Cybersecurity researchers have revealed the emergence of FunkSec, an AI-assisted ransomware group that has targeted over 85 victims since its inception in late 2024. This group employs double extortion tactics, combining data theft with encryption to pressure victims into paying ransoms. FunkSec has demanded relatively low ransoms, sometimes as little as $10,000, and has sold stolen data to third parties at significantly reduced prices. Their operations, launched in December 2024, include a data leak site, a custom tool for distributed denial-of-service (DDoS) attacks, and a ransomware-as-a-service (RaaS) model.
Victims of FunkSec are predominantly located in the U.S., India, Italy, Brazil, Israel, Spain, and Mongolia. While their activities are indicative of novice cybercriminals seeking notoriety, FunkSec has been found to recycle leaked information from previous hacktivist attacks. This group also acts as a data broker, selling stolen data for prices ranging from $1,000 to $5,000. FunkSec’s activities blur the lines between hacktivism and cybercrime, with the group aligning itself with political causes like the “Free Palestine” movement and associating with now-defunct hacktivist groups such as Ghost Algeria and Cyb3r Fl00d.
Some members of FunkSec have been identified, including Scorpion, an Algeria-based actor, and El_farado, a prominent figure in advertising the group after Scorpion’s ban from Breached Forum. The group’s involvement in hacktivist activities is further evidenced by their use of DDoS attack tools and software related to remote desktop management. FunkSec’s use of artificial intelligence (AI) to develop and enhance its ransomware and tools, including the encryptor, suggests rapid iteration despite the attackers’ apparent lack of technical expertise.
FunkSec’s ransomware, now in its V1.5 version, is written in Rust and has been associated with the names FunkLocker and Ghost Algeria. The ransomware performs a series of steps to disable security controls, delete backups, and encrypt targeted files. While the group claims to target victims in countries like the U.S. and India, its activities are driven by both political motives and financial incentives. Despite their success in 2024, FunkSec’s future remains uncertain, with the group’s potential to sustain its operations or achieve significant long-term success yet to be fully realized.
