AI-Driven Ransomware FunkSec Targets 85 Victims in December 2024

A novel artificial intelligence-assisted ransomware group named FunkSec has emerged in the cybersecurity landscape, claiming responsibility for over 85 cyberattacks during December 2024, according to a comprehensive report by Check Point Research.

The group operates at a unique intersection between hacktivism and cybercrime, with its members appearing to be relatively inexperienced actors seeking recognition and visibility in the digital underground. Their ransomware, developed using the Rust programming language, is believed to have been created with significant artificial intelligence assistance.

Check Point's detailed analysis suggests the malware's developer, an inexperienced programmer located in Algeria, may have inadvertently uploaded portions of the ransomware source code online. Operating under the ransomware-as-a-service (RaaS) model, FunkSec employs a double extortion strategy, threatening to release sensitive stolen data unless victims comply with ransom demands.

The group launched a data leak website in December 2024, showcasing additional malicious tools including a distributed denial-of-service (DDoS) utility, a sophisticated password generation tool, and a hidden virtual network computing (hVNC) module. These tools demonstrate the group's technical capabilities and diverse operational strategies.

FunkSec's origins can be traced back to October 2024, when a threat actor using aliases like "Scorpion" and "DesertStorm" first introduced the group. Subsequently, other potential associates such as "El_Farado," "XTN," "Blako," and "Bjorka" became involved in promoting and expanding the group's activities.

Researchers discovered the group's extensive reliance on AI technology to enhance their operations. Publicly available scripts linked to FunkSec feature detailed code comments written in flawless English, contrasting sharply with the rudimentary language used in their other communications. These comments are likely generated by advanced large language models.

When executed, the FunkSec ransomware disables critical security measures, including Windows Defender's real-time protection, application and event logging, and PowerShell execution restrictions. The malware deletes shadow copy backups and terminates approximately 50 processes before encrypting files with the ".funksec" extension.

Notably, the group's ransom demands are unusually low, sometimes as little as $10,000, and they have been observed selling stolen data at discounted prices to other threat actors. Their hacktivist-style campaigns target countries like India and the United States, aligning themselves with the Free Palestine movement.

While FunkSec has associated itself with defunct hacktivist groups like Ghost Algéria and Cyb3r Fl00d, many of their data leaks appear to recycle information from previous campaigns, raising questions about the authenticity of their claims.

Despite their apparent limitations, FunkSec's innovative use of AI, Tor-based operations, and low ransom demands have drawn significant attention within cybercrime forums. The group represents an evolving threat landscape where artificial intelligence enables less technically skilled actors to develop sophisticated malware tools.

Check Point's report underscores the potential risks posed by such innovative yet concerning applications of AI in cybercrime, highlighting the need for continued vigilance and advanced cybersecurity strategies.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this. 

You may also like these articles: Here are the 5 most contextually relevant blog posts: