{
	"id": "a2b6e5bd-5bf5-4f8b-9d3d-f3827e6795ff",
	"created_at": "2026-04-06T00:17:38.295093Z",
	"updated_at": "2026-04-10T03:31:48.983821Z",
	"deleted_at": null,
	"sha1_hash": "21184f85b7f48469a573125e07ba916f61393a9f",
	"title": "Take Me Down to Funksec Town: Funksec Ransomware DLS Emergence - CYJAX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 442683,
	"plain_text": "Take Me Down to Funksec Town: Funksec Ransomware DLS\r\nEmergence - CYJAX\r\nBy Adam Price, Ethan Spiteri\r\nPublished: 2024-12-03 · Archived: 2026-04-02 11:38:06 UTC\r\nCyjax has continued to observe the emergence of data-leak sites (DLSs) for extortion and ransomware groups,\r\nwith ContFR, Argonauts, Kairos, Chort, and Termite, appearing November 2024 alone. Cyjax has identified the\r\nemergence of a Tor-based DLS belonging to a new, self-called “cybercrime group” named ‘Funksec’. This group\r\nhas claimed 11 victims so far and advertises a free Distributed Denial-of-Service (DDoS) tool.\r\nRead on to find out what Cyjax knows so far about this new threat group. \r\nFigure 1 –Funksec DLS landing page.\r\nContext \r\nRansomware-as-a-service operations commonly use DLS to further extort victims, typically proceeding in multiple\r\nstages. The first threat is that the victim’s name and news of a successful attack against it will be published on the\r\nextortion group’s website. Should this fail to motivate a victim to pay a ransom, the group’s next step is typically to\r\nprovide proof of the successful theft of its data. This proof may include screenshots of internal file trees, samples\r\nof employee or customer PII, or other sensitive documents. The group may add a countdown at this stage, noting\r\nthat should the victim fail to pay by the conclusion, it will make all stolen data available to DLS visitors, either for\r\nfree or at cost.  
\r\nVictimology \r\nhttps://www.cyjax.com/resources/blog/take-me-down-to-funksec-town-funksec-ransomware-dls-emergence/\r\nPage 1 of 5\n\nFunkSec has claimed 11 victims as of 3 December 2024, which span the media, IT, retail, education, automotive,\r\nprofessional services, and NGO sectors across the United States, Tunisia, India, France, Thailand, Peru, Jordan,\r\nand the United Arab Emirates.\r\nAs the group is advertised as a ransomware group, and there is a “RANSOM” page in the DLS, it is likely that the\r\ngroup uses a double extortion method. This involves the group both encrypting and exfiltrating files on victim\r\ndevices.\r\nKnown locations \r\nFunksec’s DLS was likely created in September 2024, and the group appears to have been active since this date.\r\nOne advertisement for the DLS was shared to a cybercriminal forum on 3 December 2024.\r\nFigure 2 – Post on cybercriminal forum advertising Funksec’s DLS.\r\nThe advertisement was titled “Funksec Ransomware”, indicating that the group’s main motivation is financial gain\r\nthrough victim extortion. 
It is currently unknown whether the user ‘Scorpionlord’ is a spokesperson of the group,\r\nan affiliate, operator, or actively involved in the attacks.\r\nFunksec is also active on another cybercriminal forum with several users posting as early as September 2024.\r\nThese users have posted data breaches attributed to “Funksec group” and have high reputation scores, indicating a\r\nlevel of credibility to the threat group and its attacks.\r\nFigure 3 – Screenshot of Funksec breach post on cybercriminal forum\r\nThe DLS consists of three main pages, named “BREACH”, “TOOLS”, and “RANSOM”.\r\nBREACH (landing page)\r\nThe ’BREACH’ page is the DLS’ landing page, containing links to pages for each successful attack listing.\r\nThese links contain a logo or banner of the victim organisation, its name, and an indication that the breach is\r\ncomplete, or “done”.\r\nFigure 4 – Victim listings on the Funksec DLS.\r\nRANSOM\r\nCurrently, this page does not have any content, simply stating “comming [sic] soon …”. Due to the new\r\nappearance of Funksec in the threat landscape, it is highly likely that this page will be populated as the group\r\ncontinues to conduct ransomware attacks.\r\nFigure 7 – “RANSOM” page on Funksec’s DLS.\r\nLeak listings\r\nFor listings in which the breach status is “done”, visitors can access a page for each victim.\r\nThese pages contain further information about the victim organisation, the leaked data, and a download link for\r\nthe leak. 
Each listing uses file sharing platforms such as fastupload and gofile, rather than a self-hosted content\r\ndistribution network.\r\nFigure 8 – Listing information page on Funksec’s DLS.\r\nTactics, techniques, and procedures (TTPs)  \r\nDue to the recent emergence of the group, little publicly available information exists surrounding Funksec’s TTPs.\r\nThe existence of data leaks implies the use of double extortion in its ransomware attacks. As the group has\r\nallegedly developed its own DDoS tool, it is realistically possible that it might use this tool in its own attacks.\r\nNo information regarding an initial access vector is known. However, ransomware groups often gain initial access\r\nthrough commonly used techniques such as vulnerability exploitation, brute forcing credentials, or purchasing\r\naccess from initial access brokers (IABs) on cybercriminal forums. \r\nAssociations  \r\nAt the time of writing, Funksec is not known to be associated with any other known threat groups. If the forum\r\nusers continue to post on behalf or relating to Funksec, it is likely that they are a spokesperson or operator of the\r\nransomware operation.  \r\nThreat assessment \r\nFunksec appears to have significant technical capability, possibly creating its own ransomware binary and DDoS\r\ntool. There are 11 public attack announcements, and the group operates a functional Tor-based DLS to centralise\r\nits ransomware operation and post data leaks from successful attacks. As more victims are added to this DLS, the\r\nprevalence and associated threat of the group is likely to increase.\r\nSource: https://www.cyjax.com/resources/blog/take-me-down-to-funksec-town-funksec-ransomware-dls-emergence/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cyjax.com/resources/blog/take-me-down-to-funksec-town-funksec-ransomware-dls-emergence/"
	],
	"report_names": [
		"take-me-down-to-funksec-town-funksec-ransomware-dls-emergence"
	],
	"threat_actors": [
		{
			"id": "13623ffb-4701-4f3d-bf32-8826346433ac",
			"created_at": "2024-12-21T02:00:02.850766Z",
			"updated_at": "2026-04-10T02:00:03.784245Z",
			"deleted_at": null,
			"main_name": "FunkSec",
			"aliases": [],
			"source_name": "MISPGALAXY:FunkSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fbc8fca3-a0bd-4148-99cf-9e6bae3a6f45",
			"created_at": "2024-11-16T02:00:03.816535Z",
			"updated_at": "2026-04-10T02:00:03.775543Z",
			"deleted_at": null,
			"main_name": "Kairos",
			"aliases": [],
			"source_name": "MISPGALAXY:Kairos",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775791908,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21184f85b7f48469a573125e07ba916f61393a9f.pdf",
		"text": "https://archive.orkl.eu/21184f85b7f48469a573125e07ba916f61393a9f.txt",
		"img": "https://archive.orkl.eu/21184f85b7f48469a573125e07ba916f61393a9f.jpg"
	}
}