New ransomware group Funksec is quickly gaining traction

by CybrGPT

The rise of Funksec’s ransomware, which focuses on extortion through file encryption and data theft, shows how LLMs are empowering ransomware groups.


Threat reports for December showed a newcomer to the ransomware-as-a-service (RaaS) landscape quickly climbing the ranks. Called Funksec, this group appears to be leveraging generative AI in its malware development and its founders are tied to hacktivist activity.

Funksec was responsible for 103 out of 578 ransomware attacks tracked by security firm NCC Group in December, putting it in the top spot for the month with 18% — higher than much more established groups such as CL0P, Akira, and RansomHub.

That said, researchers from security firm Check Point believe its creators are not very experienced in malware development and had their cybercriminal career beginnings in hacktivism, an aspect that’s still visible in Funksec’s other tools.

“In a surprising discovery, our findings indicate that the development of the group’s tools, including the encryptor, was likely AI-assisted, which may have contributed to their rapid iteration despite the authors’ apparent lack of technical expertise,” the researchers said in a report.

Sudden rise to prominence linked to other groups’ activities

Funksec is a RaaS operation that engages in double extortion through file encryption and data theft. The group launched its data leak site, where it quickly listed 85 victims, which is impressive for a group that has no apparent history or connections in the ransomware ecosystem.

According to Check Point, one explanation for this sudden rise and the large number of victims is that at least some of the victims and leaks posted on its site were recycled from previous hacktivist-related activities.

Another aspect that sets Funksec apart from other groups is that its ransomware demands are as low as $10,000 and it is also selling data for relatively small prices. This suggests that the group is focusing on quantity rather than quality in target selection.

Funksec uses a custom ransomware program

The ransomware program used by Funksec is written in Rust and was first uploaded to the multi-engine VirusTotal malware scanning service by its creator in an attempt to boast about its low detection rate. This allowed the researchers to find and analyze multiple variants of the program that were all uploaded to VirusTotal from Algeria.

Moreover, while some versions had a ransomware note identifying the group as Funksec, others had an alternative ransom note attributing the attack to an outfit called Ghost Algeria. The author also failed to remove the compilation variables, revealing a path called C:\Users\Abdellah\ in the source code.
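The leftover build path described above is a common triage find in Rust binaries, which keep source-file locations in their panic strings unless the build strips them. The following is an added example, not code from the article or from Check Point's analysis: it scans a constructed byte blob (not the Funksec sample) for Windows user-profile paths and Rust source paths and reports the usernames they expose. The blob contents, the regexes and the function name are all assumptions.

```python
"""Added triage example: pull embedded build paths out of a binary.

The blob below is constructed for the example; it is not the Funksec
binary. Rust toolchains embed paths like C:\\Users\\<name>\\...\\src\\main.rs
in panic/location strings, so a quick string scan can reveal the
developer's account name, which is the kind of slip the article describes.
"""
import re

# Windows user-profile path: drive letter, \Users\, account name, then the
# rest of the path up to the first non-printable byte.
USER_PATH_RE = re.compile(rb"[A-Za-z]:\\Users\\[^\\\x00 ]+\\[\x21-\x7e]*")

# Rust source path: a Windows drive or POSIX root, then the shortest run of
# printable bytes ending in ".rs".
RUST_SRC_RE = re.compile(rb"(?:[A-Za-z]:\\|/)[\x21-\x7e]*?\.rs\b")

# Constructed sample: a few NUL-terminated strings mimicking what a
# non-stripped Rust build leaves behind. Not real data.
SAMPLE_BLOB = (
    b"MZ\x90\x00junk\x00"
    b"C:\\Users\\builder\\dev\\locker\\src\\main.rs\x00"
    b"called `Option::unwrap()` on a `None` value\x00"
    b"C:\\Users\\builder\\.cargo\\registry\\src\\example\\somecrate-1.0.0\\src\\lib.rs\x00"
    b"/rustc/0000000/library/core/src/panicking.rs\x00"
    b"trailing bytes\x00"
)


def extract_build_paths(blob: bytes) -> dict:
    """Return the distinct user-profile paths, Rust source paths and
    account names found in `blob` (decoded as latin-1 so no byte fails)."""
    user_paths = sorted({m.group(0).decode("latin-1") for m in USER_PATH_RE.finditer(blob)})
    rust_sources = sorted({m.group(0).decode("latin-1") for m in RUST_SRC_RE.finditer(blob)})
    # Path layout is <drive>:\Users\<name>\..., so the account is segment 2.
    usernames = sorted({p.split("\\")[2] for p in user_paths})
    return {"user_paths": user_paths, "rust_sources": rust_sources, "usernames": usernames}


if __name__ == "__main__":
    report = extract_build_paths(SAMPLE_BLOB)
    for key, values in report.items():
        print(key)
        for v in values:
            print("  ", v)
```

On a real sample the same scan would be run over the file bytes read from disk; the account name is the pivot a responder would record alongside the ransom-note variants when clustering builds of the same tool.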

The ransomware program attempts to gain elevated privileges using known techniques for PowerShell scripts, then proceeds to disable Windows Defender real-time protection service, security event logging on the system, and application event logging, remove restrictions placed on PowerShell execution, and finally delete volume shadow copies to prevent system restore.

The malware program then attempts to kill a long list of processes associated with a variety of programs, including browsers, video players, messaging applications, and Windows services. This ensures that access to potentially important files that will subsequently be encrypted is not locked by those applications.

Malware spreads across all drives and subdirectories

The ransomware will then iterate over all drive letters and recurse through all subdirectories, encrypting all files with a list of targeted extensions. The file encryption routine uses the ChaCha20 algorithm with ephemeral keys. Encrypted files have the .funksec extension attached to them.
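The sequence the article describes in the two sections above (disable Defender real-time protection and event logging, relax the PowerShell execution policy, delete shadow copies, then rename every targeted file to .funksec) gives a defender two detection points: the defence-evasion command lines and the rename burst. The following is an added example, not code from the article or from Check Point's report: a small detection pass over constructed endpoint telemetry that flags both stages and combines them per host. The event schema, the sample events, the regex signatures and the burst thresholds are all assumptions.

```python
"""Added detection example over constructed endpoint telemetry.

Stage 1 flags the defence-evasion commands the article attributes to the
Funksec encryptor; stage 2 flags a burst of renames to the .funksec
extension. A host that trips both is reported as encryption in progress.
Event format and sample events are assumptions, not real logs.
"""
import re
from collections import defaultdict, deque

# Stage 1 signatures (assumed: process events carry the full command line).
EVASION_PATTERNS = {
    "defender_realtime_off": re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I),
    "event_log_cleared_or_disabled": re.compile(r"wevtutil(\.exe)?\s+(cl|sl)\s", re.I),
    "execution_policy_relaxed": re.compile(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.I),
    "shadow_copies_deleted": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
}

RANSOM_EXT = ".funksec"   # extension the article says is appended
BURST_THRESHOLD = 5       # assumed tuning: renames needed inside one window
BURST_WINDOW_SEC = 10     # assumed tuning: sliding window length in seconds

# Constructed sample telemetry: ts in seconds, host, event type, fields.
SAMPLE_EVENTS = [
    {"ts": 0, "host": "ws01", "type": "process",
     "cmd": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": 1, "host": "ws01", "type": "process", "cmd": "wevtutil.exe cl Security"},
    {"ts": 1, "host": "ws01", "type": "process",
     "cmd": "powershell.exe Set-ExecutionPolicy Unrestricted -Scope CurrentUser"},
    {"ts": 2, "host": "ws01", "type": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 3, "host": "ws02", "type": "process", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
    # ws01: six renames within six seconds -> burst
    *[{"ts": 5 + i, "host": "ws01", "type": "rename",
       "src": f"D:\\share\\report{i}.docx", "dst": f"D:\\share\\report{i}.docx.funksec"}
      for i in range(6)],
    # ws02: two renames 35 seconds apart -> no burst
    {"ts": 5, "host": "ws02", "type": "rename", "src": "C:\\tmp\\a.txt", "dst": "C:\\tmp\\a.txt.funksec"},
    {"ts": 40, "host": "ws02", "type": "rename", "src": "C:\\tmp\\b.txt", "dst": "C:\\tmp\\b.txt.funksec"},
]


def detect_evasion(events):
    """Return (host, rule_name, cmd) for every process event matching a signature."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        for name, pat in EVASION_PATTERNS.items():
            if pat.search(ev["cmd"]):
                hits.append((ev["host"], name, ev["cmd"]))
    return hits


def detect_rename_burst(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW_SEC):
    """Per-host sliding-window count of renames to RANSOM_EXT.

    Returns {host: first_ts} for each host where `threshold` such renames
    land inside `window` seconds; one alert per host."""
    recent = defaultdict(deque)
    alerted = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "rename" or not ev["dst"].lower().endswith(RANSOM_EXT):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted[ev["host"]] = q[0]
    return alerted


def triage(events):
    """Run both stages; hosts that trip both are reported as encrypting."""
    evasion = detect_evasion(events)
    bursts = detect_rename_burst(events)
    hosts_with_evasion = {h for h, _, _ in evasion}
    return {
        "evasion_hits": evasion,
        "burst_hosts": bursts,
        "encrypting_hosts": sorted(hosts_with_evasion & set(bursts)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, rule, cmd in result["evasion_hits"]:
        print(f"[evasion] {host}: {rule}: {cmd}")
    for host, ts in result["burst_hosts"].items():
        print(f"[burst]   {host}: {RANSOM_EXT} renames starting at t={ts}s")
    print("encrypting hosts:", result["encrypting_hosts"])
```

The stage-1 signatures are noisy on their own (administrators legitimately change execution policy or clear logs), which is why the triage step only escalates a host once the rename burst confirms encryption has started; the threshold and window are the two knobs to tune against a site's normal file-server churn.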

According to Check Point’s researchers, the malware code — part of which was also uploaded to VirusTotal by its author for some reason — uses many redundant function calls and repetitive control flow. The code also has comments in perfect English, a sign that the author likely used the assistance of a large language model (LLM) in its creation.

This is also visible in some of the other tools that Funksec offers for sale, such as a DDoS script written in Python for UDP and HTTP floods, an HVNC server and client for remote management, and a password scraping tool for emails and URLs.

Some of the group’s tools and leaks had notes about two other groups called Ghost Algeria and Cyb3r Fl00d. The group also publicly aligns with the “Free Palestine” movement and stated the U.S. is a main target because of its support for Israel.

“All our strikes with the new ransomware program will be directed at America, targeting the government sector, economy, and companies exporting and producing for the state,” the group said in one of its posts.

Funksec’s rise shows how LLMs are empowering ransomware groups

There are several individuals associated with and promoting Funksec on cybercriminal forums. After all, this aims to be a ransomware-as-a-service operation, so it’s marketed to other cybercriminals who can become affiliates and deploy the program on computers for a commission.

The main admin and promoter of Funksec is a user with the identities Scorpion and DesertStorm. While their YouTube profile lists their country as Russia, in some screenshots they inadvertently leaked their location as Algeria and keyboard layout as French.

DesertStorm was banned from a prominent cybercriminal forum in November, but another user known as El_farado continued to promote Funksec. Another user associated with the group’s data sorting service is XTN.

Funksec’s meteoric rise to the top of ransomware statistics, despite an apparent lack of experience, proves that LLMs are lowering the skill barrier for threat actors to succeed in the ransomware game. It remains to be seen whether the group will manage to gain enough traction, attract affiliates, and continue improving its ransomware program to become a well-established threat rather than just a one-month fluke.
