CyberSecurity SEE

FunkSec ransomware seeks fame using AI-driven code

FunkSec, a ransomware group with hacktivist ties, has brought a new wave of cybercrime activities to light, utilizing AI to enhance their malicious operations, as outlined by a recent analysis from Check Point Research. The group emerged in October 2024 on the Breached forum and quickly made a name for itself by leaking an AI-generated phone call between then-U.S. presidential candidate Donald Trump and Israeli Prime Minister Benjamin Netanyahu.

In December of the same year, FunkSec established a data leak site and began posting a significant number of claimed victims – a total of 85 in that month alone, surpassing other ransomware gangs. However, researchers discovered that much of the leaked data seemed to be recycled from previous hacktivism campaigns, casting doubt on FunkSec’s experience and skills as a ransomware threat actor.

Check Point Research delved deeper into the group’s origins and uncovered connections to hacktivism actors, particularly a now-defunct group called Ghost Algéria. The researchers identified key individuals associated with FunkSec, who displayed a pattern of amateurish behavior, such as revealing their location publicly or asking basic questions about hacking on cybercrime forums.

A technical analysis of FunkSec’s ransomware revealed redundancies in its code, suggesting a lack of sophistication in their malware development. In addition to custom ransomware, the group offers various tools for cybercrime activities, including a DDoS tool, a password generation tool, and a remote desktop management tool.

FunkSec claims to target the United States primarily due to its support for Israel, but the group’s claimed victims span multiple countries including India, Italy, Brazil, Spain, and Mongolia. The group’s ransomware, written in Rust, shows signs of AI assistance in its development, with detailed comments written in perfect English.

FunkSec frequently updates its ransomware offering to evade detection by antivirus services, with the latest version boasting a low detection rate. The ransomware encrypts directories using ChaCha20, disables security features, and demands relatively low ransoms. FunkSec also sells stolen data at reduced prices.

Check Point Research concluded that FunkSec’s operations highlight the evolving threat landscape, where even low-skill actors can leverage accessible tools like AI to carry out cyberattacks. The group’s activities underscore the overlap between hacktivism and cybercrime, raising questions about how ransomware groups are assessed in terms of their capabilities and the threats they pose.

Ultimately, FunkSec’s utilization of AI in their cybercrime activities sheds light on the changing nature of cybersecurity threats and the challenges in verifying leaked data. The group’s emergence represents a new era where even less experienced threat actors can leverage advanced technologies to propagate malicious activities on a global scale.
