First AI-Driven Ransomware ‘FunkSec’ Claims Over 80 Victims in December 2024

FunkSec, a newly surfaced ransomware group, has garnered significant attention after claiming responsibility for over 80 cyberattacks in December 2024, according to a report by Check Point.
The group appears to operate at the intersection of hacktivism and cybercrime, with its members likely being inexperienced actors seeking recognition and visibility in the cybercrime landscape.
The group’s ransomware, developed in the Rust programming language, is believed to have been created with assistance from artificial intelligence (AI).
Check Point’s analysis suggests the malware’s developer, an inexperienced programmer from Algeria, may have uploaded parts of the ransomware’s source code online.
Operating under the ransomware-as-a-service (RaaS) model, FunkSec employs a double extortion strategy, threatening to release sensitive stolen data unless victims comply with ransom demands.
The group has also launched a data leak website that debuted in December 2024, showcasing additional malicious tools such as a distributed denial-of-service (DDoS) utility, a sophisticated password generation and scraping tool, and a hidden virtual network computing (hVNC) module, which the group claims is undetectable.
The origins of FunkSec trace back to October 2024, when a threat actor using the aliases “Scorpion” and “DesertStorm” introduced the group.
It was later promoted by a potential associate known as “El_Farado.” Other individuals, including “XTN,” “Blako,” and “Bjorka,” are believed to have ties to Scorpion and the group’s activities.
Check Point’s investigation highlights the group’s reliance on AI to enhance their operations. Publicly available scripts linked to FunkSec include detailed code comments written in flawless English, contrasting with the rudimentary English seen in their other communications.
These comments are likely generated by a large language model (LLM). Additionally, the group has released an AI-powered chatbot, based on Miniapps, to facilitate their illicit activities.
When executed, FunkSec’s ransomware disables critical security measures, including Windows Defender’s real-time protection, application and event logging, and PowerShell execution restrictions.
It also deletes shadow copy backups and terminates approximately 50 processes before encrypting files with the “.funksec” extension. A ransom note is then deposited on the compromised system.
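Defenders can watch for the pre-encryption actions described above clustering on a single host. The following is an added example, not code from Check Point's report or from the ransomware itself: it scans constructed process-creation log lines for assumed, commonly seen command-line forms of those actions and alerts when several appear within a short window. The patterns, log format and host names are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line forms of the behaviours the article lists. They are
# common administrative commands, not strings taken from the FunkSec binary.
BEHAVIOURS = {
    "defender_realtime_off": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)", re.I),
    "event_logging_off": re.compile(r"wevtutil(\.exe)?\s+(sl|set-log)\b.*/e:false", re.I),
    "ps_policy_bypass": re.compile(r"Set-ExecutionPolicy\b.*\b(Bypass|Unrestricted)\b", re.I),
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
}

# Constructed sample events: "timestamp | host | command line".
SAMPLE = [
    "2024-12-20T10:00:01 | WS-014 | powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-12-20T10:00:03 | WS-014 | wevtutil sl Security /e:false",
    "2024-12-20T10:00:04 | WS-014 | powershell Set-ExecutionPolicy Bypass -Scope Process -Force",
    "2024-12-20T10:00:09 | WS-014 | vssadmin delete shadows /all /quiet",
    "2024-12-20T09:12:40 | SRV-BKP | vssadmin delete shadows /for=D: /oldest",
    "2024-12-20T11:30:00 | WS-022 | powershell Set-ExecutionPolicy RemoteSigned -Scope CurrentUser",
]

def classify(command_line):
    # Return the names of every behaviour class the command line matches.
    return [name for name, rx in BEHAVIOURS.items() if rx.search(command_line)]

def correlate(lines, window=timedelta(minutes=5), threshold=3):
    # Alert on hosts showing >= threshold distinct behaviours inside one window.
    hits = defaultdict(list)  # host -> [(time, behaviour)]
    for line in lines:
        ts, host, cmd = (part.strip() for part in line.split("|", 2))
        for name in classify(cmd):
            hits[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct behaviours seen from this event to the end of the window.
            seen = {name for t, name in events[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

A single shadow-copy deletion on a backup server or a benign execution-policy change stays below the threshold; it is the combination in quick succession that is worth an alert.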
FunkSec’s ransom demands are notably low, sometimes as little as $10,000. The group has also been observed selling stolen data at discounted prices to other threat actors.
The group’s hacktivist campaigns, which appear to be aimed at bolstering its reputation, have targeted countries such as India and the United States in alignment with the Free Palestine movement.
FunkSec has associated itself with now-defunct hacktivist groups like Ghost Algéria and Cyb3r Fl00d. However, their data leaks often recycle information from earlier campaigns, raising questions about the authenticity of their claims.
Despite their apparent limitations, FunkSec’s Tor-based operations, low ransom demands, and extensive use of AI have drawn considerable attention within cybercrime forums.
Check Point’s report underscores the evolving tactics of this emerging threat and the potential risks posed by their innovative yet concerning use of AI.