FunkSec Ransomware Victims Can Now Recover Files with Free Decryptor

by CybrGPT

A decryptor for the FunkSec ransomware has been developed and made available to download for free by researchers at antivirus provider Avast.

Ladislav Zezul, a malware researcher at Avast’s parent company Gen, said in a recent blog post that his team had cooperated with law enforcement agencies to help victims of the FunkSec ransomware group decrypt files free of charge.

Based on the group’s data leak site, the researchers identified 113 victims.

Analysis suggests the gang initially focused on data exfiltration and extortion before later incorporating encryption into their attacks.

The timeline of their operations indicates that the first victim appeared before the earliest known ransomware sample appeared in 2024, with activity continuing until at least mid-March 2025.

“Because the ransomware is now considered dead, we released the decryptor for public download,” Zezul wrote.

A Low-Skill Ransomware Operation

FunkSec emerged in late 2024. The group’s operators appeared to use AI-assisted malware development.

According to a Check Point report in January 2025, FunkSec operations were likely conducted by inexperienced actors linked to hacktivist activity.

The use of AI assistance “may have contributed to their rapid iteration despite the author’s apparent lack of technical expertise,” the Check Point researchers wrote.

Sergey Shykevich, threat intelligence group manager at Check Point, spoke to Infosecurity about FunkSec during the firm’s CPX 2025 conference in Vienna in February.

“Funksec’s ransomware is not very sophisticated, and the actor behind it is not very technical. He recycled code from other ransomware and took a chance with AI. However, we tested the ransomware and it works, it disrupts services on the machines it targets and encrypts data,” Shykevich told Infosecurity.

How to Use the FunkSec Decryptor

Typical characteristics of the FunkSec ransomware include encrypted files displaying the ‘.funksec’ extension and the presence of a ransom note file called ‘README-{random}.md’ in every folder of the targeted system.

Gen’s Zezul provided the steps for organizations to use the FunkSec decryptor for free:

  1. Download the decryptor binary for 64-bit Windows on Avast
  2. Run the decryptor: Open the file as an administrator and a step-by-step guide will appear
  3. Click Next after reviewing the license info
  4. Choose files to decrypt: Select the drives or folders containing encrypted files (local drives are selected by default)
  5. Keep the backup option enabled (recommended) and click Decrypt. Wait for the process to complete
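
A triage sketch to run before step 4, added here as an example and not part of Avast's or Gen's tooling: it walks a folder tree for the two indicators named above, lists the folders worth selecting in the decryptor, and checks whether free disk space could hold the backups. Treating `{random}` as a wildcard and assuming each backup takes as much space as its encrypted file are assumptions, and the function names are illustrative.

```python
import fnmatch
import os
import shutil
import tempfile

ENCRYPTED_EXT = ".funksec"    # extension named in the article
NOTE_PATTERN = "README-*.md"  # assumption: {random} is treated as a wildcard

def scan_tree(root):
    """Return {folder: {"encrypted": n, "bytes": size, "notes": [names]}}."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        enc = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        notes = sorted(f for f in files if fnmatch.fnmatch(f, NOTE_PATTERN))
        if not (enc or notes):
            continue  # folder shows neither indicator
        size = sum(os.path.getsize(os.path.join(folder, f)) for f in enc)
        hits[folder] = {"encrypted": len(enc), "bytes": size, "notes": notes}
    return hits

def summarize(hits, free_bytes):
    """Totals, plus whether backups would fit (assumed 1:1 with encrypted size)."""
    total = sum(h["bytes"] for h in hits.values())
    return {
        "folders_to_select": sorted(f for f, h in hits.items() if h["encrypted"]),
        "note_only_folders": sorted(f for f, h in hits.items() if not h["encrypted"]),
        "encrypted_files": sum(h["encrypted"] for h in hits.values()),
        "encrypted_bytes": total,
        "backup_fits": free_bytes >= total,
    }

def build_sample(root):
    """Constructed sample tree (not real victim data) so the demo runs offline."""
    layout = {"docs/report.docx.funksec": 2048, "docs/README-a1b2c3.md": 10,
              "empty/README-zz9.md": 10, "clean/README.md": 10, "clean/a.txt": 5}
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(summarize(scan_tree(tmp), shutil.disk_usage(tmp).free))
```

Folders listed under `note_only_folders` hold a ransom note but no `.funksec` files, so they are worth a manual look rather than a decryptor pass.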

© 2025 cybrgpt.com – All rights reserved.