The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

FunkSec Ransomware

Jan 21, 2025 2:22:27 PM / by The Hivemind

Verticals Targeted: Government, Business Services, Education, Insurance, Software, Media, Finance, Agriculture, Manufacturing, Construction, Healthcare, Retail

Executive Summary

FunkSec is a new AI-assisted ransomware as a service (RaaS) that has been in operation since late 2024.

Key Takeaways

  • FunkSec is a new AI-assisted ransomware as a service (RaaS) that has been in operation since late 2024.  
  • While FunkSec’s attacks have been effective and far-reaching, the threat actors behind the ransomware are thought to be unsophisticated. 
  • The group’s tools, including the encryptor, were likely created with AI assistance.
  • The group also appears to have hacktivist origins, with some members being affiliated with groups aligning with the “Free Palestine” movement.

What is FunkSec?

FunkSec is a new AI-assisted ransomware as a service (RaaS) that has been in operation since late 2024. Check Point Research published an analysis of FunkSec ransomware, and PolySwarm analysts consider FunkSec to be an emerging threat.

FunkSec is a ransomware family written in Rust. The group launched its data leak site in December 2024. FunkSec is known for low ransom demands, some as low as $10K USD, and uses double extortion: in addition to demanding a ransom to decrypt files, it steals data and sells or leaks that data if the ransom is not paid.

So far FunkSec has claimed at least 85 victims. Victims have included entities in the government, business services, education, insurance, software, media, finance, agriculture, manufacturing, construction, healthcare, and retail verticals. Victims have been located in France, India, Thailand, Tunisia, Italy, Uzbekistan, Germany, Brazil, Zambia, UAE, Australia, Paraguay, Israel, Venezuela, Kenya, Iran, Nigeria, and the US. 

While FunkSec’s attacks have been effective and far-reaching, the threat actors behind the ransomware are thought to be unsophisticated. Check Point Research noted that the group’s tools, including the encryptor, were likely created with AI assistance. The group also appears to have recycled information published in earlier leaks. In addition to ransomware, FunkSec is known to use FDDOS, a Python-based DDoS tool; JQRAXY_HVNC, a C++ hidden VNC (HVNC) server and client; and funkgenerate, a password generation and scraping tool.

The group also appears to have hacktivist origins, with some members being affiliated with groups aligning with the “Free Palestine” movement. Individual threat actors thought to be affiliated with FunkSec include Scorpion (aka DesertStorm), El_farado, XTN, Blako, and Bjorka. Several key FunkSec actors are thought to operate out of Algeria.

IOCs

PolySwarm has multiple samples of FunkSec. SHA-256 hashes:

66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd
dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac
b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb
5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd
e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22
20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d
dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966

You can use the following CLI command to search for all FunkSec samples in our portal:

$ polyswarm link list -f FunkSec
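As an added example (not part of PolySwarm's bulletin or its tooling), the following Python script streams files under a directory through SHA-256 and reports any whose digest appears in the IOC list above. The IOC strings are validated first so a truncated or mis-pasted hash fails loudly instead of silently never matching. The demo directory, file names and file contents are constructed for illustration; no FunkSec binary is embedded, and a stand-in file's own hash is added to the set only to show what a hit looks like.

```python
"""Sweep a directory tree for files matching the FunkSec SHA-256 IOCs."""
import hashlib
import os
import re
import tempfile

# SHA-256 hashes copied from the IOC list in this bulletin.
FUNKSEC_SHA256 = {
    "66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd",
    "dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac",
    "b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb",
    "5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd",
    "e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22",
    "20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d",
    "dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966",
}

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_iocs(hashes):
    """Lower-case and validate SHA-256 strings; reject anything that is not
    exactly 64 hex characters so a bad paste cannot produce a silent miss."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if not _SHA256_RE.match(h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs):
    """Walk root recursively and return [(path, sha256)] for IOC matches.

    Symlinks are skipped and unreadable files are ignored rather than
    aborting the sweep, which matters on a live host with locked files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


def demo():
    """Constructed demo (hypothetical files, not real samples): a benign text
    file never matches; a stand-in file is reported once its own digest is
    added to the IOC set. Returns (hits_before, names_hit_after)."""
    iocs = normalize_iocs(FUNKSEC_SHA256)
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign sample, not malware\n")
        clean_hits = scan_tree(tmp, iocs)

        stand_in = os.path.join(tmp, "stand_in.bin")
        with open(stand_in, "wb") as fh:
            fh.write(b"constructed stand-in for a known sample\n")
        extended = iocs | {sha256_of_file(stand_in)}
        hits = scan_tree(tmp, extended)
        return len(clean_hits), [os.path.basename(p) for p, _ in hits]


if __name__ == "__main__":
    print(demo())
```

Point scan_tree at a download or staging directory (for example `scan_tree("/srv/uploads", normalize_iocs(FUNKSEC_SHA256))`) to get a list of matching paths; hash matching only catches the exact samples listed, so treat it as a confirmation check rather than a substitute for behavioural detection.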


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Ransomware, Emerging Threat, FunkSec
