Despite claims to have attacked dozens of victims in the last month, the group likely consists of inexperienced hackers seeking recognition, researchers said.
Analysis Summary
# Threat Actor: FunkSec
## Attribution & Identity
New ransomware group emerged late last year. Believed to consist of inexperienced hackers seeking visibility and recognition. Previous association with hacktivist activities is suspected among some members. The group attempts to associate itself with defunct hacktivist entities like Ghost Algeria and Cyb3r Fl00d, likely to boost credibility. The creator of the latest ransomware version likely operated from Algeria.
## Activity Summary
FunkSec has claimed over 80 victims in a single month (December), making it highly prolific for a newly emerged group. They deploy ransomware, demand very low ransoms (sometimes as low as $10,000), and sell stolen data to third parties at reduced prices. Leaked datasets often appear to be recycled from previous hacktivism campaigns, casting doubt on the authenticity of their disclosures. They also offer services associated with hacktivism, such as DDoS capabilities.
## Tactics, Techniques & Procedures
- Deployment of custom ransomware named FunkSec V1.
- Use of Artificial Intelligence (AI) to quickly develop and improve their ransomware tool; indicators include AI-generated code comments.
- Offering Distributed Denial-of-Service (DDoS) attack services.
- Offering remote desktop management services.
- Offering password generation tools.
- Data exfiltration and sale.
- **Note:** Specific MITRE ATT&CK IDs were not provided in the source material.
## Targeting
- **Sectors:** Travel booking, energy management service, household appliance sales.
- **Geography:** U.S., India, Italy, Brazil, Israel, Spain, and Mongolia.
- **Victims:** Specific victims mentioned include a travel booking company, an energy management service, and a household appliance company. None have publicly confirmed an attack.
## Tools & Infrastructure
- **Malware families used:** FunkSec V1 (Ransomware).
- **Infrastructure (C2, domains, IPs):** None explicitly detailed beyond the ransomware being uploaded from Algeria and the group using an AI chatbot to support operations.
## Implications
FunkSec presents a unique threat profile blending opportunistic cybercrime (low ransom demands) with hacktivism, potentially driven by inexperienced actors leveraging AI for rapid development. The high victim count in a short period shows the group is very active, though the low ransom demands might lead to high non-payment rates or indicate a strategy focused on volume over high returns. Their association with political causes (allegedly targeting the U.S. and India in connection with the "Free Palestine" movement) suggests either a dual motivation or the use of political rhetoric to mask opportunistic crime.
## Mitigations
- Enhance monitoring for unusually low ransom demands, as this may indicate an emerging or opportunistic threat actor.
- Review defensive posture against common commodity malware/ransomware tactics, including tooling that incorporates AI-generated code.
- Be aware that new actors may claim hacktivist alignment or association as a means of distraction or credibility building.
- Review operational security with respect to the hacktivist-associated groups mentioned (Ghost Algeria, Cyb3r Fl00d), since FunkSec attempts to tie itself to them.