In late 2024, a new threat actor known as FunkSec emerged, quickly gaining prominence by claiming over 85 victims in December alone. Operating as a Ransomware-as-a-Service (RaaS), the group employs double extortion tactics, combining data exfiltration with encryption to pressure victims. While the high volume of claimed victims suggests a significant threat, analysis indicates that the group's technical sophistication may be lower than their statistics imply. It is observed that FunkSec likely utilizes LLM-assisted development to rapidly iterate its malware, despite signs of inexperienced authorship. The group's activities blur the boundary between hacktivism and financial cybercrime, with motivations that appear to prioritize visibility over financial gain.
In this blog post, we will profile FunkSec and analyze their Rust-based encryptor, unique low-ransom tactics, and supplementary tools like FDDOS. Also, we will discuss how their LLM-assisted development and operational security failures expose their limited technical sophistication.
FunkSec appears to have extensively leveraged LLMs to enhance their operational capabilities, as evidenced by their publications and tools. To bypass the safety restrictions common in mainstream tools like ChatGPT, FunkSec has utilized the Miniapps platform to build custom AI chatbots specifically for malicious operations. This reliance on artificial intelligence is further evidenced by the linguistic disparity in their public releases; while the group typically communicates in very basic English, their scripts contain extensive, grammatically perfect comments that were likely generated by an LLM agent. Similar indications of LLM assistance appear in the Rust code associated with their ransomware [1].
The data leak site (DLS) for FunkSec was established in December 2024 to centralize operations. The group is distinguished by demanding unusually low ransoms, often as low as $10,000, and selling stolen data at reduced rates [1].
Geographically, the group claims to target entities in the United States and India, often framing these claims around political movements such as "Free Palestine." Despite this hacktivist posture, the underlying operations remain financially motivated, creating a complex profile that straddles two distinct cybercrime categories [1].
The malware's primary execution logic follows a sequential path: it attempts to disable security controls and then proceeds to the encryption phase. However, the initial step involves verifying the permissions level of the current session [1].
The malware checks for administrative privileges by attempting to execute the net session command.
If the malware is running with standard user privileges, this command returns an "Access is denied" (System error 5) message. Upon detecting this lack of privileges, the binary attempts to relaunch itself with elevated permissions using PowerShell.
```
start-process -wait -Verb runas -filepath '%~nx0' -ArgumentList '<arguments>'
```
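Either step of this sequence is common on its own (administrators run `net session`, and `Start-Process -Verb runas` is the normal way to request a UAC prompt), so a detection should look for the ordered pair from the same parent process. The following added example, which is not FunkSec's code or part of the original post, correlates the two steps over a constructed, Sysmon-like process-creation log (fields: timestamp, host, parent image, image, command line):

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # how long a "net session" probe stays correlatable
NET_SESSION = re.compile(r"\bnet1?(?:\.exe)?\s+session\b", re.I)
ELEVATE = re.compile(r"start-process\b.*-verb\s+runas\b", re.I)

# Constructed sample telemetry (not real FunkSec data): HOST-A shows the
# probe-then-relaunch chain, HOST-B a lone probe, HOST-C a lone UAC request.
SAMPLE_EVENTS = [
    "2025-01-07T09:00:00 HOST-A C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\net.exe net session",
    "2025-01-07T09:00:01 HOST-A C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell start-process -wait -Verb runas -filepath 'update.bat' -ArgumentList '/s'",
    "2025-01-07T10:15:00 HOST-B C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\net.exe net session",
    "2025-01-07T11:00:00 HOST-C C:\\Windows\\explorer.exe C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell Start-Process notepad.exe -Verb runas",
]


def parse_event(line):
    """Split a constructed 'ts host parent image cmdline' record into fields."""
    ts, host, parent, image, cmdline = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def detect_self_elevation(lines, window=WINDOW):
    """Return (host, timestamp) pairs where a 'net session' privilege probe is
    followed, under the same parent process, by a PowerShell
    'Start-Process ... -Verb runas' relaunch within `window`."""
    probes = {}   # (host, parent image) -> time of the most recent net session probe
    alerts = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        key = (ev["host"], ev["parent"])
        if NET_SESSION.search(ev["cmdline"]):
            probes[key] = ev["ts"]
            continue
        if ev["image"].endswith("powershell.exe") and ELEVATE.search(ev["cmdline"]):
            seen = probes.get(key)
            if seen is not None and ev["ts"] - seen <= window:
                alerts.append((ev["host"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for host, ts in detect_self_elevation(SAMPLE_EVENTS):
        print(f"{host}: privilege probe followed by self-elevation at {ts}")
```

Only HOST-A is reported; the lone probe on HOST-B and the lone UAC request on HOST-C are left alone, which keeps the rule quiet on ordinary administrative activity.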
Once elevated privileges are secured, the ransomware executes a series of commands designed to cripple system defenses, disable logging, and prevent data recovery. These actions are detailed below [1].
```
# Disables Windows Defender real-time protection.
```
To ensure files are not locked by active applications during the encryption process, FunkSec utilizes a hardcoded list of processes and services to terminate. This list targets web browsers, communication platforms, development tools, and system utilities [1].
Targeted Processes:
Following system preparation, the malware iterates through all available drive letters. It recursively traverses subdirectories to identify and encrypt files.
The encryption mechanism relies on the ChaCha20 stream cipher, specifically the implementation found in the orion.rs Rust crate. To generate unique encryption parameters, the malware creates ephemeral keys using a lightweight wrapper around the Windows API CryptGenRandom (specifically SystemFunction036) [1].
Encrypted files are renamed using the Rust format! macro, appending the hardcoded extension: .funksec [1].
After encryption is complete, the malware drops a ransom note file. The note is characterized by heavy use of emojis and provides instructions for payment in Bitcoin. The content of the note typically resembles the following text [1]:
```
# FUNKLOCKER DETECTED
```
Beyond the ransomware executable, several additional tools are distributed by FunkSec [1], often free of charge, which align with hacktivist tactics.
FDDOS is a Python-based network stress-testing tool designed to execute Distributed Denial-of-Service (DDoS) attacks. HTTP and UDP flood methods are supported.
Another tool is a C++ Hidden Virtual Network Computing (HVNC) program, comprising both a server and a client. It is used for remote desktop management, allowing actors to interact with a victim's machine without alerting the user.
funkgenerate is a credential scraping and generation tool. It is designed to extract emails from URLs and generate potential password combinations, likely for credential stuffing attacks.
Investigation into the group's online presence reveals a network of personas linked to Algeria [1].
Scorpion (DesertStorm): A central figure in the group. OpSec failures by this actor, such as posting screenshots with French keyboard layouts and Algerian locale settings, provided key attribution data.
El_Farado: This actor took over the promotional role after "DesertStorm" was banned from forums. El_Farado's activity included asking basic hacking questions, further supporting the assessment of the group's limited technical expertise.
Affiliations: The group attempts to associate itself with "Ghost Algéria" and "Cyb3r Fl00d", and its ransom notes sometimes reference these entities.
We also strongly suggest simulating FunkSec Ransomware Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as HybridPetya, Yurei, BlackNevas, and CyberVolk, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the FunkSec Ransomware:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 32566 | FunkSec Ransomware Email Threat | Network Infiltration |
| 66869 | FunkSec Ransomware Download Threat | Network Infiltration |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
[1] "FunkSec – Alleged Top Ransomware Group Powered by AI," Check Point Research. Accessed: Nov. 20, 2025. [Online]. Available: https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/