FunkSec RaaS Operations: Hacktivism Meets Cybercrime
In late 2024, a new threat actor known as FunkSec emerged, quickly gaining prominence by claiming over 85 victims in December alone. Operating as a Ransomware-as-a-Service (RaaS), the group employs double extortion tactics, combining data exfiltration with encryption to pressure victims. While the high volume of claimed victims suggests a significant threat, analysis indicates that the group's technical sophistication is lower than their statistics imply. FunkSec also appears to rely on LLM-assisted development to iterate its malware quickly, even though the code shows signs of inexperienced authorship. The group's activities blur the boundary between hacktivism and financial cybercrime, with motivations that appear to prioritize visibility over financial gain.
In this blog post, we profile FunkSec and analyze their Rust-based encryptor, their unusually low ransom demands, and supplementary tools such as FDDOS. We also discuss how their LLM-assisted development and operational security failures expose their limited technical sophistication.
How Does FunkSec Conduct Operations?
FunkSec appears to have extensively leveraged LLMs to enhance their operational capabilities, as evidenced by their publications and tools. To bypass the safety restrictions common in mainstream tools like ChatGPT, FunkSec has utilized the Miniapps platform to build custom AI chatbots specifically for malicious operations. This reliance on artificial intelligence is further evidenced by the linguistic disparity in their public releases; while the group typically communicates in very basic English, their scripts contain extensive, grammatically perfect comments that were likely generated by an LLM agent. Similar indications of LLM assistance appear in the Rust code associated with their ransomware [1].
The data leak site (DLS) for FunkSec was established in December 2024 to centralize operations. The group is distinguished by demanding unusually low ransoms, often as low as $10,000, and selling stolen data at reduced rates [1].
Geographically, the group claims victims in the United States and India, often framing the attacks around political movements such as "Free Palestine." Despite this hacktivist posture, the underlying operations remain financially motivated, producing a profile that straddles two distinct cybercrime categories [1].
How Does the FunkSec Ransomware Execute?
The malware's main execution logic is sequential: it first attempts to disable security controls and then moves on to the encryption phase. Before either step, it checks the privilege level of the current session [1].
The malware checks for administrative privileges by attempting to execute the net session command, which only succeeds in an elevated context.
If the malware is running with standard user privileges, the command returns an "Access is denied" (System error 5) message. On detecting this lack of privileges, the binary attempts to relaunch itself with elevated permissions through PowerShell (the %~nx0 token is batch-file syntax that expands to the running script's own file name):
start-process -wait -Verb runas -filepath '%~nx0' -ArgumentList '<arguments>'
Once elevated privileges are secured, the ransomware executes a series of commands designed to cripple system defenses, disable logging, and prevent data recovery [1]. The script's own comments describe each of these actions; for example:
# Disables Windows Defender real-time protection.
To ensure files are not locked by active applications during the encryption process, FunkSec utilizes a hardcoded list of processes and services to terminate. This list targets web browsers, communication platforms, development tools, and system utilities [1].
Targeted Processes:
- Browsers: chrome.exe, firefox.exe, msedge.exe
- System/Tools: explorer.exe, taskmgr.exe, cmd.exe, powershell.exe, notepad.exe, tscon.exe
- Applications: outlook.exe, vlc.exe, spotify.exe, skype.exe, discord.exe, steam.exe, wmplayer.exe
- Runtimes: java.exe, python.exe, node.exe
- Services: spooler, bits, dnsclient, lanmanworkstation, winmgmt, netsh, iphlpsvc, wuauserv, RemoteAccess, ShellHWDetection, SCardSvr, TrkWks, wscsvc, CryptSvc, msiserver, MpsSvc, defragsvc, upnphost, WindowsUpdate, srservice, wsmprovhost, AppIDSvc, AudioEndpointBuilder, Schedule, eventlog, PlugPlay, Netman, bthserv, ShellExperienceHost, SMB, WinDefend
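The two pre-encryption behaviours described above (the net session privilege probe followed by a PowerShell -Verb runas self-relaunch, and the burst of kill commands aimed at the hardcoded process and service list) are both visible in process-creation telemetry. The following detection logic is an added example written for this post, not code from the report or from Picus; it runs over constructed events shaped like Sysmon Event ID 1 records, and the parent PIDs, timestamps, window sizes and threshold are all assumptions.

```python
"""Detect FunkSec-style privilege probing and mass termination in process-creation events.

Each event carries: ts (ISO-8601), pid, ppid, image (process name), cmd (command line).
The sample events below are constructed for this example; PID 4100 plays the role of
the suspected ransomware process, PID 5000 is unrelated background activity.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the hardcoded kill list quoted in the report (lower-cased for matching).
KILL_LIST_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "explorer.exe",
                       "taskmgr.exe", "cmd.exe", "powershell.exe", "notepad.exe",
                       "outlook.exe", "java.exe", "python.exe", "node.exe"}
KILL_LIST_SERVICES = {"spooler", "bits", "winmgmt", "wuauserv", "wscsvc", "cryptsvc",
                      "mpssvc", "eventlog", "windefend", "schedule"}

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"ts": "2025-01-10T09:00:01", "pid": 4101, "ppid": 4100, "image": "net.exe",
     "cmd": "net session"},
    {"ts": "2025-01-10T09:00:02", "pid": 4102, "ppid": 4100, "image": "powershell.exe",
     "cmd": "powershell start-process -wait -Verb runas -filepath 'enc.bat'"},
    {"ts": "2025-01-10T09:00:05", "pid": 4103, "ppid": 4100, "image": "taskkill.exe",
     "cmd": "taskkill /F /IM chrome.exe"},
    {"ts": "2025-01-10T09:00:05", "pid": 4104, "ppid": 4100, "image": "taskkill.exe",
     "cmd": "taskkill /F /IM firefox.exe"},
    {"ts": "2025-01-10T09:00:07", "pid": 4105, "ppid": 4100, "image": "sc.exe",
     "cmd": "sc stop WinDefend"},
    {"ts": "2025-01-10T09:00:08", "pid": 4106, "ppid": 4100, "image": "net.exe",
     "cmd": "net stop spooler"},
    # Benign noise: an admin killing a single hung editor from another parent.
    {"ts": "2025-01-10T09:03:00", "pid": 5001, "ppid": 5000, "image": "taskkill.exe",
     "cmd": "taskkill /F /IM notepad.exe"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_privilege_probe_relaunch(events, window=timedelta(seconds=30)):
    """Return the set of parent PIDs that ran `net session` and, within `window`,
    spawned PowerShell with `-Verb runas` (the self-elevation pattern)."""
    hits = set()
    probes = [e for e in events
              if e["image"].lower() == "net.exe" and "session" in e["cmd"].lower()]
    for probe in probes:
        for e in events:
            if e["ppid"] != probe["ppid"] or e["image"].lower() != "powershell.exe":
                continue
            delta = _parse(e["ts"]) - _parse(probe["ts"])
            if "-verb runas" in e["cmd"].lower() and timedelta(0) <= delta <= window:
                hits.add(probe["ppid"])
    return hits


def _kill_target(e):
    """Return the image or service name targeted by taskkill / sc stop / net stop, else None."""
    tokens = e["cmd"].lower().split()
    image = e["image"].lower()
    if image == "taskkill.exe" and "/im" in tokens:
        return tokens[tokens.index("/im") + 1]
    if image in ("sc.exe", "net.exe") and "stop" in tokens:
        return tokens[tokens.index("stop") + 1]
    return None


def detect_mass_termination(events, threshold=3, window=timedelta(seconds=60)):
    """Map parent PID -> sorted list of kill-list targets when one parent terminates at
    least `threshold` distinct kill-list entries inside any `window`-long interval."""
    per_parent = defaultdict(list)
    for e in events:
        target = _kill_target(e)
        if target and (target in KILL_LIST_PROCESSES or target in KILL_LIST_SERVICES):
            per_parent[e["ppid"]].append((_parse(e["ts"]), target))
    hits = {}
    for ppid, items in per_parent.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = {t for ts, t in items[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                hits[ppid] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    print("self-elevation parents:", detect_privilege_probe_relaunch(SAMPLE_EVENTS))
    print("mass-termination parents:", detect_mass_termination(SAMPLE_EVENTS))
```

Both rules key on the parent PID rather than on any single child, because each individual taskkill or sc stop is routine on an administered host; it is the sequence from one parent that is characteristic. The single notepad.exe kill from the unrelated parent stays below the threshold and is not reported.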
Following system preparation, the malware iterates through all available drive letters. It recursively traverses subdirectories to identify and encrypt files.
The encryption mechanism relies on the ChaCha20 stream cipher, specifically the implementation found in the orion.rs Rust crate. To generate unique encryption parameters, the malware creates ephemeral keys using a lightweight wrapper around the Windows API CryptGenRandom (specifically SystemFunction036) [1].
Encrypted files are renamed using the Rust format! macro, appending the hardcoded extension: .funksec [1].
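Because ChaCha20 is a stream cipher, its output is statistically indistinguishable from random data, so the .funksec extension alone does not prove a file was actually encrypted rather than merely renamed. The triage helper below is an added example written for this post (not code from the report or from Picus): it walks a directory tree, collects files carrying the hardcoded extension, and measures the Shannon entropy of each file's leading bytes to separate genuinely encrypted files from untouched ones. The entropy threshold, sample size and the demo directory contents are assumptions.

```python
"""Triage files with the .funksec extension by content entropy.

Encrypted output from a stream cipher has close to 8 bits of entropy per byte;
plain text, office documents and most source files sit well below that.
The demo tree built by build_demo_tree() is constructed for this example.
"""
import math
import os
import tempfile
from collections import Counter

FUNKSEC_EXT = ".funksec"
ENTROPY_THRESHOLD = 7.5   # assumption: bits per byte; the maximum is 8.0
SAMPLE_BYTES = 4096        # assumption: how much of each file to measure


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def classify_file(path: str) -> dict:
    """Measure the leading SAMPLE_BYTES of one file and flag it if it looks encrypted."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    return {
        "name": os.path.basename(path),
        "path": path,
        "size": os.path.getsize(path),
        "entropy": round(entropy, 2),
        "looks_encrypted": entropy >= ENTROPY_THRESHOLD,
    }


def triage(root: str) -> list:
    """Return classification records for every .funksec file under root, sorted by path."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(FUNKSEC_EXT):
                results.append(classify_file(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["path"])


def build_demo_tree() -> str:
    """Constructed sample tree: one random-content .funksec file standing in for a real
    encrypted file, one plaintext file that was only renamed, and one untouched file."""
    root = tempfile.mkdtemp(prefix="funksec_triage_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.docx.funksec"), "wb") as fh:
        fh.write(os.urandom(8192))                      # stand-in for ChaCha20 output
    with open(os.path.join(docs, "notes.txt.funksec"), "wb") as fh:
        fh.write(b"plain text that was renamed but never encrypted\n" * 100)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"untouched file, no ransomware extension\n")
    return root


if __name__ == "__main__":
    for record in triage(build_demo_tree()):
        print(f"{record['name']:28} {record['entropy']:5.2f}  encrypted={record['looks_encrypted']}")
```

Reading only the first few kilobytes keeps the scan cheap on large shares, and a low-entropy .funksec file is worth a second look during recovery: it may be a file the encryptor renamed but failed to finish, or a decoy.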
After encryption completes, the malware drops a ransom note file. The note makes heavy use of emojis and provides instructions for payment in Bitcoin. It opens with the following header [1]:
# 🔒 FUNKLOCKER DETECTED 🔒
What Additional Tools Does the Group Utilize?
Beyond the ransomware executable, several additional tools are distributed by FunkSec [1], often free of charge, which align with hacktivist tactics.
FDDOS (Scorpion DDoS Tool)
FDDOS is a Python-based network stress-testing tool designed to execute Distributed Denial-of-Service (DDoS) attacks. HTTP and UDP flood methods are supported.
JQRAXY_HVNC
This tool is a C++ Hidden Virtual Network Computing (HVNC) program, comprising both a server and a client. It is used for remote desktop management, allowing actors to interact with a victim's machine without alerting the user.
funkgenerate
funkgenerate is a credential scraping and generation tool. It is designed to extract emails from URLs and generate potential password combinations, likely for credential stuffing attacks.
Who Are the Threat Actors Behind FunkSec?
Investigation into the group's online presence reveals a network of personas linked to Algeria [1].
- Scorpion (DesertStorm): A central figure in the group. OpSec failures by this actor, such as posting screenshots with French keyboard layouts and Algerian locale settings, provided key attribution data.
- El_Farado: This actor took over the promotional role after "DesertStorm" was banned from forums. El_Farado's activity included asking basic hacking questions, further supporting the assessment of the group's limited technical expertise.
- Affiliations: The group attempts to associate itself with "Ghost Algéria" and "Cyb3r Fl00d," and its ransom notes sometimes reference these entities.
How Does Picus Simulate FunkSec Ransomware Attacks?
We strongly suggest simulating FunkSec ransomware attacks with the Picus Security Validation Platform to test the effectiveness of your security controls against real-life cyber attacks. You can also test your defenses against hundreds of other ransomware variants, such as HybridPetya, Yurei, BlackNevas, and CyberVolk, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the FunkSec Ransomware:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 32566 | FunkSec Ransomware Email Threat | Network Infiltration |
| 66869 | FunkSec Ransomware Download Threat | Network Infiltration |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
Key Takeaways
- FunkSec is a Ransomware-as-a-Service group that emerged in late 2024, characterized by a high victim volume despite low technical sophistication.
- The group extensively leverages LLM-assisted development to generate code and communications, utilizing custom chatbots to bypass standard safety restrictions.
- Their operations blur the lines between financial crime and hacktivism, targeting specific geopolitical regions while demanding unusually low ransom payments.
- The primary malware is a Rust-based encryptor that employs double extortion tactics, utilizing the ChaCha20 cipher to lock files after disabling system defenses.
- Beyond ransomware, the group distributes supplementary tools for Distributed Denial-of-Service attacks, remote desktop management, and credential scraping.
- Operational security failures and digital footprints link the threat actors to Algeria, revealing a network of inexperienced individuals rather than advanced persistent threats.
References
[1] “FunkSec – Alleged Top Ransomware Group Powered by AI,” Check Point Research. Accessed: Nov. 20, 2025. [Online]. Available: https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/