional tools, most of them associated with hacktivist activity:

  1. FDDOS: A Python-based tool called the “Scorpion DDoS Tool,” designed for network stress testing. It performs Distributed Denial-of-Service (DDoS) attacks using HTTP or UDP flood methods.
  2. JQRAXY_HVNC: A C++ program consisting of an HVNC (Hidden Virtual Network Computing) server and client. It enables remote desktop management, automation, and data interaction, allowing stealthy control over compromised systems.
  3. funkgenerate: A smart password generation and scraping tool. It scrapes emails and potential passwords from provided URLs and generates new password suggestions, facilitating credential-related attacks.

FunkSec V1.5: Rust-Based Ransomware with Advanced Features

Latest Version: FunkSec V1.5

The newest iteration of the FunkSec ransomware, FunkSec V1.5, showcases significant technical advancements and further solidifies its position as a sophisticated threat. Here’s a detailed breakdown of its features and origins:

1. Written in Rust

  • Programming Language: FunkSec V1.5 is written in Rust, a language increasingly popular among cybercriminals for its performance, memory safety, and difficulty in reverse engineering.
  • Benefits for Attackers:
    • Cross-Platform Capability: Rust allows the malware to target multiple operating systems (Windows, Linux, macOS).
    • Evasion Techniques: Rust binaries are harder to analyze with traditional antivirus tools due to their unique structure and the lack of widespread Rust-specific analysis tools.

2. Artifact Origins

  • The ransomware artifact for FunkSec V1.5 was uploaded to VirusTotal from Algeria, likely by the ransomware's developer or an affiliate. This reinforces earlier indications that the primary threat actor is based in Algeria.
  • Historical Context:
    • Earlier versions of the ransomware included references to FunkLocker and Ghost Algeria in their ransom notes. These references establish a link to older, regionally associated hacktivist and cybercriminal groups.

3. Malware Capabilities

FunkSec V1.5 exhibits several advanced features, making it a highly effective ransomware strain. These include:

A. Recursive Directory Traversal
  • Behavior: The ransomware recursively iterates through all directories on the infected system to encrypt targeted files.
  • Impact: Ensures maximum disruption by encrypting all accessible data, including network shares.
B. Privilege Escalation
  • Pre-encryption Tactics:
    • Elevates privileges on the infected system, enabling unrestricted access to files and system processes.
    • Common Methods: Exploits unpatched vulnerabilities or leverages misconfigurations for privilege escalation.
C. Disabling Security Controls
  • Defense Evasion: The ransomware disables:
    • Antivirus software.
    • Firewalls.
    • Endpoint detection tools.
  • Technique: Uses hard-coded commands and tools to manipulate or disable these defenses before encryption begins.
D. Shadow Copy Deletion
  • Backup Removal: Deletes shadow copies of the system to ensure that victims cannot restore their files without paying the ransom.
  • Command: Likely uses commands like vssadmin delete shadows /all /quiet.
E. Process and Service Termination
  • Targeting Critical Processes:
    • FunkSec V1.5 includes a hard-coded list of processes and services to terminate, such as:
      • Database services (e.g., SQL Server).
      • Backup services.
      • Enterprise applications.
    • Purpose: Ensures files in use are unlocked and available for encryption.

4. Indicators of a Local Threat Actor

Several clues strongly suggest that the developer of FunkSec ransomware operates from Algeria:

  • Artifact Uploads: Multiple malware specimens, including FunkSec V1.5, have been uploaded to VirusTotal from Algeria.
  • Self-Promotion: The references to Ghost Algeria in earlier ransom notes highlight an effort to associate FunkSec with regionally infamous hacktivist groups, reinforcing the connection to Algerian origins.

Here’s the technical analysis of the control flow and functionality of the FunkSec ransomware, broken into detailed steps:

1. Repetitive Control Flow

  • The ransomware exhibits inefficiencies in its control flow, repeatedly calling functions from multiple execution paths.
  • For instance, critical operations like the "disable security" routine are redundantly invoked. This routine is executed twice within the same basic block, despite its functionality not requiring repetition.

2. Recursive File Encryption Logic

  • A recursive function iterates through all subdirectories of a specified directory, encrypting targeted files within them.
  • This function is redundantly invoked five times throughout the binary, further highlighting the malware’s inefficient design.

3. Duplicated Code

  • The ransomware contains duplicated code that triggers the "encrypt all directories" logic with different hardcoded constants.
  • Example: One invocation uses the constant RansomwarePassword123.
  • This duplication increases the size of the binary and introduces unnecessary complexity.

4. Primary Execution Flow

  • The malware’s execution starts with a sequence of operations, which includes:
    • Disabling security features.
    • Elevated privilege checks: The malware verifies whether it has the required administrative privileges by attempting to execute the net session command.
    • If privileges are insufficient, the ransomware attempts to relaunch itself with elevated privileges using the following command:
start-process -wait -Verb runas -filepath '%~nx0' -ArgumentList '<arguments>'
  • Upon gaining the necessary privileges, the control flow transfers to the "encrypt all drives" function, which performs the main encryption task.

5. Execution Path Inefficiency

  • Across the binary, the operations sequence (e.g., "disable security," privilege check, etc.) is called multiple times unnecessarily.
  • This inefficiency, coupled with duplicated and redundant functionality, indicates a lack of optimization and professional coding practices in the malware’s development.

Detailed breakdown of the steps FunkSec ransomware takes once it gains elevated privileges:

1. Disabling Security Features

The malware executes the following commands to disable critical security measures:

  • Set-MpPreference -DisableRealtimeMonitoring $true
    Disables Windows Defender real-time protection to avoid detection during the attack.
  • wevtutil sl Security /e:false
    Disables Security event logging, making it harder for administrators to detect the attack.
  • wevtutil sl Application /e:false
    Disables Application event logging to prevent tracking of suspicious activities.
  • Set-ExecutionPolicy Bypass -Scope Process -Force
    Disables PowerShell execution policy restrictions, allowing the malware to run without interference.
  • vssadmin delete shadows /all /quiet
    Deletes shadow copy backups to prevent data recovery through Windows backup mechanisms.
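
Every one of the commands listed above, and the net session / start-process -Verb runas sequence from the control-flow analysis, leaves a process-creation record that a SIEM or EDR can match on. The script below is an added example written for this page, not code from the original post or from the malware: it runs simple regex rules over constructed, Sysmon-style "user|image|commandline" log lines (a format assumed for the example; the rule names are the example's own) and raises the confidence when several distinct tampering commands fire on the same host, which is the back-to-back pattern the write-up describes.

```python
"""Flag the defence-tampering and elevation commands quoted in the FunkSec
write-up when they appear in process-creation telemetry.

Added example, not code from the original post or from the malware. The
log format ("user|image|commandline") and the rule names are constructed
for this example; the command patterns are the ones quoted in the write-up.
"""
import re
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    pattern: re.Pattern
    note: str


# Patterns tolerate the whitespace and casing variations PowerShell and
# cmd.exe accept, so a trivially reformatted command line still matches.
RULES = [
    Rule("defender_realtime_off",
         re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I),
         "Windows Defender real-time protection disabled"),
    Rule("eventlog_channel_disabled",
         re.compile(r"wevtutil(?:\.exe)?\s+sl\s+\S+\s+/e:\s*false", re.I),
         "event log channel disabled"),
    Rule("execution_policy_bypass",
         re.compile(r"set-executionpolicy\s+bypass", re.I),
         "PowerShell execution policy set to Bypass"),
    Rule("shadow_copy_deletion",
         re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
         "volume shadow copies deleted"),
    Rule("runas_relaunch",
         re.compile(r"start-process\b.*-verb\s+runas", re.I),
         "self-relaunch with elevation requested"),
]


def evaluate(cmdline: str) -> list:
    """Return the names of every rule that matches one command line."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def scan_log(lines) -> dict:
    """Map each flagged log line to its rule hits and score the host.

    A single hit is worth a look on its own, but the write-up describes these
    commands being run back to back, so three or more distinct rules firing in
    one log window is reported as a ransomware-staging pattern.
    """
    hits = {}
    for line in lines:
        try:
            _user, _image, cmdline = line.rstrip("\n").split("|", 2)
        except ValueError:
            continue  # malformed record, skip it
        names = evaluate(cmdline)
        if names:
            hits[line] = names
    distinct = {n for names in hits.values() for n in names}
    return {"hits": hits, "distinct_rules": distinct,
            "staging_pattern": len(distinct) >= 3}


# Constructed sample telemetry (not real victim data): benign noise around the
# tampering sequence quoted in the write-up. "net session" is left unflagged
# on purpose: on its own it is far too common to alert on.
SAMPLE_LOG = [
    "alice|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "alice|C:\\Windows\\System32\\net.exe|net session",
    "alice|...\\powershell.exe|powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "alice|...\\wevtutil.exe|wevtutil sl Security /e:false",
    "alice|...\\wevtutil.exe|wevtutil sl Application /e:false",
    "alice|...\\powershell.exe|powershell Set-ExecutionPolicy Bypass -Scope Process -Force",
    "alice|...\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "alice|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for line, names in result["hits"].items():
        print(f"{names}: {line.split('|', 2)[2]}")
    print("staging pattern:", result["staging_pattern"])
```

Administrators legitimately run Set-MpPreference and Set-ExecutionPolicy, so the per-rule hits are best treated as enrichment; the correlated "distinct_rules" count is what separates a noisy admin session from the sequence described above, and the shadow-copy deletion rule deserves its own alert regardless of the count.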

2. Terminating Processes and Services

The malware then executes a function called terminate_processes, which targets a hardcoded list of processes and services to terminate. These include:

  • Popular browsers: chrome.exe, firefox.exe, msedge.exe
  • System processes: explorer.exe, outlook.exe, taskmgr.exe, powershell.exe, cmd.exe
  • Communication apps: discord.exe, skype.exe, steam.exe, spotify.exe
  • Various system services like bits, dnsclient, wuauserv, winmgmt, and more, to prevent the victim from noticing or interrupting the ransomware operation.

3. File Encryption Process

After disabling security measures and terminating processes, the malware proceeds with its main function—file encryption:

  • Drive Iteration: The malware iterates through each drive letter, recursively encrypting files in all subdirectories.
  • Targeted File Extensions: The ransomware encrypts files with specific targeted extensions.

Encryption Method:
The malware uses ChaCha20 symmetric encryption, which is implemented using the orion.rs crate in Rust. This ensures fast and secure file encryption.

  • Key Generation: Ephemeral encryption keys are generated using a wrapper around CryptGenRandom (and the function SystemFunction036).
  • Filename Generation: Encrypted files are saved with a new filename, and the hardcoded .funksec extension is appended. The filename is generated using the Rust format! macro, which creates the file name dynamically.

4. Ransom Note

After encryption, the ransomware creates a ransom note, which is written to the disk. This note typically features a mix of regular and emoji-style characters, attempting to make the message more attention-grabbing and potentially intimidating for the victim.

IOCs

  • c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c
  • 66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd
  • dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac
  • b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb
  • 5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd
  • e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22
  • 20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d
  • dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966
  • 7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603
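
The hashes above are only useful once they are compared against something. The script below is an added example, not code from the original post: it sweeps a directory tree, hashes each file with SHA-256 and checks it against the nine IOCs listed on this page, and at the same time looks for the two on-disk artifacts the write-up names, the .funksec extension on encrypted files and the readme.me ransom note. The sample directory it builds is constructed for demonstration; the function names are the example's own.

```python
"""Sweep a directory for the FunkSec file artifacts named in the write-up
and compare file hashes against its published SHA-256 IOCs.

Added example, not code from the original post. The nine hashes are the
IOCs listed in the post; the artifact names (.funksec, readme.me) are also
taken from it. Function and variable names are this example's own.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IOCs as published in the write-up, normalised to lower case.
FUNKSEC_SHA256 = frozenset(h.lower() for h in [
    "c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c",
    "66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd",
    "dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac",
    "b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb",
    "5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd",
    "e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22",
    "20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d",
    "dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966",
    "7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603",
])

RANSOM_NOTE_NAME = "readme.me"   # ransom note file name from the write-up
ENCRYPTED_EXT = ".funksec"       # extension appended to encrypted files


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_ioc(digest: str) -> bool:
    """Case-insensitive lookup of a SHA-256 hex digest against the IOC set."""
    return digest.strip().lower() in FUNKSEC_SHA256


def scan_directory(root) -> dict:
    """Walk `root` and report IOC hash matches, .funksec files and ransom notes."""
    findings = {"hash_matches": [], "encrypted_files": [], "ransom_notes": []}
    for dirpath, _dirs, files in os.walk(Path(root)):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE_NAME:
                findings["ransom_notes"].append(str(p))
            if name.lower().endswith(ENCRYPTED_EXT):
                # Encrypted victim data, not a malware sample: record it, skip hashing.
                findings["encrypted_files"].append(str(p))
                continue
            try:
                if is_known_ioc(sha256_file(p)):
                    findings["hash_matches"].append(str(p))
            except OSError:
                continue  # unreadable or vanished file; keep scanning
    findings["compromise_suspected"] = bool(
        findings["hash_matches"] or findings["ransom_notes"] or findings["encrypted_files"]
    )
    return findings


def build_demo_tree(base) -> Path:
    """Constructed sample tree: a normal document, an encrypted-looking
    sibling and a ransom note. No real malware or victim data involved."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "quarterly.xlsx").write_bytes(b"plain document contents")
    (base / "docs" / "quarterly.xlsx.funksec").write_bytes(os.urandom(64))
    (base / RANSOM_NOTE_NAME).write_text("constructed sample ransom note text")
    return base


def demo_scan() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_directory(build_demo_tree(tmp))


if __name__ == "__main__":
    for key, value in demo_scan().items():
        print(f"{key}: {value}")
```

Hash matching only catches the exact binaries already seen; the extension and ransom-note checks are what surface a host that has already been hit by a recompiled build, which is why the scan reports both and treats either as grounds for isolating the machine.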

How to Mitigate:

  • Deploy Robust Endpoint Security
  • Implement Least Privilege & Access Controls
  • Maintain Strict Patch Management
  • Perform Frequent, Secure Backups
  • Segment and Harden Networks
  • Monitor and Log Key Events
  • Leverage AI Defensively

Conclusion

The rise of AI-driven ransomware like FunkSec calls for a renewed focus on cybersecurity measures. Organizations must adopt a multi-layered approach to defense, including:

  1. AI-Powered Threat Detection: Deploying AI to identify and block threats in real time.
  2. Regular Patching and Updates: Closing vulnerabilities that FunkSec might exploit.
  3. Employee Training: Educating staff on phishing and social engineering tactics.
  4. Zero Trust Architecture: Restricting access based on strict verification protocols.
  5. Data Backup and Recovery Plans: Ensuring that critical data can be restored without paying a ransom.
