Inside FunkSec Ransomware Operation


Summary
The FunkSec ransomware group first emerged publicly in late 2024, and rapidly gained prominence by publishing over 85 claimed victims—more than any other ransomware group in the month of December. Presenting itself as a new Ransomware-as-a-Service (RaaS) operation, FunkSec appears to have no known connections to previously identified ransomware gangs, and little information is currently available about its origins or operations.
Check Point Research recently published a blog about FunkSec, a new ransomware group that emerged in late 2024 and gained attention by claiming over 85 victims in December, making it one of the most active ransomware operators. While it positions itself as a Ransomware-as-a-Service (RaaS) provider, the group's true scale and expertise appear to be less significant than suggested.
The actors behind FunkSec are likely inexperienced, and much of the leaked data appears recycled from previous hacktivist campaigns, raising doubts about its authenticity. Analysis suggests that the custom encryptor used by FunkSec was likely developed by an Algerian actor with limited technical expertise, possibly aided by AI tools. This case underscores the challenges in distinguishing between hacktivism and cybercrime, highlighting the limitations of current methods for assessing ransomware threats based on public claims.
Technical Details
FunkSec, a ransomware group that surfaced in December 2024, employs double extortion tactics, combining data theft and encryption to pressure victims. Their operations are centralized through a data leak site (DLS) that features breach announcements, a custom DDoS tool, and a Ransomware-as-a-Service (RaaS) offering. Despite claiming over 85 victims in a short period, FunkSec demands unusually low ransoms, sometimes as little as $10,000, and sells stolen data at discounted rates. With ties to past hacktivist activities, the group’s motivations appear to blur the lines between hacktivism and cybercrime, making them a notable subject for further investigation.
Ransomware
FunkSec has recently introduced a rapidly evolving custom ransomware, with new versions frequently released, often within days. The latest version, V1.5, was promoted with claims of a low detection rate on VirusTotal. A sample file, dev.exe, uploaded from Algeria, confirmed this claim and revealed the ransomware’s use of the ".funksec" extension. Written in Rust and compiled on a system linked to "C:\Users\Abdellah", the malware demonstrates ongoing development by an inexperienced author, likely based in Algeria. Evidence includes multiple uploads of ransomware versions and source code fragments, such as ransomware.rs, to VirusTotal. The malware uses RSA and AES encryption to target files in the C:\ directory, replaces originals with encrypted versions, creates ransom notes, and modifies system settings such as the desktop background. It also checks for administrative privileges before executing.
Other Tools
FunkSec provides various tools alongside their ransomware, many of which align with hacktivist operations. One notable tool, FDDOS, is a Python-based "Scorpion DDoS Tool" that conducts Distributed Denial-of-Service (DDoS) attacks using HTTP or UDP flooding techniques. Another offering, JQRAXY_HVNC, is a C++-based HVNC server and client program, enabling remote desktop control, task automation, and data interaction. Additionally, their funkgenerate tool specializes in extracting emails and potential passwords from specified URLs while generating new password suggestions, highlighting its focus on credential harvesting and manipulation.
AI-Powered capabilities
FunkSec has extensively utilized AI to enhance their operations, as reflected in their tools and publications. Their shared scripts and Rust ransomware source code show signs of being developed with AI assistance, featuring detailed comments in flawless English. The group has openly credited AI tools for aiding in their ransomware development, likely by generating outputs based on provided source code. They also introduced an AI chatbot using the Miniapps platform, tailored to facilitate malicious activities. This strategic use of AI aligns with their claims and highlights their reliance on advanced technology for cybercriminal purposes.
The analyzed malware, a stripped Rust binary, employs aggressive inlining and numerous trait implementations, complicating reverse engineering. It features significant redundancy, with control flow repeating operations, such as "disable security" routines, multiple times within basic blocks. The malware gains elevated privileges, disables system defenses (e.g., Windows Defender and event logging), and deletes shadow backups before proceeding to encrypt files using ChaCha20 encryption from the orion.rs crate. Each encrypted file is renamed with a .funksec extension, and the malware generates a ransom note. Its redundant design and recursive file encryption across drives highlight inefficient but deliberate functionality.
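As an added example (not code from the report or from the FunkSec tooling), the following Python detector flags the two behaviours described above on constructed sample telemetry: defense-tampering process launches (the exact command-line patterns are assumptions, since the report does not quote them) and a burst of file renames to the .funksec extension on one host.

```python
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. Format: "<unix_ts> <host> <kind> <detail>"
SAMPLE_EVENTS = """\
1734170400 ws01 proc vssadmin.exe delete shadows /all /quiet
1734170401 ws01 proc powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
1734170402 ws01 proc wevtutil.exe cl Security
1734170403 ws01 rename C:\\Users\\bob\\report.docx -> C:\\Users\\bob\\report.docx.funksec
1734170403 ws01 rename C:\\Users\\bob\\q4.xlsx -> C:\\Users\\bob\\q4.xlsx.funksec
1734170404 ws01 rename C:\\Users\\bob\\photo.jpg -> C:\\Users\\bob\\photo.jpg.funksec
1734170500 ws02 rename C:\\Users\\eve\\notes.txt -> C:\\Users\\eve\\notes.bak
""".splitlines()

# Patterns for the "disable defenses / delete shadow backups" stage the report describes.
# The report does not quote the command lines, so these are assumed indicators.
DEFENSE_TAMPER = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "defender_disabled": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "event_log_cleared": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
}
RANSOM_EXT = ".funksec"          # extension observed in the analysed sample
RENAME_RE = re.compile(r"^(.+?) -> (.+)$")


def parse(line):
    ts, host, kind, detail = line.split(" ", 3)
    return int(ts), host, kind, detail


def detect(events, burst=3, window=60):
    """Return (host, alert_name, detail) tuples for tampering commands and rename bursts."""
    alerts, renames = [], defaultdict(list)
    for line in events:
        ts, host, kind, detail = parse(line)
        if kind == "proc":
            for name, rx in DEFENSE_TAMPER.items():
                if rx.search(detail):
                    alerts.append((host, name, detail))
        elif kind == "rename":
            m = RENAME_RE.match(detail)
            if m and m.group(2).lower().endswith(RANSOM_EXT):
                renames[host].append(ts)
    # A mass-encryption run shows up as many renames to .funksec in a short window.
    for host, times in renames.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= burst:
                alerts.append((host, "funksec_rename_burst", f"{j - i} renames within {window}s"))
                break
    return alerts
```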
Conclusion
The emergence of FunkSec highlights the evolving landscape of cyber threats where advanced tools, AI-assisted development, and multi-faceted operations blend hacktivist narratives with cybercriminal tactics. By leveraging Rust for malware development, AI tools for code generation, and aggressive operational techniques, FunkSec demonstrates the ability to execute disruptive campaigns despite operational inefficiencies and OpSec lapses. The group’s ability to manipulate public perception through fabricated claims and strategic alignments underscores the need for continuous vigilance, robust defense mechanisms, and collaborative threat intelligence efforts to counter such hybrid cyber threats effectively.
