In late 2024, cybersecurity experts uncovered a new AI-driven ransomware group called FunkSec. FunkSec has already targeted over 85 victims worldwide. The group uses double extortion tactics, combining data theft and encryption.

Their approach pressures victims to pay ransoms. FunkSec is gaining attention for its unusual strategies, such as demanding low ransoms and selling stolen data cheaply.

FunkSec’s Unique Approach

FunkSec launched its data leak site (DLS) in December 2024. The site serves as a hub for their operations. It hosts breach announcements, DDoS attack tools, and ransomware offered under a Ransomware-as-a-Service (RaaS) model. Unlike other ransomware groups, FunkSec sets low ransom demands, sometimes as little as $10,000. They also sell stolen data to buyers for prices between $1,000 and $5,000.

Targeted Countries

Most FunkSec victims are in the U.S., India, Italy, Brazil, Israel, Spain, and Mongolia. The group aims to make a name for itself by recycling data from old hacktivist leaks. This strategy reflects their effort to gain notoriety.

Connection to Hacktivism

FunkSec blurs the line between hacktivism and cybercrime. Some group members previously engaged in hacktivist activities. Their tools and tactics reveal this dual motive. FunkSec claims to support political causes like the “Free Palestine” movement. They also associate with former hacktivist entities like Ghost Algeria and Cyb3r Fl00d.

Key Members of FunkSec

Several individuals are linked to FunkSec’s operations. Scorpion, also known as DesertStorm, is an Algeria-based actor who is promoting the group. Another member, El_farado, emerged after DesertStorm’s ban from online forums. Other key figures include XTN, who works on data sorting, and Blako, tagged alongside El_farado. FunkSec also has loose connections with Bjorka, an Indonesian hacktivist.

AI Assistance in Ransomware Development

FunkSec uses AI to enhance their ransomware tools. This approach has helped them develop and improve their malware quickly. Their latest version, FunkSec V1.5, is written in Rust. Researchers believe the group’s limited technical skills are offset by AI-assisted development.

Technical Details of FunkSec’s Ransomware

The FunkSec ransomware scans directories and encrypts the files it finds. It disables security controls, deletes backups, and shuts down critical processes. Earlier versions of the malware reference FunkLocker and Ghost Algeria, hinting at its roots in Algeria.

Financial and Political Motivations

FunkSec’s activities are driven by both financial and political goals. They use AI and repurpose old leaks to attract buyers and victims. However, experts question the group’s long-term success. FunkSec’s blend of hacktivism and cybercrime makes them a unique threat.

Expert Insights

Cybersecurity experts view FunkSec as part of a growing trend. Groups like FunkSec use AI to enhance cyberattacks and mix political agendas with financial motives. Sergey Shykevich from Check Point Research highlighted the group’s rapid rise in December 2024.

Conclusion

FunkSec represents a new wave of AI-driven ransomware. Their tactics, combining hacktivism and cybercrime, create a dangerous mix. The group’s low ransom demands and use of AI tools show their innovative approach. However, experts remain skeptical about their long-term success. Cybersecurity measures must evolve to counter such emerging threats.
