FunkSec – Alleged Top Ransomware Group Powered by AI (research.checkpoint.com)

🤖 AI Summary
FunkSec is a fast-rising ransomware group that surfaced in late 2024 and claimed more than 85 victims in December, touting itself as a new RaaS operator. Its public offerings include a custom ransomware written in Rust (the samples were compiled on a machine with the path C:\Users\Abdellah\) that uses hybrid RSA+AES encryption, replaces originals with .funksec files and drops ransom notes; prototype source (ransomware.rs) and a sample dev.exe were uploaded from Algerian sources and were initially detected by only three AV engines on VirusTotal. FunkSec also markets ancillary hacking tools: FDDOS (a Python DDoS tool), a C++ HVNC remote client/server, and "funkgenerate" for scraping and password generation.

The group mixes hacktivist branding (ties to "Free Palestine" and Ghost Algéria references) with criminal double-extortion tactics, low ransom demands and data resale; many of its leaks appear to be recycled from earlier hacktivist dumps, which casts doubt on its claims. Key personas include Scorpion/DesertStorm, El_Farado and XTN.

The most consequential detail is the evidence that FunkSec used AI-assisted development to produce and iterate malware quickly, lowering the technical barrier so that inexperienced actors can produce functional encryptors and infrastructure. That accelerates tool churn, complicates attribution, and can help evade signature-based detection (as the low VirusTotal hit count shows). For defenders and researchers this means public victim counts are unreliable; threat assessment must rely more on objective telemetry, behavioral detection, robust backups, segmentation, and forensic analysis that anticipates AI-augmented authoring and rapid variant emergence.
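Because signature hits on fresh, AI-iterated builds are unreliable (three VirusTotal engines at first sight), a defender gets more mileage from the on-disk effects the summary describes: originals replaced by `.funksec` files and a dropped ransom note. The following triage script is an added example written for this page, not code from Check Point or from the FunkSec samples. It assumes three things that the report does not state: a ransom-note filename (a placeholder, since the page gives none), an entropy threshold of 7.5 bits per byte for "looks encrypted", and a skip-list of formats that are high-entropy by design. The sample directory tree it scans is constructed inside a temporary directory and contains no real victim data.

```python
"""Constructed triage example: find file-level traces of a FunkSec-style encryptor."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".funksec"      # extension named in the report
ENTROPY_THRESHOLD = 7.5         # bits per byte; AES output approaches 8.0 (assumed cut-off)
# The report does not name the ransom note, so these hints are an assumption
# for the example, not indicators taken from the page.
NOTE_NAME_HINTS = ("readme", "ransom", "decrypt", "restore")
NOTE_EXTS = (".txt", ".html", ".md")
# Formats that are high-entropy by design; skipped to cut false positives.
ALREADY_COMPRESSED = (".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant byte, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_note(path: Path) -> bool:
    """Small text-like file whose name hints at a ransom note (placeholder heuristic)."""
    name = path.name.lower()
    return path.suffix.lower() in NOTE_EXTS and any(h in name for h in NOTE_NAME_HINTS)


def triage_tree(root: Path, sample_bytes: int = 64 * 1024) -> dict:
    """Walk a directory and collect the three indicators: extension, entropy, note."""
    findings = {"total_files": 0, "encrypted_ext": [], "high_entropy": [], "ransom_notes": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        findings["total_files"] += 1
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix == ENCRYPTED_EXT:
            findings["encrypted_ext"].append(rel)
        if looks_like_note(path):
            findings["ransom_notes"].append(rel)
        if suffix in ALREADY_COMPRESSED:
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)   # only the head is sampled; enough for bulk encryption
        # Tiny files give unreliable entropy estimates; only judge files of 1 KiB or more.
        if len(head) >= 1024 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def verdict(findings: dict) -> str:
    """Combine indicators: renamed files plus a note is the strongest signal."""
    if findings["encrypted_ext"] and findings["ransom_notes"]:
        return "likely-ransomware-impact"
    total = max(findings["total_files"], 1)
    if findings["encrypted_ext"] or len(findings["high_entropy"]) / total > 0.5:
        return "suspicious"
    return "no-indicators"


def build_sample_tree(encrypted: bool = True) -> Path:
    """Create a constructed sample tree in a temp dir; nothing here is real victim data."""
    root = Path(tempfile.mkdtemp(prefix="funksec-triage-"))
    (root / "docs").mkdir()
    (root / "photos").mkdir()
    originals = {
        "docs/report.docx": b"Quarterly figures, section 1. " * 400,
        "photos/holiday.jpg": b"\xff\xd8" + b"JFIF placeholder bytes " * 300,
        "docs/notes.txt": b"meeting notes, nothing unusual here\n" * 100,
    }
    for rel, content in originals.items():
        if encrypted and rel != "docs/notes.txt":
            # Simulate only the on-disk effect: random bytes where the original was.
            (root / (rel + ENCRYPTED_EXT)).write_bytes(os.urandom(8192))
        else:
            (root / rel).write_bytes(content)
    if encrypted:
        # Placeholder note name; the report does not give FunkSec's actual filename.
        (root / "README_TO_RESTORE.txt").write_text("placeholder ransom note text\n")
    return root


if __name__ == "__main__":
    for flag in (True, False):
        found = triage_tree(build_sample_tree(encrypted=flag))
        print(verdict(found), found)
```

The entropy check is what keeps the script useful when a new variant changes the extension: bulk-encrypted documents read as near-random bytes whatever they are called, so a high fraction of high-entropy files in a directory of office documents is a signal on its own, while the skip-list stops archives and images from tripping it.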