Cybersecurity researchers have shed light on a nascent artificial intelligence (AI)-assisted ransomware family called FunkSec that emerged in late 2024 and has claimed more than 85 victims to date.
“The group uses double extortion tactics that combine data theft and encryption to coerce victims into paying ransoms,” Check Point Research said in a new report shared with The Hacker News. “Notably, FunkSec demanded unusually low ransoms, in some cases as low as $10,000, and sold the stolen data to third parties at a discount.”
FunkSec launched a data leak site (DLS) in December 2024 to “centralize” its ransomware operations. The site hosts breach announcements, a custom tool for carrying out distributed denial-of-service (DDoS) attacks, and custom ransomware offered as part of a ransomware-as-a-service (RaaS) model.
Most of the victims are concentrated in the United States, India, Italy, Brazil, Israel, Spain, and Mongolia. Check Point’s analysis of the group’s activity suggests it is likely the work of novice actors seeking notoriety by recycling leaks from past hacktivist operations.
Some members of the RaaS group have also been found to engage in hacktivist activities, a blending of “tactics, techniques, and goals” that is increasingly seen among nation-state actors and organized cybercriminals as well.
The group has also claimed to target India and the United States, aligned itself with the “Free Palestine” movement, and sought to associate itself with now-defunct hacktivist groups such as Ghost Algeria and Cyb3r Fl00d. Some of the notable actors associated with FunkSec are listed below.
Scorpion (also known as DesertStorm), a suspected Algeria-based actor who promotes the group on underground forums such as Breached Forum.
El_farado, who emerged as a central figure promoting FunkSec after DesertStorm was banned from Breached Forum.
XTN, an associate who is likely involved in an as-yet-unknown “data sorting” service.
Blako, who has been tagged by DesertStorm and El_farado.
Bjorka, a well-known Indonesian hacktivist whose alias has been used to claim leaks attributed to FunkSec on DarkForums, pointing to either a loose relationship or an attempt to impersonate FunkSec.
The group’s hacktivist leanings are further evidenced by the presence of a DDoS attack tool, as well as tools for remote desktop management (JQRAXY_HVNC) and password generation (funkgenerate).
“The group’s tool development, including the encryption tool, was likely AI-assisted, which may have contributed to its rapid iteration despite the author’s apparent lack of technical expertise,” Check Point noted.
The latest version of the ransomware, named FunkSec V1.5, is written in Rust, and the artifact was uploaded to the VirusTotal platform from Algeria. Analysis of older versions of the malware also points to attackers based in Algeria, with references such as FunkLocker and Ghost Algeria.
The ransomware binary is configured to recursively iterate through all directories and encrypt the targeted files, but not before elevating privileges, disabling security controls, deleting shadow copy backups, and taking steps to terminate a hard-coded list of processes and services.
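The preparation steps named above (shadow copy deletion, tampering with security controls and recovery settings, bulk termination of processes and services) are the detection opportunities a defender gets before encryption starts. The following is an added example, not code from the Check Point report or from FunkSec, that scores Windows process-creation events for those behaviours and raises an alert when several distinct categories occur on one host inside a short window. The pipe-separated event layout, the rule names, the host names and the event lines are all constructed for the example; the command patterns matched (`vssadmin delete shadows`, `wmic shadowcopy delete`, `bcdedit ... recoveryenabled no`, `sc`/`net stop`, `taskkill /im`) are well-known built-in Windows tools, chosen because the article names the behaviours rather than the specific commands FunkSec uses.

```python
"""Score process-creation events for ransomware pre-encryption behaviour.

Added example: the event format (ts|host|user|image|command_line), the
rule names and the sample events are all constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). ws01 shows the full
# pre-encryption pattern; ws02 shows benign administrative activity.
SAMPLE_EVENTS = """\
2025-01-10T09:15:01|ws01|SYSTEM|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2025-01-10T09:15:02|ws01|SYSTEM|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2025-01-10T09:15:03|ws01|SYSTEM|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2025-01-10T09:15:04|ws01|SYSTEM|C:\\Windows\\System32\\sc.exe|sc stop WinDefend
2025-01-10T09:15:05|ws01|SYSTEM|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y
2025-01-10T09:15:06|ws01|SYSTEM|C:\\Windows\\System32\\taskkill.exe|taskkill /f /im sqlservr.exe
2025-01-10T09:15:07|ws01|SYSTEM|C:\\Windows\\System32\\taskkill.exe|taskkill /f /im outlook.exe
2025-01-10T11:42:10|ws02|alice|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2025-01-10T11:45:00|ws02|alice|C:\\Program Files\\Backup\\backup.exe|backup.exe --full
""".splitlines()

# Behaviour categories (names are this example's own) and the command-line
# patterns that indicate them. Listing or reading is deliberately NOT matched;
# only destructive or disabling verbs count.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "recovery_tampering": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    ],
    "security_control_tampering": [
        re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+WinDefend\b", re.I),
    ],
    "process_termination": [
        re.compile(r"\btaskkill(\.exe)?\b.*\s/im\s", re.I),
        re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S+", re.I),
    ],
}


def parse_event(line):
    """Split one constructed 'ts|host|user|image|command_line' record."""
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "image": image, "cmd": cmd}


def classify(cmd):
    """Return the set of behaviour categories a command line matches."""
    return {name for name, pats in RULES.items() if any(p.search(cmd) for p in pats)}


def analyze(lines, window=timedelta(minutes=10), min_categories=3):
    """Alert per host when >= min_categories distinct behaviours occur
    within `window` of a first suspicious event. Returns a list of alerts."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: (e["host"], e["ts"]))
    by_host = {}
    for e in events:
        e["categories"] = classify(e["cmd"])
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not start["categories"]:
                continue  # window must open on a suspicious event
            cats, hits = set(), []
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["categories"]:
                    cats |= e["categories"]
                    hits.append(e["cmd"])
            if len(cats) >= min_categories:
                alerts.append({"host": host, "start": start["ts"].isoformat(),
                               "categories": sorted(cats), "hits": hits})
                break  # one alert per host is enough to open triage
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} from {alert['start']}: "
              f"{', '.join(alert['categories'])} ({len(alert['hits'])} events)")
```

Requiring several distinct categories inside one window is what keeps a lone `vssadmin list shadows` or a scheduled service restart from paging anyone; the individual matches are still worth keeping as enrichment on the alert so the responder can see exactly which preparation steps ran and in what order.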
“2024 was a very successful year for ransomware groups, while at the same time global conflicts fueled the activities of various hacktivist groups,” Sergey Shykevich, threat intelligence group manager at Check Point Research, said in a statement.
“FunkSec, a new group that recently emerged as the most active ransomware group in December, is blurring the lines between hacktivism and cybercrime, driven by both political and financial incentives. FunkSec is leveraging AI and repurposing old data breaches to build a new ransomware brand, but the actual success of its efforts remains highly questionable.”
This development comes as Forescout details a Hunters International attack that likely used an Oracle WebLogic Server as the initial entry point to drop the China Chopper web shell. The web shell was then used to carry out a series of post-exploitation activities that ultimately led to the deployment of ransomware.
“Once the attackers gained access, they mapped the network and performed reconnaissance and lateral movement to escalate their privileges,” Forescout said. “The attackers used a variety of common management and red team tools for lateral movement.”