The emergence of FunkSec marks a significant development in the cybercrime landscape, combining unusually low ransom demands with double extortion tactics that pair data theft with file encryption.

In late 2024, a new ransomware family known as FunkSec emerged, reportedly claiming over 85 victims across various countries, with the majority located in the United States, India, Italy, Brazil, Israel, Spain, and Mongolia. Cybersecurity researchers from Check Point Research highlighted the group’s activities in a report shared with The Hacker News.

FunkSec makes use of double extortion tactics, combining data theft with file encryption to compel victims into paying ransoms. Notably, these ransom demands are unusually low, sometimes capped at $10,000, while the stolen data is offered to third-party buyers at significantly reduced prices, between $1,000 and $5,000. This practice positions FunkSec as both a ransomware group and a data broker.

The group launched its data leak site (DLS) in December 2024, aimed at centralising its operations. The site features breach announcements and a custom tool for conducting distributed denial-of-service (DDoS) attacks, encapsulating its activities within a ransomware-as-a-service (RaaS) model. According to Check Point, FunkSec’s operations may be indicative of novice cybercriminals seeking notoriety by recycling information from past hacktivist-related leaks.

The origins and affiliations of FunkSec blur the distinction between cybercrime and hacktivism. Check Point’s analysis indicates that members of this group may have been involved in hacktivist activities, particularly targeting India and the U.S., and aligning with the “Free Palestine” movement. The group appears to be trying to associate itself with defunct hacktivist entities, including Ghost Algeria and Cyb3r Fl00d.

Key actors in FunkSec include a suspected Algeria-based individual known as Scorpion (also referred to as DesertStorm), who has been promoting the group on underground forums; El_farado, who has emerged as a prominent figure in advertising FunkSec after DesertStorm’s removal from Breached Forum; and various others like XTN and Bjorka, whose roles hint at a loose affiliation or impersonation attempts within the group.

The development of FunkSec’s tools, including its ransomware, appears to be aided by artificial intelligence, which may have expedited their progression despite the apparent lack of technical expertise. The latest iteration of the ransomware, FunkSec V1.5, is reported to be written in Rust and shows indications of being uploaded from Algeria.

The ransomware is designed to methodically encrypt targeted files after disabling security measures and deleting shadow copy backups, while also terminating a predetermined list of processes. Sergey Shykevich, threat intelligence group manager at Check Point Research, stated, “2024 was a very successful year for ransomware groups, while in parallel, the global conflicts also fueled the activity of different hacktivist groups.” He remarked that FunkSec represents a notable instance of blurring lines between hacktivism and cybercrime.
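The behaviours described above (shadow-copy deletion, tampering with security tooling and killing a list of processes) are visible in process-creation telemetry before any file is encrypted. The following detection sketch is an added example, not code from the article or from Check Point; the command lines it matches are assumed, commonly abused examples rather than FunkSec's actual ones, and the log events are constructed.

```python
import re

# Constructed Sysmon Event ID 1 style process-creation events (not real telemetry).
# The command lines are assumed, commonly abused examples; the article does not
# name the exact commands FunkSec runs.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmd": "wmic shadowcopy delete"},
    {"host": "ws01", "cmd": "net stop WinDefend"},
    {"host": "ws01", "cmd": "taskkill /F /IM sqlservr.exe"},
    {"host": "ws02", "cmd": "vssadmin.exe list shadows"},  # routine admin listing
    {"host": "ws02", "cmd": "taskkill /PID 4242"},         # single-process kill
]

# Each rule maps a behaviour named in the article to a command-line pattern.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("security_tool_tampering", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*(defend|sense)\S*", re.I)),
    ("process_termination", re.compile(r"\btaskkill(\.exe)?\s+.*\s/IM\s+\S+", re.I)),
]


def match_event(event):
    """Return the set of behaviour labels whose pattern matches the command line."""
    return {label for label, pattern in RULES if pattern.search(event["cmd"])}


def score_hosts(events):
    """Aggregate labels per host and flag a host only when shadow-copy deletion
    co-occurs with another precursor, so a lone admin command is not an alert."""
    per_host = {}
    for event in events:
        per_host.setdefault(event["host"], set()).update(match_event(event))
    return {
        host: {"categories": sorted(labels),
               "flagged": "shadow_copy_deletion" in labels and len(labels) >= 2}
        for host, labels in per_host.items()
    }


if __name__ == "__main__":
    for host, verdict in score_hosts(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Requiring two distinct precursor categories on the same host keeps a routine `vssadmin list shadows` from paging anyone, while the chained deletion, service stop and mass kill on ws01 is flagged.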

In a related development, Forescout reported on a cyberattack involving Hunters International, which likely exploited an Oracle WebLogic Server as its initial access route to deploy a China Chopper web shell. The web shell then allowed the attackers to carry out reconnaissance and lateral movement within the network, ultimately leading to the ransomware deployment.

The emergence of FunkSec and other contemporary cyber threats reflects a complex landscape in the realm of cybercrime, where financial motives and political agendas intertwine, leading to an evolving array of tactics and methodologies among cybercriminal actors.

Source: Noah Wire Services
