FunkSec – Alleged Top Ransomware Group Powered by AI

The FunkSec ransomware group first emerged publicly in late 2024, and rapidly gained prominence by publishing over 85 claimed victims—more than any other ransomware group in the month of December. Presenting itself as a new Ransomware-as-a-Service (RaaS) operation, FunkSec appears to have no known connections to previously identified ransomware gangs, and little information is currently available about its origins or operations.

Our analysis of the group’s activity indicates that the impressive numbers of published victims may mask a more modest reality both in terms of actual victims as well as the group’s level of expertise. Most of FunkSec’s core operations are likely conducted by inexperienced actors. In addition, it is difficult to verify the authenticity of the leaked information as the group’s primary goal appears to be to gain visibility and recognition. Evidence suggests that in some instances, the leaked information was recycled from previous hacktivist-related leaks, raising questions about its authenticity.

In this report, we explore FunkSec’s ties to hacktivist activity and provide an in-depth analysis of the group’s public operations and tools, including a custom encryptor likely developed by a relatively inexperienced malware author based in Algeria. In a surprising discovery, our findings indicate that the development of the group’s tools, including the encryptor, was likely AI-assisted, which may have contributed to their rapid iteration despite the author’s apparent lack of technical expertise

This case highlights the increasingly blurred line between hacktivism and cybercrime, emphasizing the challenges in distinguishing one from the other. Whether such a distinction genuinely exists—or whether the operators are even aware of or concerned with defining it—remains uncertain. More importantly, It also calls into question the reliability of current methods for assessing the risk posed by ransomware groups, especially when those assessments rely on the public claims of the actors themselves.

FunkSec is an emerging ransomware group that launched its data leak site (DLS) in December 2024 to centralize their ransomware activities. The group uses double extortion tactics, combining data theft with encryption to pressure victims into paying ransoms. Their DLS features breach announcements, a custom-developed DDoS tool, and, more recently, a custom ransomware offered as a Ransomware-as-a-Service (RaaS).

FunkSec gained public attention due to their aggressive tactics and the number of their targets, with more than 85 claimed victims in little over a month of activity. Notably, FunkSec demanded unusually low ransoms, sometimes as little as $10,000, and sell stolen data to third parties at reduced prices. The group’s activities are widely discussed in cybercrime forums, further contributing to their growing notoriety.

Closer analysis of FunkSec’s activities and DarkWeb discussions offers some tantalizing hints about the group, namely that their motivations seem to straddle the line between hacktivism and cybercrime. Interestingly, some members linked to FunkSec previously engaged in hacktivist activities, adding a complex layer to their operations and raising questions about their true objectives. This blend of tactics and backgrounds made FunkSec a particularly intriguing case for deeper investigation.

FunkSec operators recently began to offer their rapidly evolving custom ransomware. With each new version, many of them published only days apart, their website is updated to highlight the added features. In the announcement for the latest version V1.5, the operators boasted about its low detection rate, sharing a VirusTotal screenshot that showed it was detected by only three antivirus engines at the time of publication.

The file referenced in their publication( `5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd`), named `dev.exe`, was uploaded from an Algerian source, and truly was detected by only 3 engines at the time of upload. The ransomware is identified by using the extension “.funksec”, written in Rust and compiled on the environment of `C:UsersAbdellah`. A full analysis of the malware is provided in the Technical Analysis section.

In our analysis of this ransomware, we uncovered all its versions which point to an ongoing development effort likely carried out by an inexperienced malware author. Notably, most of the versions were uploaded from Algeria, likely by the author himself. Analysis of those samples reveals two variants of the ransom notes. The first references FunkSec, and the second one references Ghost Algeria, another indication that the developer is from Algeria.

Interestingly, the author also uploaded parts of the malware’s source code, written in Rust. The source code file, named `*ransomware.rs*`, has parts of the functionality of the compiled binaries and was uploaded to VirusTotal on December 15 from an Algerian source. This prototype version of the ransomware is a simplified implementation and includes these functions:

`C:directory) using a combination of RSA and AES encryption. The original files are deleted after encryption, and encrypted versions with a new extension (` `.funksec) are created.` `readme.me) informing the user that their files have been encrypted and providing instructions for paying a ransom to obtain a decryption key.`

In addition to the ransomware, the FunkSec group offers additional tools, most of them commonly associated with hacktivist activity.

In late 2024, FunkSec emerged without warning and quickly dominated ransomware victim feeds and monitors, seemingly under the guise of hacktivism. By targeting India and the U.S., and aligning with the “Free Palestine” movement, the group leveraged multiple personas and aliases to craft its image and gain visibility.

Scorpion is the most prominent member of FunkSec and is associated with major portions of the group public profiles. This actor uses multiple aliases, most prominently **DesertStorm**.

The actor first surfaced on the Breached Forum, introducing the FunkSec name through a YouTube video posted via the channel “Scorpion” (@scorpioncybersec) in October 2024. The video alleged that FunkSec leaked a call between then-U.S. presidential candidate Donald Trump and Israeli Prime Minister Benjamin Netanyahu. However, the recording was clearly AI-generated.

DesertStorm’s YouTube profile listed their location as Russia, though the video’s shared URL suggested it was uploaded from Brazil. DesertStorm continued posting leaks on Breached Forum—most unverified or not credited to FunkSec—until the account was banned in November 2024.

In one of DesertStorm’s posts, they inadvertently shared compromising screenshots that revealed their location to be Algeria, with French-language keyboard settings. A suspected associate, **XTN**, publicly alerted DesertStorm to this operational security (OpSec) lapse, but DesertStorm did not remove the compromising information.

Before DesertStorm’s ban, the actor began tagging two other users, **El_Farado** and **Blako**, in forum posts related to FunkSec leaks and activities. While Blako remained inactive on the forums, El Farado gradually assumed a prominent role, promoting FunkSec on forums, sharing leaks, and adding the group’s .onion site to their signature.

The actor is also linked to a Keybase account under the name “Scorpionlord,” where they are listed as the admin of FunkSec. This account is tied to the FunkSec shame site and DesertStorm’s user on Breached Forum. Scorpionlord is also the username on two other cybercrime forums where the FunkSec’s website was promoted (these users were since removed).

Notably, El Farado’s Keybase profile was registered on the same day as Scorpionlord’s, suggesting a coordinated effort. A third Keybase profile, **Blako**, was registered only a few days later, further supporting the idea that these personas were all closely linked.

El Farado emerged as a key figure in FunkSec’s operations after DesertStorm’s ban from Breached Forum in November 2024. El Farado took on the task of promoting FunkSec, ensuring its visibility on the forum and sharing alleged leaks.

Key connections to FunkSec include:

XTN is associated with FunkSec’s “data sorting” service advertised on their website, while this service’s purpose is not fully clear. Their Keybase account, “xtnn,” connects to their Breached Forum profile, where they describe their location as “El Farado’s room” and reference El Farado in their signature. XTN further solidified their link to FunkSec by publicly warning DesertStorm about their OpSec lapse.

Bjorka, a known Indonesian hacktivist, has a murkier connection to FunkSec. While leaks attributed to FunkSec were reposted by a user named Bjorka on DarkForums, no direct collaboration was verified. Additionally, a Telegram channel named “Bjorkanism” claimed credit for some FunkSec operations, referring to them as “Bjorkanism Ransomware (FunkSec).” These claims are not supported by Bjorka’s official platforms, suggesting attempts at impersonating FunkSec or at most, a loose affiliation.

FunkSec attempted to associate itself with several defunct hacktivist groups:

These associations likely represent attempts to boost FunkSec’s credibility by aligning with well-known names rather than direct membership or collaboration.

The individuals behind FunkSec appear to have extensively leveraged AI to enhance their capabilities, as evidenced by their publications and tools. Their public script offerings include extensive code comments with perfect English (as opposed to very basic English in other mediums), likely generated by an LLM agent. Similar patterns are visible in the Rust source code linked to the group’s ransomware, suggesting it may have been developed with AI assistance.

In some of their published messages, the group specifically linked the development of their ransomware to AI-assisted agents, likely providing it with the source code for the ransomware and simply shared the output on their site.

The use of such tools aligns closely with the group’s public claims, as they also released an AI chatbot based on Miniapps to support their operations. Miniapps is a platform that facilitates the creation and use of AI applications and chatbots, often without the restrictions found in more popular systems like ChatGPT. The bot developed by FunkSec is specifically designed to support malicious activities.

To better understand the malware, we examined one of the circulated samples. This is a stripped Rust binary, which makes it challenging to effectively reverse engineer. In particular, it is subject to aggressive in-lining of library code (see our previous publication, Inside Akira Ransomware’s Rust Experiment for a clear demonstration of how this works, and how this complicates reverse engineering tasks), and contains many trait implementations that a disassembler may not recognize out of the box, many of which are wrappers for e.g. `WriteFileEx` or `CryptGenRandom`. However, a careful analysis reveals some interesting details.

Overall, we were mainly struck by the amount of redundancy in the binary. Control flow seems to repeat itself and call functions again and again from various execution paths; in a typical ransomware, these would only be called once. For example, in this sequence of operations:

Across the entire binary many of these functions are called twice, or even three or four times; the ‘disable security’ routine, seen above, is called twice in the same basic block. The below recursive function, which iterates into all subdirectories of a given directory and encrypts the targeted files in it, is called a total of _five_ times across the binary.

Some of the repetition is due to duplicated code that invokes the ‘encrypt all directories’ logic with different hardcoded constants each time, such as this invocation that uses the constant `RansomwarePassword123`:

Aside from the duplicated functionality, the main execution flow of the malware first calls the operations sequence seen earlier (“disable security”, and so on) and then transfers execution to an ‘encrypt all drives’ function. The operations sequence begins by checking whether it has elevated privileges (by trying to execute `net session`). If not, the binary attempts to relaunch itself with elevated privileges, using the method described here ( `start-process -wait -Verb runas -filepath ‘%~nx0’ -ArgumentList ”`).

Once it has elevated privileges, the malware executes the following commands:

The `terminate_processes` function contains a hardcoded list of processes and services to terminate:

Next, the malware moves on to iterating over each letter drive, recursing through its subdirectories and encrypting each file with one of the targeted extensions. For file encryption, the symmetric encryption used is the chacha20 implementation available in the orion.rs crate. Ephemeral keys are generated using a thin wrapper for `CryptGenRandom` (and the descriptively-named `SystemFunction036`). The newly created filename, with the hardcoded `.funksec` extension, is created using a call to Rust’s `format!` macro.

The malware then writes to disk the (rather emoji-fied) ransom note.

This report provides an in-depth analysis of FunkSec, a ransomware group with apparent hacktivist tendencies. The custom encryptor, developed by an inexperienced Algerian author, features AI-assisted elements which enables rapid development and improvement. FunkSec’s data leaks often recycle information from previous hacktivist campaigns, casting doubt on the authenticity of their claims. Despite these limitations, their Tor-based operations and low ransom demands have drawn widespread attention in cybercrime forums.

FunkSec’s operations highlight the role of AI in malware development, the overlap between hacktivism and cybercrime, and the challenges in verifying leaked data. It also raises questions about how we assess the threat posed by ransomware groups, as we often rely on the groups’ own claims. These findings reflect a changing threat landscape, where even low-skill actors can make use of accessible tools to cast a very large shadow.

Harmony Endpoint provides comprehensive endpoint protection at the highest security level, crucial to avoid security breaches and data compromise and protects against this threat.

“`
c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c 66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb 5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22 20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966 7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603
“`

Leave a Reply

Your email address will not be published. Required fields are marked *