AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics

FunkSec Ransomware: AI Tactics and Analysis

Emergence and Operations

FunkSec, a newly identified ransomware group, emerged in late 2024 and has already claimed more than 85 victims, primarily in the U.S., India, Italy, Brazil, Israel, Spain, and Mongolia. This group is notable for its use of artificial intelligence (AI) in its operations and its adoption of double extortion tactics [1][3].

AI-Driven Tactics

  • AI-Assisted Tools: The development of FunkSec's tools, including the ransomware encryptor, is believed to be AI-assisted. This has enabled the group to rapidly iterate on and improve their malware despite the apparent lack of technical expertise among the authors [1].
  • Ransomware-as-a-Service (RaaS) Model: FunkSec operates under a RaaS model, centralizing their operations through a data leak site (DLS) launched in December 2024. This site includes tools for conducting distributed denial-of-service (DDoS) attacks and bespoke ransomware tools [1].

Double Extortion and Additional Tactics

  • Double Extortion: FunkSec combines data theft with encryption, threatening to leak sensitive data if ransom demands are not met. They also sell stolen data to third parties at reduced prices, often demanding relatively low ransoms, sometimes as little as $10,000 [1].
  • DDoS Attacks: The group uses DDoS attacks as an additional pressure tactic to coerce victims into paying ransoms. This is facilitated through tools available on their DLS [1].
  • Hacktivist Activities: There is evidence that FunkSec may be involved in hacktivist activities, aligning themselves with movements like "Free Palestine" and associating with defunct hacktivist entities. Tools related to remote desktop management and password generation are also part of their arsenal [1].

Key Actors and Affiliations

  • Suspected Actors: Notable actors associated with FunkSec include Scorpion (aka DesertStorm), El_farado, XTN, Blako, and Bjorka. These individuals have been involved in promoting the group on underground forums and claiming leaks attributed to FunkSec [1].

Technical Details

  • Malware Details: The latest version of the ransomware, FunkSec V1.5, is written in Rust and has been uploaded to the VirusTotal platform from Algeria. The malware elevates privileges, disables security controls, deletes shadow copy backups, and terminates specific processes and services before encrypting files [1].
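The pre-encryption behaviour described above (shadow-copy deletion, stopping services, killing processes) is one of the few points in a ransomware intrusion where a host-level detection still fires before data is lost. The following is an added example of that detection logic, not FunkSec's code and not a signature for it: the article does not name the commands, services or processes FunkSec uses, so the command patterns below (vssadmin / wmic shadow-copy deletion, net or sc service stops, taskkill) are this example's own assumptions about common ways the described actions are carried out on Windows. The events are constructed, shaped loosely like Sysmon Event ID 1 / Windows 4688 process-creation fields, and the host-level correlation (two or more distinct precursor categories on one host) is the example's own escalation rule.

```python
"""Added example: detect ransomware pre-encryption precursors in
process-creation events and escalate hosts that show several of them.
Not the article's or FunkSec's code; patterns and events are constructed."""
import re

# Constructed sample events (Sysmon EID 1 / 4688-like fields); all values
# are made up for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": r'"C:\Program Files\Acme\acme.exe" --sync'},
    {"host": "ws01", "user": "NT AUTHORITY\\SYSTEM", "parent": "updater.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws02", "user": "CORP\\bob", "parent": "cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "user": "CORP\\bob", "parent": "cmd.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "ws02", "user": "CORP\\bob", "parent": "cmd.exe",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    # Benign: a backup agent enumerating (not deleting) shadow copies.
    {"host": "ws03", "user": "CORP\\carol", "parent": "backup-agent.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# Assumed command patterns (not taken from the article). Patterns are
# written in lowercase because command lines are normalized first.
RULES = [
    ("shadow_copy_deletion", "high",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("shadow_copy_deletion", "high",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("service_stop", "medium",
     re.compile(r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+\S+")),
    ("process_kill", "medium",
     re.compile(r"\btaskkill(\.exe)?\b.*\s/(f|im)\b")),
]


def normalize(cmdline: str) -> str:
    """Lowercase and collapse whitespace so rule patterns stay simple."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def match_event(event: dict) -> list:
    """Return one alert per rule that matches this event's command line."""
    cmd = normalize(event["cmdline"])
    alerts = []
    for name, severity, pattern in RULES:
        if pattern.search(cmd):
            alerts.append({
                "host": event["host"], "user": event["user"],
                "parent": event["parent"], "rule": name,
                "severity": severity, "cmdline": event["cmdline"],
            })
    return alerts


def analyze(events: list) -> list:
    """Run every rule over every event; returns the flat list of alerts."""
    alerts = []
    for ev in events:
        alerts.extend(match_event(ev))
    return alerts


def correlate(alerts: list) -> set:
    """Escalate hosts showing two or more distinct precursor categories.

    A single shadow-copy deletion can be legitimate admin work; several
    different precursors on one host is the pattern worth paging on.
    """
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a["host"], set()).add(a["rule"])
    return {host for host, rules in rules_by_host.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['severity']}] {a['host']} {a['rule']}: {a['cmdline']}")
    print("escalate:", sorted(correlate(found)))
```

The benign `vssadmin list shadows` event deliberately does not match, which is the distinction a rule like this has to make: enumeration is routine for backup software, deletion is not. In practice the escalation threshold and the allow-list of parents (a known backup agent, for instance) would be tuned to the environment rather than hard-coded.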

Emerging Ransomware Threats in 2024

  • Ransomware-as-a-Service (RaaS): 2024 saw a significant increase in RaaS activity, contributing to a 57.8% rise in companies listed on data leak sites. New groups like RansomHub emerged, highlighting the ongoing threat of RaaS [2].
  • AI-Facilitated Attacks: Generative AI (GenAI) played a crucial role in cyberattacks throughout 2024, enabling highly convincing and scalable social engineering campaigns. This trend is expected to continue into 2025 [2].

Specific Threats

  • Man-in-the-Middle (MiTM) and Adversary-in-the-Middle (AiTM) Attacks: MiTM attacks, including the more sophisticated AiTM attacks, were prevalent in 2024. These attacks evade multifactor authentication (MFA) and are expected to become more common in 2025 [2].
  • Encryption-Less Ransomware: There is a growing trend towards "encryption-less" ransomware attacks, where threat actors extort victims by stealing large volumes of data without encrypting it, thus avoiding major disruption and law enforcement attention [2].

Countermeasures and Prevention

AI-Based Solutions

  • AI-Powered Cybersecurity: To combat modern ransomware, AI-based technologies are proving effective. These solutions can target vulnerabilities in real time and are essential for preventing attacks that combine multiple variants of malware [4].

Comprehensive Strategies

  • Training and Backups: Employee training, comprehensive backups, and adequate cybersecurity tools are crucial in preventing ransomware attacks. This includes firewalls, Endpoint Detection and Response (EDR) products, and anti-data-exfiltration tools [4].
  • Zero Trust Architecture: Adopting a zero trust architecture and stronger forms of MFA, such as FIDO2-compliant methods, is recommended to counter evolving threats like AiTM phishing attacks [2].

In summary, FunkSec represents a new and evolving threat in the ransomware landscape, leveraging AI and double extortion tactics to coerce victims. As ransomware threats continue to evolve, organizations must prioritize AI-based cybersecurity solutions, comprehensive training, and robust security architectures to mitigate these risks.