Full Report

Introduction: The FunkSec ransomware group first emerged publicly in late 2024, and rapidly gained prominence by publishing over 85 claimed victims—more than any other ransomware group in the month of December. Presenting itself as a new Ransomware-as-a-Service (RaaS) operation, FunkSec appears to have no known connections to previously identified ransomware gangs, and little […]

The post FunkSec – Alleged Top Ransomware Group Powered by AI appeared first on Check Point Research.
Analysis Summary
# Threat Actor: FUNKSEC
## Attribution & Identity
FunkSec is an emerging ransomware group that presented itself as a new Ransomware-as-a-Service (RaaS) operation when it began operating publicly in late 2024.
* **Known Aliases/Associated Personas:** Scorpionlord, El Farado, XTN.
* **Geographic Origin Hint:** A custom encryptor sample was uploaded from an **Algerian** source.
* **Composition Assessment:** Analysis suggests core operations are likely conducted by relatively inexperienced actors, potentially leveraging AI assistance for tool development.
* **Alleged Motivation Complex:** Activities straddle the line between **hacktivism and cybercrime**. Some members have a prior history in hacktivist activities.
## Activity Summary
FunkSec rapidly gained prominence in December 2024 by publishing over 85 claimed victims—more than any other ransomware group that month.
* Launched a data leak site (DLS) in December 2024 to centralize activities.
* Gained notoriety for aggressive tactics and high volume of claimed victims, though the actual scale may be modest.
* Offered a rapidly evolving custom ransomware as a RaaS, boasting low detection rates (at one point, version V1.5 was detected by only 3 AV engines on VirusTotal).
* Leaked datasets are often recycled from previous hacktivism campaigns, raising doubts about disclosure authenticity.
* The group uses double extortion tactics (encryption and data theft).
* Promoted by personas such as El Farado on forums such as Breached Forum.
## Tactics, Techniques & Procedures
- **Double Extortion:** Combining data encryption with data theft pressure.
- **Ransom Demands:** Demanding unusually low ransoms (sometimes as low as $10,000) and selling stolen data cheaply.
- **Tool Development:** Utilizing AI-assisted malware development to rapidly iterate custom tools (e.g., encryptor written in Rust).
- **DDoS:** The DLS features a custom-developed DDoS tool.
- **OpSec Lapses:** Indicated by rookie behavior from associated personas (e.g., El Farado asking basic hacking questions).
- **MITRE ATT&CK IDs:** Not specified in the text.
## Targeting
- **Sectors:** Not explicitly detailed, but the broad victim count suggests potential targeting across various sectors.
- **Geography:** Claimed victims are distributed globally (Figure 2 distribution mentioned but data not detailed). An encryptor artifact originated from Algeria.
- **Victims:** Over 85 victims claimed in December 2024.
## Tools & Infrastructure
- **Malware Families Used:**
    * Custom ransomware (Rust-based; associated with the `.funksec` extension; sample names such as `dev.exe`).
* Custom DDoS tool.
- **Infrastructure:**
* Data Leak Site (.onion site promoted on cybercrime forums).
* Keybase profiles used by key personas (Scorpionlord, El Farado, Blako).
## Implications
FunkSec represents a convergence of cybercrime and hacktivism, leveraging modern development techniques (AI assistance) to create seemingly advanced tools despite apparent operator inexperience. This blurs the traditional assessment lines for ransomware groups, because the group's visibility relies heavily on self-promotion and on victim counts that may be inflated, since they are derived from recycled and potentially unreliable data leaks.
## Mitigations
- **Verify Claims:** Do not rely solely on published victim counts or threat actor claims when assessing risk; employ objective evaluation techniques.
- **Low Ransom Scrutiny:** Treat unusually low ransom demands with suspicion, as they may indicate a precursor to data leakage rather than a standard negotiation.
- **Monitor AI-Assisted Development:** Be aware of rapidly iterating tooling that may benefit from AI assistance, potentially leading to quick evasion of signature-based defenses.