A ransomware group named FunkSec has gained notoriety after admitting to attacks targeting over 80 organizations in December 2024.

Information about the FunkSec group

FunkSec is a newly emerging ransomware group in recent times. This group has been operating a data leak site in December 2024 to compile their attack activities. The extortion method used by FunkSec primarily involves double extortion, combining data theft and encryption to pressure victims into paying a ransom. The group’s website displays announcements, a self-developed DDoS tool, and recently a service offering malware as Ransomware-as-a-Service (RaaS).

Figure 1. FunkSec data leak site

FunkSec has attracted community attention as up to 85 organizations have been identified as victims of this group in just over a month of operation. Notably, FunkSec demands very low ransoms, sometimes only $10,000, and the price for selling data to third parties is also very favorable. This has led to their activities being actively discussed on cybercrime forums, further enhancing their reputation.

Figure 2. Statistics of FunkSec victims by country

AI Support Capabilities

FunkSec has utilized AI in their products to enhance features. The lines of code in the DDoS script and several other products of the group include very detailed comments, seemingly created by a Large Language Model (LLM).

Figure 3. Comments in the DDoS script

The group has also deployed an AI chatbot based on Miniapps to support their activities. Miniapps is a platform for creating and using AI applications and chatbots, and it is not limited in language. The bot developed by FunkSec is specifically designed to support malicious activities.

Figure 4. Chat interface using Miniapps Scorpion

Features of FunkSec Malware

When executed, the FunkSec ransomware runs a series of commands to disable security features such as turning off Windows Defender’s real-time protection, disabling application and security event log recording, disabling PowerShell execution restrictions, and deleting hidden backups.

The malware also searches for and terminates about 50 processes, mostly task processes, then begins searching for files to encrypt, adding the extension ‘.funksec’ to those files, and then creating a ransom note.

Figure 5. Processes terminated by the malware

Figure 6. Ransom note file created on the victim’s machine

IOCs Related to FunkSec Malware

Recommendations

FPT Threat Intelligence recommends organizations and individuals take several measures to prevent this campaign:

• Regularly back up data: Store data offline and periodically test recovery capabilities.
• Update software: Always update operating systems and applications to patch security vulnerabilities.
• Use security software: Install and activate antivirus and anti-malware solutions.
• Carefully check emails: Do not open emails, links, or attachments from untrusted sources.
• Limit access rights: Use accounts with low privileges to reduce risk.
• Enable two-factor authentication (2FA): Enhance security for important accounts.
• Security awareness training: Increase user understanding of ransomware threats.
• Network segmentation: Limit spread within the system by dividing the network.
• Incident response planning: Prepare and periodically test response plans for incidents.

References

• FunkSec – Alleged Top Ransomware Group Powered by AI
• Emerging FunkSec Ransomware Developed Using AI