{"id":20039,"date":"2025-02-18T09:00:28","date_gmt":"2025-02-18T02:00:28","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=20039"},"modified":"2025-02-19T10:35:57","modified_gmt":"2025-02-19T03:35:57","slug":"warning-ai-powered-funksec-ransomware","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/warning-ai-powered-funksec-ransomware\/","title":{"rendered":"Warning: AI-Powered FunkSec Ransomware"},"content":{"rendered":"<div id=\"post-content-wrapper\" class=\"prose prose-base mx-auto mb-10 min-h-30 break-words dark:prose-dark lg:prose-lg\">\n<p>A ransomware group named FunkSec gained notoriety after claiming responsibility for attacks on more than 80 organizations in December 2024.<\/p>\n<h1 id=\"heading-information-about-the-funksec-group\" class=\"permalink-heading\">Information about the FunkSec group<\/h1>\n<p>FunkSec is a newly emerged ransomware group. In December 2024 it launched a data leak site to catalogue its attacks. FunkSec relies primarily on double extortion, combining data theft with encryption to pressure victims into paying a ransom. 
The group&#8217;s website displays announcements, a self-developed DDoS tool and, more recently, a Ransomware-as-a-Service (RaaS) offering.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Trang-web-ro-ri-du-lieu-cua-FunkSec-1739159059.webp\"><img class=\"aligncenter wp-image-20040 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Trang-web-ro-ri-du-lieu-cua-FunkSec-1739159059.webp\" alt=\"AI-Powered FunkSec Ransomware FPT IS 1\" width=\"1907\" height=\"797\" \/><\/a><em>Figure 1. FunkSec data leak site<\/em><\/p>\n<p>FunkSec has attracted community attention because as many as 85 organizations were identified as its victims in just over a month of operation. Notably, FunkSec demands very low ransoms, sometimes only $10,000, and also offers stolen data to third parties at very low prices. 
This has led to the group&#8217;s activities being actively discussed on cybercrime forums, further boosting its reputation.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Thong-ke-nan-nhan-cua-FunkSec-theo-quoc-gia-1739159182.webp\"><img class=\"aligncenter wp-image-20041 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Thong-ke-nan-nhan-cua-FunkSec-theo-quoc-gia-1739159182.webp\" alt=\"AI-Powered FunkSec Ransomware FPT IS 2\" width=\"922\" height=\"499\" \/><\/a><em>Figure 2. Statistics of FunkSec victims by country<\/em><\/p>\n<h1 id=\"heading-ai-support-capabilities\" class=\"permalink-heading\">AI Support Capabilities<\/h1>\n<p>FunkSec has used AI to enhance the features of its tools. 
The code of the DDoS script and several other tools from the group contains very detailed comments that appear to have been generated by a Large Language Model (LLM).<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Hinh-3.-Comment-trong-script-DDoS-1739159246.webp\"><img class=\"aligncenter wp-image-20042 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Hinh-3.-Comment-trong-script-DDoS-1739159246.webp\" alt=\"AI-Powered FunkSec Ransomware FPT IS 3\" width=\"1721\" height=\"438\" \/><\/a><em>Figure 3. Comments in the DDoS script<\/em><\/p>\n<p>The group has also deployed an AI chatbot built on Miniapps to support its activities. Miniapps is a platform for creating and using AI applications and chatbots, with no restriction on language. 
The bot developed by FunkSec is specifically designed to support malicious activities.<\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Hinh-4.-Giao-dien-chat-bang-miniapps-Scorpion-1739159295.webp\"><img class=\"aligncenter wp-image-20043 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Hinh-4.-Giao-dien-chat-bang-miniapps-Scorpion-1739159295.webp\" alt=\"AI-Powered FunkSec Ransomware FPT IS 4\" width=\"794\" height=\"628\" \/><\/a><\/p>\n<p style=\"text-align: center;\"><em>Figure 4. Chat interface using Miniapps Scorpion<\/em><\/p>\n<h1 id=\"heading-features-of-funksec-malware\" class=\"permalink-heading\">Features of FunkSec Malware<\/h1>\n<p>When executed, the FunkSec ransomware runs a series of commands to disable security features: it turns off Windows Defender&#8217;s real-time protection, disables Application and Security event log recording, bypasses PowerShell execution restrictions, and deletes Volume Shadow Copies (the backup snapshots used for recovery).<\/p>\n<div class=\"hn-table\">\n<table>\n<thead>\n<tr>\n<td><strong>Command<\/strong><\/td>\n<td><strong>Function<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code>Set-MpPreference -DisableRealtimeMonitoring $true<\/code><\/td>\n<td>Disable Windows Defender real-time protection<\/td>\n<\/tr>\n<tr>\n<td><code>wevtutil sl Security \/e:false<\/code><\/td>\n<td>Disable Security event log recording<\/td>\n<\/tr>\n<tr>\n<td><code>wevtutil sl Application \/e:false<\/code><\/td>\n<td>Disable Application event log recording<\/td>\n<\/tr>\n<tr>\n<td><code>Set-ExecutionPolicy Bypass -Scope Process -Force<\/code><\/td>\n<td>Bypass PowerShell execution restrictions for the current process<\/td>\n<\/tr>\n<tr>\n<td><code>vssadmin delete shadows \/all 
\/quiet<\/code><\/td>\n<td>Delete all Volume Shadow Copies (backup snapshots)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>The malware also searches for and terminates about 50 processes, mostly ordinary task processes, then searches for files to encrypt, appends the extension &#8216;.funksec&#8217; to each encrypted file, and finally creates a ransom note.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Hinh-5.-Cac-tien-trinh-ma-ma-doc-nay-terminate-1739159459.png\"><img class=\"aligncenter wp-image-20044 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Hinh-5.-Cac-tien-trinh-ma-ma-doc-nay-terminate-1739159459.png\" alt=\"AI-Powered FunkSec Ransomware FPT IS 5\" width=\"1099\" height=\"523\" \/><\/a><em>Figure 5. Processes terminated by the malware<\/em><\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Hinh-6.-File-note-duoc-tao-ra-tren-may-nan-nhan-1739159512.webp\"><img class=\"aligncenter wp-image-20045 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Hinh-6.-File-note-duoc-tao-ra-tren-may-nan-nhan-1739159512.webp\" alt=\"AI-Powered FunkSec Ransomware FPT IS 6\" width=\"631\" height=\"510\" \/><\/a><em>Figure 6. 
Ransom note file created on the victim&#8217;s machine<\/em><\/p>\n<h1 id=\"heading-iocs-related-to-funksec-malware\" class=\"permalink-heading\">IOCs Related to FunkSec Malware<\/h1>\n<p>The original report provides a table of SHA-256 file hashes of FunkSec samples as indicators of compromise.<\/p>\n<h1 id=\"heading-recommendations\" class=\"permalink-heading\">Recommendations<\/h1>\n<p><strong>FPT Threat Intelligence<\/strong>\u00a0recommends that organizations and individuals take the following measures to defend against this campaign:<\/p>\n<ul>\n<li><strong>Regularly back up data<\/strong>: Store backups offline and periodically test recovery.<\/li>\n<li><strong>Update software<\/strong>: Keep operating systems and applications patched against security vulnerabilities.<\/li>\n<li><strong>Use security software<\/strong>: Install and enable antivirus and anti-malware solutions.<\/li>\n<li><strong>Carefully check emails<\/strong>: Do not 
open emails, links, or attachments from untrusted sources.<\/li>\n<li><strong>Limit access rights<\/strong>: Use least-privilege accounts to reduce risk.<\/li>\n<li><strong>Enable two-factor authentication (2FA)<\/strong>: Strengthen protection of important accounts.<\/li>\n<li><strong>Security awareness training<\/strong>: Improve users&#8217; understanding of ransomware threats.<\/li>\n<li><strong>Network segmentation<\/strong>: Divide the network to limit lateral spread within the system.<\/li>\n<li><strong>Incident response planning<\/strong>: Prepare incident response plans and test them periodically.<\/li>\n<\/ul>\n<h1 id=\"heading-references\" class=\"permalink-heading\">References<\/h1>\n<ul>\n<li><a href=\"https:\/\/research.checkpoint.com\/2025\/funksec-alleged-top-ransomware-group-powered-by-ai\/\" target=\"_blank\" rel=\"noopener nofollow\">FunkSec \u2013 Alleged Top Ransomware Group Powered by AI<\/a><\/li>\n<li><a href=\"https:\/\/www.securityweek.com\/emerging-funksec-ransomware-developed-using-ai\/\" target=\"_blank\" rel=\"noopener nofollow\">Emerging FunkSec Ransomware Developed Using AI<\/a><\/li>\n<\/ul>\n<\/div>\n<div class=\"-mt-5 mb-10\">\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 100%;\"><p><strong>Exclusive article by FPT IS Technology Experts<\/strong><\/p>\n<p><em>Tran Hoang Phong \u2013 FPT IS Cyber Security 
Center<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"author":21,"featured_media":20046,"parent":0,"template":"","nang_luc":[],"danh_muc_goc_nhin_so":[789],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-20039","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","danh_muc_goc_nhin_so-expert-sharing","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/20039","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/20046"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=20039"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=20039"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=20039"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=20039"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=20039"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=20039"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=20039"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=20039"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}