Cyber security researchers shed light on nascent family of artificial intelligence (AI) ransomware FunkSec which originated in late 2024 and has claimed more than 85 lives to date.
“The group uses a two-pronged extortion tactic, combining data theft with encryption to force victims to pay the ransom,” Check Point Research notes. said in a new report shared with The Hacker News. “Notably, FunkSec demanded unusually low ransoms, sometimes as low as $10,000, and sold the stolen data to third parties at discounted prices.”
FunkSec launched its Data Leakage Site (DLS) in December 2024 to “centralize” its ransomware operations, highlighting breach announcements, a custom tool for conducting distributed denial-of-service (DDoS) attacks, and custom ransomware as part of the ransomware. model as a service (RaaS).
Most of the victims are in the USA, India, Italy, Brazil, Israel, Spain and Mongolia. An analysis of the group’s activities by Check Point found that it is likely the work of novice actors seeking to gain notoriety by recycling leaked information from previous hacktivist-related leaks.
Some members of the RaaS group have been found to have engaged in hacktivist activities, highlighting the continuing blurring of lines between hacktivism and cybercrime, as have nation-state actors and organized cybercriminals. are increasingly exhibited “an alarming convergence of tactics, methods, and even goals.”
They also claim to target India and the US, aligning themselves with the Free Palestine movement and attempting to link up with defunct hacker organizations such as Ghost Algeria and Cyb3r Fl00d. Some of the notable actors associated with FunkSec are listed below –
- A suspected Algerian actor named Scorpion (aka DesertStorm) who promoted the group on underground forums such as Breached Forum
- El_farado, who became a major figure in the FunkSec promotion after DesertStorm was banned from the Breached Forum
- XTN, a likely partner involved in an as-yet-unknown “data sorting” service
- Blako, who was tagged by DesertStorm along with El_farado
- Bjorka, a prominent Indonesian hacktivist whose pseudonym has been used to claim leaks attributed to FunkSec on DarkForums, indicating either a loose affiliation or their attempts to impersonate FunkSec
The presence of DDoS attack tools, as well as tools related to remote desktop control (JQRAXY_HVNC) and password generation (funkgenerate) suggests that the group is also involved in hacking activities.
“The development of the group’s tools, including the cipher, was likely done with the help of artificial intelligence, which could have contributed to their rapid iteration, despite the author’s apparent lack of technical knowledge,” Check Point said.
The latest version of the ransomware called FunkSec V1.5 is written in Rust with an artifact loaded to the VirusTotal platform from Algeria. Research into older versions of the malware suggests that the threat actor is also from Algeria, thanks to links to FunkLocker and Ghost Algeria.
The ransomware binary is configured to recursively traverse all directories and encrypt target files, but not before escalating privileges and taking steps to disable security controls, delete shadow copy backups, and stop a hard-coded list of processes and services.
“2024 was a very successful year for ransomware groups, while global conflicts also fueled the activity of various hacker groups,” Siarhei Shykevich, manager of the threat intelligence group at Check Point Research, said in a statement.
“FunkSec, a new group that recently emerged as the most active ransomware group in December, is blurring the lines between hacking and cybercrime. Driven by both political goals and financial incentives, FunkSec uses artificial intelligence and repurposes old data leaks to create a new brand of ransomware, although the actual success of their operations remains highly questionable.”
The development is happening as Forescout detailed a Attack of the International Hunter which likely used Oracle WebLogic Server as the initial entry point to remove the China Chopper web shell, which was then used to perform a series of post-exploitation activities that ultimately led to the deployment of the ransomware.
“After gaining access, the attackers conducted reconnaissance and lateral movement to map the network and elevate privileges,” Forescout said. said. “The attackers used a variety of common administration tools and the red command for lateral movement.”
