{
	"id": "16c965a4-8529-4ab2-b3f6-34ac2d8a1a79",
	"created_at": "2026-04-06T00:07:34.94601Z",
	"updated_at": "2026-04-10T13:13:01.59352Z",
	"deleted_at": null,
	"sha1_hash": "3d21ee038a509724bab0bc79ccf51c7223d87e93",
	"title": "FunkSec – Alleged Top Ransomware Group Powered by AI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92770,
	"plain_text": "FunkSec – Alleged Top Ransomware Group Powered by AI\r\nBy stcpresearch\r\nPublished: 2025-01-10 · Archived: 2026-04-05 23:01:36 UTC\r\nKey Points\r\nThe FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every\r\nother ransomware group that month.\r\nFunkSec operators appear to use AI-assisted malware development which can enable even inexperienced actors to\r\nquickly produce and refine advanced tools.\r\nThe group’s activities straddle the line between hacktivism and cybercrime, complicating efforts to understand their\r\ntrue motivations.\r\nMany of the group’s leaked datasets are recycled from previous hacktivism campaigns, raising doubts about the\r\nauthenticity of their disclosures.\r\nCurrent methods of assessing ransomware group threats often rely on the actors’ own claims, highlighting the need\r\nfor more objective evaluation techniques.\r\nIntroduction\r\nThe FunkSec ransomware group first emerged publicly in late 2024, and rapidly gained prominence by publishing over 85\r\nclaimed victims—more than any other ransomware group in the month of December. Presenting itself as a new\r\nRansomware-as-a-Service (RaaS) operation, FunkSec appears to have no known connections to previously identified\r\nransomware gangs, and little information is currently available about its origins or operations.\r\nOur analysis of the group’s activity indicates that the impressive numbers of published victims may mask a more modest\r\nreality both in terms of actual victims as well as the group’s level of expertise. Most of FunkSec’s core operations are likely\r\nconducted by inexperienced actors. In addition, it is difficult to verify the authenticity of the leaked information as the\r\ngroup’s primary goal appears to be to gain visibility and recognition. 
Evidence suggests that in some instances, the leaked\r\ninformation was recycled from previous hacktivist-related leaks, raising questions about its authenticity.\r\nIn this report, we explore FunkSec’s ties to hacktivist activity and provide an in-depth analysis of the group’s public\r\noperations and tools, including a custom encryptor likely developed by a relatively inexperienced malware author based in\r\nAlgeria. In a surprising discovery, our findings indicate that the development of the group’s tools, including the encryptor,\r\nwas likely AI-assisted, which may have contributed to their rapid iteration despite the author’s apparent lack of technical\r\nexpertise.\r\nThis case highlights the increasingly blurred line between hacktivism and cybercrime, emphasizing the challenges in\r\ndistinguishing one from the other. Whether such a distinction genuinely exists—or whether the operators are even aware of\r\nor concerned with defining it—remains uncertain. More importantly, it also calls into question the reliability of current\r\nmethods for assessing the risk posed by ransomware groups, especially when those assessments rely on the public claims of\r\nthe actors themselves.\r\nBackground – FunkSec Activity\r\nhttps://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/\r\nPage 1 of 8\n\nFunkSec is an emerging ransomware group that launched its data leak site (DLS) in December 2024 to centralize their\nransomware activities. The group uses double extortion tactics, combining data theft with encryption to pressure victims into\npaying ransoms. 
Their DLS features breach announcements, a custom-developed DDoS tool, and, more recently, a custom\nransomware offered as a Ransomware-as-a-Service (RaaS).\nFigure 1 – FunkSec data leak site.\nFunkSec gained public attention due to their aggressive tactics and the number of their targets, with more than 85 claimed\nvictims in little over a month of activity. Notably, FunkSec demanded unusually low ransoms, sometimes as little as\n$10,000, and sells stolen data to third parties at reduced prices. The group’s activities are widely discussed in cybercrime\nforums, further contributing to their growing notoriety.\nFigure 2 –\n\nDecember 15 from an Algerian source. This prototype version of the ransomware is a simplified implementation and\r\nincludes these functions:\r\nEncrypt all files on the user’s system (in the C:\\ directory) using a combination of RSA and AES encryption. The\r\noriginal files are deleted after encryption, and encrypted versions with a new extension (.funksec) are created.\r\nCreate a ransom note (readme.me) informing the user that their files have been encrypted and providing\r\ninstructions for paying a ransom to obtain a decryption key.\r\nModify the system environment (e.g., changing the desktop background to black).\r\nCheck for administrative/root privileges before executing.\r\nOther free tools\r\nIn addition to the ransomware, the FunkSec group offers additional tools, most of them commonly associated with hacktivist\r\nactivity.\r\nFigure 5 – Additional offerings by FunkSec.\r\nFDDOS, a Python “Scorpion DDoS Tool”, is a network stress-testing tool designed to perform Distributed Denial-of-Service (DDoS) attacks using either HTTP or UDP flood methods.\r\nJQRAXY_HVNC, an HVNC server and client C++ program, is designed for remote desktop management,\r\nautomation, and data interaction.\r\nfunkgenerate is a smart password generation and scraping tool 
designed to scrape emails and potential passwords\r\nfrom given URLs and generate new password suggestions.\r\nAssociated Threat Actors\r\nIn late 2024, FunkSec emerged without warning and quickly dominated ransomware victim feeds and monitors, seemingly\r\nunder the guise of hacktivism. By targeting India and the U.S., and aligning with the “Free Palestine” movement, the group\r\nleveraged multiple personas and aliases to craft its image and gain visibility.\r\nFigure 6 – FunkSec claims about US targets.\r\nScorpion\r\nScorpion is the most prominent member of FunkSec and is associated with major portions of the group’s public profiles. This\r\nactor uses multiple aliases, most prominently DesertStorm.\r\nThe actor first surfaced on the Breached Forum, introducing the FunkSec name through a YouTube video posted via the\r\nchannel “Scorpion” (@scorpioncybersec) in October 2024. The video alleged that FunkSec leaked a call between then-U.S.\r\npresidential candidate Donald Trump and Israeli Prime Minister Benjamin Netanyahu. However, the recording was clearly\r\nAI-generated.\r\nFigure 7 – Announcement of the allegedly leaked call between Donald Trump and Benjamin Netanyahu.\r\nDesertStorm’s YouTube profile listed their location as Russia, though the video’s shared URL suggested it was uploaded\r\nfrom Brazil. DesertStorm continued posting leaks on Breached Forum—most unverified or not credited to FunkSec—until\r\nthe account was banned in November 2024.\r\nIn one of DesertStorm’s posts, they inadvertently shared compromising screenshots that revealed their location to be Algeria,\r\nwith French-language keyboard settings. 
A suspected associate, XTN, publicly alerted DesertStorm to this operational\r\nsecurity (OpSec) lapse, but DesertStorm did not remove the compromising information.\r\nFigure 8 – Screenshot tying DesertStorm to Algeria.\r\nBefore DesertStorm’s ban, the actor began tagging two other users, El_Farado and Blako, in forum posts related to\r\nFunkSec leaks and activities. While Blako remained inactive on the forums, El Farado gradually assumed a prominent role,\r\npromoting FunkSec on forums, sharing leaks, and adding the group’s .onion site to their signature.\r\nFigure 9 – Connection between DesertStorm and El_farado.\r\nThe actor is also linked to a Keybase account under the name “Scorpionlord,” where they are listed as the admin of\r\nFunkSec. This account is tied to the FunkSec shame site and DesertStorm’s user on Breached Forum. Scorpionlord is also\r\nthe username on two other cybercrime forums where FunkSec’s website was promoted (these users have since been removed).\r\nNotably, El Farado’s Keybase profile was registered on the same day as Scorpionlord’s, suggesting a coordinated effort. A\r\nthird Keybase profile, Blako, was registered only a few days later, further supporting the idea that these personas were all\r\nclosely linked.\r\nFigure 10 – Scorpion Keybase profile.\r\nEl_farado\r\nEl Farado emerged as a key figure in FunkSec’s operations after DesertStorm’s ban from Breached Forum in November\r\n2024. 
El Farado took on the task of promoting FunkSec, ensuring its visibility on the forum and sharing alleged leaks.\r\nKey connections to FunkSec include:\r\nTagged by DesertStorm: DesertStorm’s posts frequently tagged El Farado, linking them directly to FunkSec.\r\nKeybase Profile Registration: El Farado’s Keybase account was registered on the same day as Scorpionlord’s,\r\nimplying a strong connection between the two personas.\r\nPromotional Activity: El Farado actively promoted FunkSec’s .onion site on Breached Forum and shared leaks\r\n(often unreliable or recycled).\r\nRookie Behavior: El Farado occasionally posted threads asking basic hacking questions like “What do hackers do\r\nwith leaked data?” This behavior suggests inexperience, corroborating Scorpion’s admission of the group’s lack\r\nof technical know-how.\r\nFigure 11 – el_farado asking for hacking assistance.\r\nXTN\r\nXTN is associated with FunkSec’s “data sorting” service advertised on their website, though this service’s purpose is not fully\r\nclear. Their Keybase account, “xtnn,” connects to their Breached Forum profile, where they describe their location as “El\r\nFarado’s room” and reference El Farado in their signature. XTN further solidified their link to FunkSec by publicly warning\r\nDesertStorm about their OpSec lapse.\r\nBjorka\r\nBjorka, a known Indonesian hacktivist, has a murkier connection to FunkSec. While leaks attributed to FunkSec were\r\nreposted by a user named Bjorka on DarkForums, no direct collaboration was verified. 
Additionally, a Telegram channel\r\nnamed “Bjorkanism” claimed credit for some FunkSec operations, referring to them as “Bjorkanism Ransomware\r\n(FunkSec).” These claims are not supported by Bjorka’s official platforms, suggesting attempts at impersonating Bjorka or,\r\nat most, a loose affiliation.\r\nFigure 12 – Bjorkanism referenced as FunkSec ransomware.\r\nFunkSec attempted to associate itself with several defunct hacktivist groups:\r\nGhost Algéria: Referenced in a ransomware note nearly identical to FunkSec’s.\r\nCyb3r Fl00d: A defacement screenshot from this group was included in FunkSec-related activity, with FunkSec\r\nclaiming Cyb3r Fl00d was their “old group.”\r\nFigure 13 – Affiliation between FunkSec and Cyb3r Fl00d.\r\nThese associations likely represent attempts to boost FunkSec’s credibility by aligning with well-known names rather than\r\ndirect membership or collaboration.\r\nAI-Assisted Capabilities\r\nThe individuals behind FunkSec appear to have extensively leveraged AI to enhance their capabilities, as evidenced by their\r\npublications and tools. Their public script offerings include extensive code comments with perfect English (as opposed to\r\nvery basic English in other mediums), likely generated by an LLM agent. 
Similar patterns are visible in the Rust source code\r\nlinked to the group’s ransomware, suggesting it may have been developed with AI assistance.\r\nFigure 14 – Detailed comments in Scorpion DDoS script.\r\nIn some of their published messages, the group specifically linked the development of their ransomware to AI-assisted\r\nagents, likely providing the agent with the ransomware source code and simply sharing the output on their site.\r\nFigure 15 – FunkSec claims of AI interpretation of their ransomware code.\r\nThe use of such tools aligns closely with the group’s public claims, as they also released an AI chatbot based on Miniapps to\r\nsupport their operations. Miniapps is a platform that facilitates the creation and use of AI applications and chatbots, often\r\nwithout the restrictions found in more popular systems like ChatGPT. The bot developed by FunkSec is specifically\r\ndesigned to support malicious activities.\r\nFigure 16 – Scorpion Miniapps chat.\r\nTechnical Analysis\r\nTo better understand the malware, we examined one of the circulated samples. This is a stripped Rust binary, which makes it\r\nchallenging to effectively reverse engineer. In particular, it is subject to aggressive inlining of library code (see our previous\r\npublication, Inside Akira Ransomware’s Rust Experiment, for a clear demonstration of how this works, and how this\r\ncomplicates reverse engineering tasks), and contains many trait implementations that a disassembler may not recognize out\r\nof the box, many of which are wrappers for e.g. WriteFileEx or CryptGenRandom. 
However, a careful analysis reveals\r\nsome interesting details.\r\nOverall, we were mainly struck by the amount of redundancy in the binary. Control flow seems to repeat itself and call\r\nfunctions again and again from various execution paths; in a typical ransomware, these would only be called once. For\r\nexample, in this sequence of operations:\r\nFigure 17 – Functions called multiple times in the FunkSec ransomware.\r\nAcross the entire binary, many of these functions are called twice, or even three or four times; the ‘disable security’ routine,\r\nseen above, is called twice in the same basic block. The recursive function below, which iterates into all subdirectories of a\r\ngiven directory and encrypts the targeted files in it, is called a total of five times across the binary.\r\nSome of the repetition is due to duplicated code that invokes the ‘encrypt all directories’ logic with different hardcoded\r\nconstants each time, such as this invocation that uses the constant RansomwarePassword123:\r\nFigure 18 – RansomwarePassword123 constant in the code.\r\nAside from the duplicated functionality, the main execution flow of the malware first calls the operations sequence seen\r\nearlier (“disable security”, and so on) and then transfers execution to an ‘encrypt all drives’ function. The operations\r\nsequence begins by checking whether it has elevated privileges (by trying to execute net session). 
If not, the binary\r\nattempts to relaunch itself with elevated privileges, using the method described here (start-process -wait -Verb runas -filepath '%~nx0' -ArgumentList '\u003carguments\u003e').\r\nFigure 19 – Sample output of net session without elevated privileges.\r\nOnce it has elevated privileges, the malware executes the following commands:\r\nCommand | Functionality\r\nSet-MpPreference -DisableRealtimeMonitoring $true | Disable Windows Defender real-time protection.\r\nwevtutil sl Security /e:false | Disable Security event logging.\r\nwevtutil sl Application /e:false | Disable Application event logging.\r\nSet-ExecutionPolicy Bypass -Scope Process -Force | Disable restrictions placed by the PowerShell execution policy.\r\nvssadmin delete shadows /all /quiet | Predictably, delete shadow copy backups.\r\nThe terminate_processes function contains a hardcoded list of processes and services to terminate:\r\nchrome.exe firefox.exe msedge.exe explorer.exe outlook.exe vlc.exe\r\nspotify.exe skype.exe discord.exe steam.exe java.exe python.exe\r\nnode.exe cmd.exe powershell.exe taskmgr.exe wmplayer.exe tscon.exe\r\nnotepad.exe spooler bits dnsclient lanmanworkstation winmgmt\r\nnetsh iphlpsvc wuauserv RemoteAccess ShellHWDetection SCardSvr\r\nTrkWks wscsvc CryptSvc msiserver MpsSvc defragsvc\r\nupnphost WindowsUpdate srservice wsmprovhost AppIDSvc AudioEndpointBuilder\r\nSchedule eventlog PlugPlay Netman bthserv ShellExperienceHost\r\nSMB WinDefend\r\nNext, the malware moves on to iterating over each drive letter, recursing through its subdirectories and encrypting each file\r\nwith one of the targeted extensions. For file encryption, the symmetric encryption used is the ChaCha20 implementation\r\navailable in the orion.rs crate. 
Ephemeral keys are generated using a thin wrapper for CryptGenRandom (and the\r\ndescriptively-named SystemFunction036). The newly created filename, with the hardcoded .funksec extension, is\r\ncreated using a call to Rust’s format! macro.\r\nThe malware then writes to disk the (rather emoji-fied) ransom note.\r\nFigure 20 – FunkSec ransomware note.\r\nSummary\r\nThis report provides an in-depth analysis of FunkSec, a ransomware group with apparent hacktivist tendencies. The custom\r\nencryptor, developed by an inexperienced Algerian author, features AI-assisted elements which enable rapid development\r\nand improvement. FunkSec’s data leaks often recycle information from previous hacktivist campaigns, casting doubt on the\r\nauthenticity of their claims. Despite these limitations, their Tor-based operations and low ransom demands have drawn\r\nwidespread attention in cybercrime forums.\r\nFunkSec’s operations highlight the role of AI in malware development, the overlap between hacktivism and cybercrime, and\r\nthe challenges in verifying leaked data. They also raise questions about how we assess the threat posed by ransomware groups,\r\nas we often rely on the groups’ own claims. 
These findings reflect a changing threat landscape, where even low-skill actors\r\ncan make use of accessible tools to cast a very large shadow.\r\nHarmony Endpoint provides comprehensive endpoint protection at the highest security level, crucial to avoid security\r\nbreaches and data compromise and protects against this threat.\r\nIOCs:\r\nc233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c\r\n66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\r\ndcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac\r\nb1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb\r\n5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd\r\ne622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22\r\n20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d\r\ndd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966\r\n7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603\r\nSource: https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/"
	],
	"report_names": [
		"funksec-alleged-top-ransomware-group-powered-by-ai"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "13623ffb-4701-4f3d-bf32-8826346433ac",
			"created_at": "2024-12-21T02:00:02.850766Z",
			"updated_at": "2026-04-10T02:00:03.784245Z",
			"deleted_at": null,
			"main_name": "FunkSec",
			"aliases": [],
			"source_name": "MISPGALAXY:FunkSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434054,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d21ee038a509724bab0bc79ccf51c7223d87e93.pdf",
		"text": "https://archive.orkl.eu/3d21ee038a509724bab0bc79ccf51c7223d87e93.txt",
		"img": "https://archive.orkl.eu/3d21ee038a509724bab0bc79ccf51c7223d87e93.jpg"
	}
}