In December 2024, ransomware attacks soared to an unprecedented high, with 574 recorded incidents marking the busiest month since tracking began in 2021.
Among these, a single group, FunkSec, emerged as the top threat actor, responsible for 18% of all attacks, according to NCC Group’s latest intelligence report.
“This December set an all-time high with 574 ransomware attacks,” the report stated, highlighting the growing aggressiveness of ransomware operators globally. FunkSec’s rapid rise reflects a dangerous shift in cybercrime, driven by AI tools that lower the barriers to entry into sophisticated ransomware operations.

AI Powers FunkSec’s Rapid Rise
FunkSec’s success lies in its innovative use of artificial intelligence (AI) tools to assist in malware development. As the NCC Group noted, “Our findings indicate that the development of FunkSec’s tools, including their encryption malware, was likely AI-assisted. This has enabled rapid iteration cycles despite the apparent lack of technical expertise among its authors.”
By leveraging large language models (LLMs), the group has been able to refine and deploy its tools with unprecedented speed and efficiency.
One key feature of FunkSec’s arsenal is its Rust-based ransomware, designed for maximum efficiency and stealth. Rust, a programming language known for its memory safety and low detection rates by antivirus systems, has become a popular choice for malware authors.
FunkSec’s ransomware disables security measures like Windows Defender, erases shadow backups to prevent recovery, and terminates processes associated with essential applications, such as browsers and messaging platforms. Encrypted files are marked with a “.funksec” extension, creating a clear signature of the group’s activities.
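The behaviours listed above can be correlated per host in endpoint telemetry. The following is an added example, not code from NCC Group, Check Point or the article: the event format, the threshold, the time window and the command-line patterns are assumptions (generic Windows commands for each behaviour, not commands confirmed for FunkSec); only the “.funksec” extension comes from the article.

```python
import re
from collections import defaultdict

# Generic Windows command lines for the behaviours the article lists.
# Assumption: common ways to perform each action, not confirmed FunkSec commands.
CMD_RULES = {
    "defender_tamper": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
    "shadow_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "proc_kill": re.compile(r"taskkill(\.exe)?\b.*\s/f\b", re.I),
}
EXT = ".funksec"        # extension named in the article
RENAME_THRESHOLD = 3    # constructed value, sized for the small sample below
WINDOW = 300            # seconds; hypothetical correlation window

def detect(events):
    """Map host -> sorted behaviours when 2+ distinct ones occur within
    WINDOW seconds of that host's first matching event."""
    hits = defaultdict(list)  # host -> [(ts, behaviour)]
    for ev in events:
        if ev["type"] == "process":
            for name, rx in CMD_RULES.items():
                if rx.search(ev["cmd"]):
                    hits[ev["host"]].append((ev["ts"], name))
        elif ev["type"] == "file_rename" and ev["path"].lower().endswith(EXT):
            hits[ev["host"]].append((ev["ts"], "funksec_ext"))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        recent = [b for ts, b in seen if ts - seen[0][0] <= WINDOW]
        kinds = {b for b in recent if b != "funksec_ext"}
        if recent.count("funksec_ext") >= RENAME_THRESHOLD:
            kinds.add("funksec_ext")  # a single rename is too weak a signal
        if len(kinds) >= 2:
            alerts[host] = sorted(kinds)
    return alerts

# Constructed sample telemetry (process creation and file rename events).
SAMPLE = [
    {"host": "ws-01", "ts": 100, "type": "process",
     "cmd": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws-01", "ts": 130, "type": "process",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-01", "ts": 140, "type": "process", "cmd": "taskkill /F /IM chrome.exe"},
    *[{"host": "ws-01", "ts": 150 + i, "type": "file_rename",
       "path": rf"C:\Users\a\doc{i}.docx.funksec"} for i in range(3)],
    # ws-02: one forced kill and a read-only vssadmin query; should not alert.
    {"host": "ws-02", "ts": 200, "type": "process", "cmd": "taskkill /F /IM notepad.exe"},
    {"host": "ws-02", "ts": 210, "type": "process", "cmd": "vssadmin list shadows"},
]
```

Requiring two distinct behaviours keeps routine administration, such as a lone forced process kill, from raising an alert on its own.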

Double Extortion and Global Targeting
FunkSec employs double extortion tactics, encrypting data while simultaneously exfiltrating sensitive information. This dual strategy increases pressure on victims, who face not only the loss of access to their data but also the threat of public exposure.
The group operates a Tor-based data leak site where stolen information is auctioned to third parties. Their ransom demands are notably low, often starting at $10,000, signaling a strategy aimed at casting a wide net rather than focusing on high-value targets.
The group’s reach is global, with victims identified across the United States, India, France, and Thailand. Their targets span multiple industries, including healthcare, manufacturing, technology, government, and media. This broad scope underscores their operational versatility and reliance on the anonymity provided by tools like Tor and cryptocurrency.

Hacktivist Origins and Ideological Messaging
FunkSec’s operations are uniquely characterized by a blend of hacktivism and cybercrime. The group has publicly aligned itself with the “Free Palestine” movement, frequently targeting U.S. entities as part of what it describes as an ideological campaign.
In one declaration, they stated, “All our attacks will target America,” citing opposition to U.S. policies and support for Israel. This ideological framing appears to serve a dual purpose: amplifying the group’s visibility while obscuring its financial motives.
Cybersecurity researchers from Check Point Software have noted that FunkSec’s leaked datasets often recycle information from earlier hacktivist campaigns. “Much of the data listed on their leak site appears to have been previously disclosed by other groups,” the researchers observed.
This raises questions about the authenticity of some of their claims and highlights the group’s reliance on borrowed narratives to bolster its reputation.

Technical Sophistication with AI Support
Despite their amateur origins, FunkSec’s use of AI tools has enabled them to develop a ransomware encryptor that rivals those of more established groups. Analysis of their malware revealed repetitive function calls and redundant control flows, indicative of code generated or refined with the assistance of AI.
Researchers from the NCC Group remarked, “This malware exhibits traits of rapid iteration cycles that are uncommon for amateur authors.” This reliance on AI tools not only streamlines development but also allows the group to respond quickly to evolving cybersecurity defenses.
Beyond ransomware, FunkSec offers additional tools designed for cybercriminals, including a Python-based Distributed Denial-of-Service (DDoS) script and an HVNC client for remote desktop management. These tools, coupled with their ideological messaging, create a unique profile that blurs the lines between hacktivism and profit-driven cybercrime.
FunkSec’s roots can be traced to earlier hacktivist operations, including groups like Ghost Algeria and Cyb3r Fl00d. Evidence of overlapping tactics and messaging styles suggests a shared lineage.
Key figures associated with FunkSec, such as the user “DesertStorm,” have inadvertently revealed their location in Algeria, offering insights into the group’s operational base. DesertStorm’s slip-ups, such as posting screenshots with visible French keyboard settings, have provided valuable clues to researchers.

Implications for Cybersecurity
FunkSec’s rise exemplifies a broader trend in ransomware operations: the integration of AI tools to enhance accessibility and scalability. By automating complex tasks, AI enables even low-skilled actors to deploy sophisticated attacks. As the NCC Group warned, “As AI and machine learning become more developed and accessible, attackers will increasingly utilize the efficiency gains they provide.”
The group’s activities highlight the growing challenge for cybersecurity professionals. Traditional methods of threat detection and response may struggle to keep pace with the rapid evolution of AI-driven malware.