Cybersecurity firm Gen Digital has delivered a significant victory for victims of ransomware by releasing a free decryptor for the FunkSec strain. This tool, now available to the public, enables individuals and organizations hit by the ransomware to regain access to their files without paying a ransom. The release follows a period of inactivity from the group, which has not been linked to any new attacks since March 18, 2025. “Because the ransomware is now considered dead, we released the decryptor for public download,” stated Gen Digital researcher Ladislav Zezula, signaling an end to this particular digital threat.
FunkSec first appeared in late 2024 and quickly accumulated 172 victims, according to data from Ransomware.live.
The group’s operations were geographically concentrated, with the majority of targets located in the United States, India, and Brazil. The attackers primarily focused on the technology, government, and education sectors. It is widely believed that FunkSec was operated by inexperienced hackers, more interested in gaining notoriety than financial profit, a theory supported by their practice of uploading datasets from previous, unrelated hacktivism campaigns to their leak site.
An analysis by Check Point earlier this year uncovered evidence suggesting the ransomware’s encryptor may have been developed with the help of artificial intelligence tools.
The ransomware itself was built using Rust, a modern programming language prized for its speed and ability to evade detection, a feature it shares with other prominent ransomware families like BlackCat and Agenda. FunkSec utilized the orion-rs library for its encryption routine, specifically employing the $ChaCha20$ and $Poly1305$ algorithms to lock victim data. Zezula explained that this method encrypts files in 128-byte blocks and adds 48 bytes of metadata to each block, causing encrypted files to be approximately 37% larger than the original files.
The new decryption tool is available through the No More Ransom project, a collaborative initiative aimed at helping ransomware victims recover their data for free. Gen Digital has not publicly disclosed the methods used to create the decryptor, leaving it unclear whether their team discovered a critical cryptographic weakness in the ransomware’s code or obtained the keys through other means. The lack of detail is common in such releases to protect sensitive methods from being patched by other malicious actors.
For victims seeking to use the tool, it is crucial to first verify that their files were encrypted by FunkSec, which can typically be identified by the .funksec file extension or by the specific metadata padding the ransomware adds. The No More Ransom portal provides instructions for using the decryptor. However, as a critical precaution, cybersecurity experts strongly advise all victims to create a complete backup of their encrypted files before attempting the decryption process to prevent potential data loss in the event of an incomplete or corrupted recovery.
Reference:
