FunkSec – Alleged Top Ransomware Group Powered by AI
By stcpresearch
Published: 2025-01-10 · Archived: 2026-04-05 23:01:36 UTC
Key Points
The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every
other ransomware group that month.
FunkSec operators appear to use AI-assisted malware development which can enable even inexperienced actors to
quickly produce and refine advanced tools.
The group’s activities straddle the line between hacktivism and cybercrime, complicating efforts to understand their
true motivations.
Many of the group’s leaked datasets are recycled from previous hacktivism campaigns, raising doubts about the
authenticity of their disclosures.
Current methods of assessing ransomware group threats often rely on the actors’ own claims, highlighting the need
for more objective evaluation techniques.
Introduction
The FunkSec ransomware group first emerged publicly in late 2024, and rapidly gained prominence by publishing over 85
claimed victims—more than any other ransomware group in the month of December. Presenting itself as a new
Ransomware-as-a-Service (RaaS) operation, FunkSec appears to have no known connections to previously identified
ransomware gangs, and little information is currently available about its origins or operations.
Our analysis of the group’s activity indicates that the impressive numbers of published victims may mask a more modest
reality both in terms of actual victims as well as the group’s level of expertise. Most of FunkSec’s core operations are likely
conducted by inexperienced actors. In addition, it is difficult to verify the authenticity of the leaked information as the
group’s primary goal appears to be to gain visibility and recognition. Evidence suggests that in some instances, the leaked
information was recycled from previous hacktivist-related leaks, raising questions about its authenticity.
In this report, we explore FunkSec’s ties to hacktivist activity and provide an in-depth analysis of the group’s public
operations and tools, including a custom encryptor likely developed by a relatively inexperienced malware author based in
Algeria. In a surprising discovery, our findings indicate that the development of the group’s tools, including the encryptor,
was likely AI-assisted, which may have contributed to their rapid iteration despite the author’s apparent lack of technical
expertise
This case highlights the increasingly blurred line between hacktivism and cybercrime, emphasizing the challenges in
distinguishing one from the other. Whether such a distinction genuinely exists—or whether the operators are even aware of
or concerned with defining it—remains uncertain. More importantly, It also calls into question the reliability of current
methods for assessing the risk posed by ransomware groups, especially when those assessments rely on the public claims of
the actors themselves.
Background – FunkSec Activity
https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
Page 1 of 8
FunkSec is an emerging ransomware group that launched its data leak site (DLS) in December 2024 to centralize their
ransomware activities. The group uses double extortion tactics, combining data theft with encryption to pressure victims into
paying ransoms. Their DLS features breach announcements, a custom-developed DDoS tool, and, more recently, a custom
ransomware offered as a Ransomware-as-a-Service (RaaS).
Figure 1 - FunkSec data leak site.
Figure 1 – FunkSec data leak site.
FunkSec gained public attention due to their aggressive tactics and the number of their targets, with more than 85 claimed
victims in little over a month of activity. Notably, FunkSec demanded unusually low ransoms, sometimes as little as
$10,000, and sell stolen data to third parties at reduced prices. The group’s activities are widely discussed in cybercrime
forums, further contributing to their growing notoriety.
Figure 2 –
December 15 from an Algerian source. This prototype version of the ransomware is a simplified implementation and
includes these functions:
Encrypt all files on the user’s system (in the C:\ directory) using a combination of RSA and AES encryption. The
original files are deleted after encryption, and encrypted versions with a new extension ( .funksec ) are created.
Create a ransom note ( readme.me ) informing the user that their files have been encrypted and providing
instructions for paying a ransom to obtain a decryption key.
Modify the system environment (e.g., changing the desktop background to black).
Check for administrative/root privileges before executing.
Other free tools
In addition to the ransomware, the FunkSec group offers additional tools, most of them commonly associated with hacktivist
activity.
Figure 5 - Additional offerings by FunkSec.
Figure 5 – Additional offerings by FunkSec.
FDDOS, a Python “Scorpion DDoS Tool”, is a network stress-testing tool designed to perform Distributed Denial-of-Service (DDoS) attacks using either HTTP or UDP flood methods.
JQRAXY_HVNC an HVNC Server and client C++ program is designed for remote desktop management,
automation, and data interaction.
funkgenerate is a smart password generation and scraping tool designed to scrape emails and potential passwords
from given URLs and generate new password suggestions.
Associated Threat Actors
In late 2024, FunkSec emerged without warning and quickly dominated ransomware victim feeds and monitors, seemingly
under the guise of hacktivism. By targeting India and the U.S., and aligning with the “Free Palestine” movement, the group
leveraged multiple personas and aliases to craft its image and gain visibility.
Figure 6 – FunkSec claims about US targets.
Scorpion
Scorpion is the most prominent member of FunkSec and is associated with major portions of the group public profiles. This
actor uses multiple aliases, most prominently DesertStorm.
The actor first surfaced on the Breached Forum, introducing the FunkSec name through a YouTube video posted via the
channel “Scorpion” (@scorpioncybersec) in October 2024. The video alleged that FunkSec leaked a call between then-U.S.
presidential candidate Donald Trump and Israeli Prime Minister Benjamin Netanyahu. However, the recording was clearly
AI-generated.
Figure 7 - Announcement of the allegedly leaked call between Donald Trump and Benjamin Netanyahu.
Figure 7 – Announcement of the allegedly leaked call between Donald Trump and Benjamin Netanyahu.
DesertStorm’s YouTube profile listed their location as Russia, though the video’s shared URL suggested it was uploaded
from Brazil. DesertStorm continued posting leaks on Breached Forum—most unverified or not credited to FunkSec—until
the account was banned in November 2024.
https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
Page 3 of 8
In one of DesertStorm’s posts, they inadvertently shared compromising screenshots that revealed their location to be Algeria,
with French-language keyboard settings. A suspected associate, XTN, publicly alerted DesertStorm to this operational
security (OpSec) lapse, but DesertStorm did not remove the compromising information.
Figure 8 - Screenshot tying DesertStorm to Algeria.
Figure 8 – Screenshot tying DesertStorm to Algeria.
Before DesertStorm’s ban, the actor began tagging two other users, El_Farado and Blako, in forum posts related to
FunkSec leaks and activities. While Blako remained inactive on the forums, El Farado gradually assumed a prominent role,
promoting FunkSec on forums, sharing leaks, and adding the group’s .onion site to their signature.
Figure 9 -Connection between DesertStorm and El_farado
Figure 9 -Connection between DesertStorm and El_farado
The actor is also linked to a Keybase account under the name “Scorpionlord,” where they are listed as the admin of
FunkSec. This account is tied to the FunkSec shame site and DesertStorm’s user on Breached Forum. Scorpionlord is also
the username on two other cybercrime forums where the FunkSec’s website was promoted (these users were since removed).
Notably, El Farado’s Keybase profile was registered on the same day as Scorpionlord’s, suggesting a coordinated effort. A
third Keybase profile, Blako, was registered only a few days later, further supporting the idea that these personas were all
closely linked.
Figure 10 - Scorpion Keybase profile.
Figure 10 – Scorpion Keybase profile.
El_farado
El Farado emerged as a key figure in FunkSec’s operations after DesertStorm’s ban from Breached Forum in November
2024. El Farado took on the task of promoting FunkSec, ensuring its visibility on the forum and sharing alleged leaks.
Key connections to FunkSec include:
Tagged by DesertStorm: DesertStorm’s posts frequently tagged El Farado, linking them directly to FunkSec.
Keybase Profile Registration: El Farado’s Keybase account was registered on the same day as Scorpionlord’s,
implying a strong connection between the two personas.
Promotional Activity: El Farado actively promoted FunkSec’s .onion site on Breached Forum and shared leaks
(often unreliable or recycled).
Rookie Behavior: El Farado occasionally posted threads asking basic hacking questions like “What do hackers do
with leaked data?” This behavior suggests inexperience, corroborating some Scorpion’s admission of the group’s lack
of technical know-how.
Figure 11 - el_farado asking for hacking assistance.
Figure 11 – el_farado asking for hacking assistance.
XTN
XTN is associated with FunkSec’s “data sorting” service advertised on their website, while this service’s purpose is not fully
clear. Their Keybase account, “xtnn,” connects to their Breached Forum profile, where they describe their location as “El
Farado’s room” and reference El Farado in their signature. XTN further solidified their link to FunkSec by publicly warning
DesertStorm about their OpSec lapse.
https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
Page 4 of 8
Bjorka
Bjorka, a known Indonesian hacktivist, has a murkier connection to FunkSec. While leaks attributed to FunkSec were
reposted by a user named Bjorka on DarkForums, no direct collaboration was verified. Additionally, a Telegram channel
named “Bjorkanism” claimed credit for some FunkSec operations, referring to them as “Bjorkanism Ransomware
(FunkSec).” These claims are not supported by Bjorka’s official platforms, suggesting attempts at impersonating Bjorka or
at most, a loose affiliation.
Figure 12 - Bjorkanism referenced as FunkSec ransomware.
Figure 12 – Bjorkanism referenced as FunkSec ransomware.
FunkSec attempted to associate itself with several defunct hacktivist groups:
Ghost Algéria: Referenced in a ransomware note nearly identical to FunkSec’s.
Cyb3r Fl00d: A defacement screenshot from this group was included in FunkSec-related activity, with FunkSec
claiming Cyb3r Fl00d was their “old group.”
Figure 13 -Affiliation between FunkSec and Cyb3r Fl00d
Figure 13 -Affiliation between FunkSec and Cyb3r Fl00d
These associations likely represent attempts to boost FunkSec’s credibility by aligning with well-known names rather than
direct membership or collaboration.
AI-Assisted capabilities
The individuals behind FunkSec appear to have extensively leveraged AI to enhance their capabilities, as evidenced by their
publications and tools. Their public script offerings include extensive code comments with perfect English (as opposed to
very basic English in other mediums), likely generated by an LLM agent. Similar patterns are visible in the Rust source code
linked to the group’s ransomware, suggesting it may have been developed with AI assistance.
Figure 14 - Detailed comments in Scorpion DDoS script.
Figure 14 – Detailed comments in Scorpion DDoS script.
In some of their published messages, the group specifically linked the development of their ransomware to AI-assisted
agents, likely providing it with the source code for the ransomware and simply shared the output on their site.
Figure 15 - FunkSec claims of AI interpretation of their Ransomware code.
Figure 15 – FunkSec claims of AI interpretation of their Ransomware code.
The use of such tools aligns closely with the group’s public claims, as they also released an AI chatbot based on Miniapps to
support their operations. Miniapps is a platform that facilitates the creation and use of AI applications and chatbots, often
without the restrictions found in more popular systems like ChatGPT. The bot developed by FunkSec is specifically
designed to support malicious activities.
Figure 16 - Scorpion miniapps chat.
Figure 16 – Scorpion miniapps chat.
Technical Analysis
To better understand the malware, we examined one of the circulated samples. This is a stripped Rust binary, which makes it
challenging to effectively reverse engineer. In particular, it is subject to aggressive in-lining of library code (see our previous
https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
Page 5 of 8
publication, Inside Akira Ransomware’s Rust Experiment for a clear demonstration of how this works, and how this
complicates reverse engineering tasks), and contains many trait implementations that a disassembler may not recognize out
of the box, many of which are wrappers for e.g. WriteFileEx or CryptGenRandom . However, a careful analysis reveals
some interesting details.
Overall, we were mainly struck by the amount of redundancy in the binary. Control flow seems to repeat itself and call
functions again and again from various execution paths; in a typical ransomware, these would only be called once. For
example, in this sequence of operations:
Figure 17 - Functions called multiple times in the FunkSec Ransomware.
Figure 17 – Functions called multiple times in the FunkSec Ransomware.
Across the entire binary many of these functions are called twice, or even three or four times; the ‘disable security’ routine,
seen above, is called twice in the same basic block. The below recursive function, which iterates into all subdirectories of a
given directory and encrypts the targeted files in it, is called a total of five times across the binary.
Some of the repetition is due to duplicated code that invokes the ‘encrypt all directories’ logic with different hardcoded
constants each time, such as this invocation that uses the constant RansomwarePassword123 :
Figure 18 - RansomwarePassword123 constant in the code.
Figure 18 – RansomwarePassword123 constant in the code.
Aside from the duplicated functionality, the main execution flow of the malware first calls the operations sequence seen
earlier (“disable security”, and so on) and then transfers execution to an ‘encrypt all drives’ function. The operations
sequence begins by checking whether it has elevated privileges (by trying to execute net session ). If not, the binary
attempts to relaunch itself with elevated privileges, using the method described here ( start-process -wait -Verb runas -
filepath '%~nx0' -ArgumentList '' ).
Figure 19 - Sample output of net session without elevated privileges.
Figure 19 – Sample output of net session without elevated privileges.
Once it has elevated privileges, the malware executes the following commands:
Command Functionality
Set-MpPreference -DisableRealtimeMonitoring
$true
Disable Windows Defender real-time protection.
wevtutil sl Security /e:false Disable Security event logging.
wevtutil sl Application /e:false Disable Application event logging.
Set-ExecutionPolicy Bypass -Scope Process -
Force
Disable restrictions placed by the Powershell
execution policy.
vssadmin delete shadows /all /quiet predictably, delete shadow copy backups.
The terminate_processes function contains a hardcoded list of processes and services to terminate:
chrome.exe firefox.exe msedge.exe explorer.exe outlook.exe vlc.exe
spotify.exe skype.exe discord.exe steam.exe java.exe python.exe
https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
Page 6 of 8
node.exe cmd.exe powershell.exe taskmgr.exe wmplayer.exe tscon.exe
notepad.exe spooler bits dnsclient lanmanworkstation winmgmt
netsh iphlpsvc wuauserv RemoteAccess ShellHWDetection SCardSvr
TrkWks wscsvc CryptSvc msiserver MpsSvc defragsvc
upnphost WindowsUpdate srservice wsmprovhost AppIDSvc AudioEndpointBuilder
Schedule eventlog PlugPlay Netman bthserv ShellExperienceHost
SMB WinDefend
Next, the malware moves on to iterating over each letter drive, recursing through its subdirectories and encrypting each file
with one of the targeted extensions. For file encryption, the symmetric encryption used is the chacha20 implementation
available in the orion.rs crate. Ephemeral keys are generated using a thin wrapper for CryptGenRandom (and the
descriptively-named SystemFunction036 ). The newly created filename, with the hardcoded .funksec extension, is
created using a call to Rust’s format! macro.
The malware then writes to disk the (rather emoji-fied) ransom note.
Figure 20 - FunkSec ransomware note.
Figure 20 – FunkSec ransomware note.
Summary
This report provides an in-depth analysis of FunkSec, a ransomware group with apparent hacktivist tendencies. The custom
encryptor, developed by an inexperienced Algerian author, features AI-assisted elements which enables rapid development
and improvement. FunkSec’s data leaks often recycle information from previous hacktivist campaigns, casting doubt on the
authenticity of their claims. Despite these limitations, their Tor-based operations and low ransom demands have drawn
widespread attention in cybercrime forums.
FunkSec’s operations highlight the role of AI in malware development, the overlap between hacktivism and cybercrime, and
the challenges in verifying leaked data. It also raises questions about how we assess the threat posed by ransomware groups,
as we often rely on the groups’ own claims. These findings reflect a changing threat landscape, where even low-skill actors
can make use of accessible tools to cast a very large shadow.
Harmony Endpoint provides comprehensive endpoint protection at the highest security level, crucial to avoid security
breaches and data compromise and protects against this threat.
IOCs:
c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c
66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd
dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac
b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb
5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd
e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22
20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d
https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
Page 7 of 8
dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966
7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603
Source: https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
Page 8 of 8