AI-Driven FunkSec Ransomware

Cybersecurity researchers have reported that a ransomware family called FunkSec, which entered the market in late 2024 and has claimed more than 85 victims, was developed with artificial intelligence (AI) assistance. "The group uses double extortion tactics, combining data theft with encryption to pressure victims into paying ransoms," Check Point Research said in a new report covered by The Hacker News. "Notably, FunkSec demanded unusually low ransoms, sometimes as little as $10,000, and sold stolen data to third parties at reduced prices." FunkSec launched its data leak site (DLS) in December 2024 to "centralize" its ransomware operations, highlighting breach announcements, a custom tool to conduct distributed denial-of-service (DDoS) attacks, and bespoke ransomware offered under a ransomware-as-a-service (RaaS) model.

Most of the victims are in the US, India, Italy, Brazil, Israel, Spain, and Mongolia. Check Point's analysis of the group's activity suggests it is likely the work of novice actors seeking notoriety by recycling information from previous hacktivist-related leaks. According to Halcyon, FunkSec is notable because it functions as both a ransomware group and a data broker, peddling stolen data to interested buyers for $1,000 to $5,000.

It has been determined that some members of the Ransomware as a Service (RaaS) group engaged in hacktivist activities, underscoring a continued blurring of boundaries between hacktivism and cybercrime, just as nation-state actors and organized cybercriminals are increasingly exhibiting an "unsettling convergence of tactics, techniques, and even objectives."

They also claim to target India and the US, aligning themselves with the "Free Palestine" movement and attempting to associate with now-defunct hacktivist entities like Ghost Algeria and Cyb3r Fl00d. Some of the prominent actors associated with FunkSec are listed below:

  • A suspected Algeria-based actor named Scorpion (aka DesertStorm) has promoted the group on underground forums such as Breached Forum.
  • El_farado, who emerged as a central figure advertising FunkSec after DesertStorm's ban from Breached Forum.
  • XTN is a likely associate involved in an as-yet-unknown "data-sorting" service.
  • Blako, whom DesertStorm has tagged alongside El_farado.
  • Bjorka, a known Indonesian hacktivist whose alias has been used to claim leaks attributed to FunkSec on DarkForums, pointing either to a loose affiliation or to attempts to impersonate FunkSec.

The possibility that the group is also involved in hacktivist activity is supported by the presence of DDoS attack tools, along with tools for remote desktop management (JQRAXY_HVNC) and password generation (fun generate). "The development of the group's tools, including the encryptor, was likely AI-assisted, which may have contributed to their rapid iteration despite the author's apparent lack of technical expertise," Check Point pointed out.

The latest ransomware version, FunkSec V1.5, is written in Rust, with the artifact uploaded to the VirusTotal platform from Algeria. An examination of older malware versions suggests that the threat actor is also from Algeria, owing to FunkLocker and Ghost Algeria references. The ransomware binary is configured to iterate over all directories and encrypt the targeted files recursively, but not before elevating privileges and taking steps to disable security controls, delete shadow copy backups, and terminate a hard-coded list of processes and services.
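As an added, defender-side illustration (not code from the article, Check Point, or Red Sky Alliance), the following Python snippet runs over constructed process-creation events and flags the pre-encryption steps described above: shadow copy deletion and a burst of security or backup process terminations from a single parent. The field names, process names, thresholds and sample events are assumptions.

```python
# Added example: detect pre-encryption tampering in process-creation telemetry.
# Event shape (host, parent, cmdline) mimics Sysmon Event ID 1 / EDR data; assumed.
import re
from collections import defaultdict

# Command lines that delete Volume Shadow Copies (widely used by ransomware).
SHADOW_COPY_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)
# Service/process stop utilities; only flagged when aimed at sensitive targets.
SERVICE_STOP = re.compile(r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?)\b", re.I)
# Assumed list of security/backup/database targets an encryptor wants out of the way.
SENSITIVE_TARGETS = {"sqlservr.exe", "msmpeng.exe", "veeam", "backup", "outlook.exe"}

def classify(cmdline):
    """Tag one command line, or return None if it is benign."""
    if SHADOW_COPY_DELETE.search(cmdline):
        return "shadow_copy_deletion"
    lowered = cmdline.lower()
    if SERVICE_STOP.search(cmdline) and any(t in lowered for t in SENSITIVE_TARGETS):
        return "security_or_backup_service_stop"
    return None

def detect(events, burst=3):
    """Group suspicious events per (host, parent) and rate the combination."""
    per_parent = defaultdict(lambda: {"tags": set(), "stops": 0})
    for ev in events:
        tag = classify(ev["cmdline"])
        if tag is None:
            continue
        rec = per_parent[(ev["host"], ev["parent"])]
        rec["tags"].add(tag)
        if tag == "security_or_backup_service_stop":
            rec["stops"] += 1
    alerts = {}
    for key, rec in per_parent.items():
        tags = set(rec["tags"])
        if rec["stops"] >= burst:          # many kills from one parent = hard-coded kill list
            tags.add("kill_burst")
        # Shadow copy deletion plus a kill burst from one parent is the strongest signal.
        severity = "high" if {"shadow_copy_deletion", "kill_burst"} <= tags else "medium"
        alerts[key] = (severity, tags)
    return alerts

# Constructed sample telemetry (not real FunkSec artefacts).
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "cmdline": r"C:\Windows\System32\notepad.exe"},
    {"host": "ws01", "parent": "sample_encryptor.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": "sample_encryptor.exe", "cmdline": 'net stop "Veeam Backup Service" /y'},
    {"host": "ws01", "parent": "sample_encryptor.exe", "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"host": "ws01", "parent": "sample_encryptor.exe", "cmdline": "taskkill /F /IM outlook.exe"},
    {"host": "ws02", "parent": "cmd.exe", "cmdline": "net stop Spooler"},  # benign admin action
]

if __name__ == "__main__":
    for (host, parent), (severity, tags) in detect(EVENTS).items():
        print(f"{host} {parent}: {severity} {sorted(tags)}")
```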

"2024 was a very successful year for ransomware groups, while in parallel, the global conflicts also fueled the activity of different hacktivist groups," Sergey Shykevich, threat intelligence group manager at Check Point Research, said in a statement. "FunkSec, a new group that emerged lately as the most active ransomware group in December 2024, blurs the lines between hacktivism and cybercrime. Driven by political agendas and financial incentives, FunkSec leverages AI and repurposes old data leaks to establish a new ransomware brand. However, the real success of their activities remains highly questionable."

The development comes as researchers detailed a Hunters International attack that likely leveraged Oracle WebLogic Server as an initial entry point to drop a China Chopper web shell, which was then used to perform a series of post-exploitation activities that ultimately led to the deployment of the ransomware. After gaining access, the attackers conducted reconnaissance and lateral movement to map the network and escalate privileges. The attackers used various standard administrative and red teaming tools for lateral movement.


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
