FunkSec ransomware is a relatively new ransomware-as-a-service (RaaS) group with hacktivist ties that appears to use AI to assist its cybercrime activities, Check Point Research outlined in an analysis published Friday.
The group was first introduced in October 2024 in a post on the Breached forum and first established its data leak site in December 2024. One of the group’s first actions was to post a purported leaked call between then-U.S. presidential candidate Donald Trump and Israeli Prime Minister Benjamin Netanyahu, which was “clearly AI-generated,” according to Check Point.
Last month, in the first month of the FunkSec leak site’s existence, the group posted more claimed victims than any other ransomware gang that month — a total of 85 in December. However, researchers noted that many of the leaks appeared to be recycled from past hacktivism campaigns, corroborating the group’s hacktivist ties and raising doubt about their experience and aptitude as a ransomware threat actor.
Inexperienced hacktivists turned ransomware wannabes
Check Point uncovered connections between FunkSec and hacktivism actors, particularly a now-defunct group called Ghost Algéria, whose name appeared in a ransom note near-identical to the one dropped by the FunkSec ransomware. The researchers also identified several individuals tied to FunkSec who appeared to work together to promote the group’s activities on cybercrime platforms including the Breached forum.
Tracking the activities of FunkSec’s associates revealed a pattern of amateurish activity; one of the gang’s first promoters, known as Scorpion or DesertStorm, revealed their location in Algeria in a publicly posted screenshot and was eventually banned from the Breached forum in November 2024. Another key figure, El_farado, made several posts asking basic questions such as what hackers should do with data they steal.
A technical analysis of the FunkSec ransomware, which had samples and parts of its source code apparently uploaded to VirusTotal by the threat actors themselves, revealed a high amount of redundancy, with functions being called multiple times from different execution paths where they would normally be called once in typical ransomware.
In addition to its custom ransomware, FunkSec offers other tools, including a Python-based distributed denial-of-service (DDoS) tool using HTTP or UDP flood methods, a password generation and scraping tool called funkgenerate and a tool designed for remote desktop management called JQRAXY_HVNC.
Solidifying its hacktivism angle, FunkSec claims to primarily target the United States due to the country’s support for Israel, although the 85 victims it has claimed span the United States, India, Italy, Brazil, Israel, Spain, Mongolia and various other countries.
FunkSec code shows signs of AI assistance
FunkSec is known to use AI tools to aid in its cybercrime activities, including a cybercrime-focused custom chatbot the group created through the Miniapps chatbot platform. The group has also previously posted ChatGPT-generated summaries of its ransomware capabilities on its site, apparently generated by uploading the ransomware binary to the service.
Check Point noted that signs of AI use can also be found in the code of FunkSec’s publicly available tools, namely the presence of detailed comments written in “perfect English” while other posts by FunkSec actors have shown limited English-speaking skills. This is also true of the Rust-based ransomware source code used by the group.
FunkSec frequently updates its ransomware offering, sometimes every few days, with the latest version FunkSec V1.5 boasting a low detection rate by antivirus services. FunkSec advertised this by showing a screenshot from VirusTotal indicating only three antivirus services detected its code as malicious — corroborating the suspicion that FunkSec uploaded its own samples to the site.
The Rust ransomware has basic encryption, privilege escalation and security disabling capabilities, encrypting all directories using ChaCha20 and killing a hardcoded list of processes as well as blacking out the desktop wallpaper and dropping a ransom note filled with emojis. FunkSec often demands unusually low ransoms, as little as $10,000, and sells stolen data at reduced prices, Check Point noted.
“FunkSec’s operations highlight the role of AI in malware development, the overlap between hacktivism and cybercrime, and the challenges in verifying leaked data. It also raises questions about how we assess the threat posed by ransomware groups, as we often rely on the groups’ own claims,” Check Point concluded. “These findings reflect a changing threat landscape, where even low-skill actors can make use of accessible tools to cast a very large shadow.”