A new ransomware group dubbed FunkSec, which emerged in late 2024, has claimed to have targeted 85 victims in December alone, according to Check Point Research (CPR).
In a January 10 report, CPR noted that FunkSec operators appear to use AI-assisted malware development.
CPR noted that this AI capability can enable even inexperienced actors to quickly produce and refine advanced tools.
Publicly Available Information About FunkSec
Presenting itself as a new ransomware-as-a-service (RaaS) operation, FunkSec appears to have no known connections to previously identified ransomware gangs.
Little information is currently available about its origins or operations.
Check Point indicated that the group uses double extortion tactics, combining data theft with encryption to pressure victims into paying ransoms.
While largely unknown before December 2024, the group published victim data for over 85 organizations that month, surpassing the activity of all other ransomware groups.
The group's data leak site reveals victims spanning all continents.
Despite the high number of victims, a significant portion of the group's leaked datasets appear to be recycled from previous hacktivism campaigns, raising questions about the authenticity of their claims.
The Check Point researchers noted that the group demands unusually low ransoms, sometimes as little as $10,000 and sells stolen data to third parties at reduced prices.
Low-Skilled Operators Tied to Hacktivist Groups
Despite the high numbers of published victims, the Check Point researchers assessed that the reality of FunkSec’s impact is modest, both in terms of actual victims as well as the group’s level of expertise.
FunkSec operations are likely conducted by inexperienced actors linked to hacktivist activity, the researchers judged.
The ransomware group’s tools incorporate those commonly associated with hacktivist activity.
The FunkSec offering includes a custom-developed distributed denial-of-service (DDoS) tool, a tool designed for remote desktop management, automation and data interaction and a smart password generation and scraping tool.
Check Point’s analysis of the group’s public operations and tools highlighted a custom encryptor likely developed by a relatively inexperienced malware author based in Algeria.
Some of the ransomware group’s tooling was likely developed using AI-assisted development solutions, CPR commented.
This use of AI assistance “may have contributed to their rapid iteration despite the author’s apparent lack of technical expertise,” the researchers wrote.
FunkSec has leveraged multiple personas to gain visibility and attempted to associate itself with several now defunct hacktivist groups, including Ghost Algéria and Cyb3r Fl00d.
The group also appears to target organizations in countries aligned with or who support Israel.