
A new criminal group called FunkSec, which appears to be using generative AI to develop its code, has sped to the top of ransomware threat indexes.
‘FunkSec’ only appeared on the ransomware scene in late 2024 but it has already sparked a surge in attacks.
With 103 attacks conducted by the group in December, according to data from cybersecurity firm NCC Group, FunkSec was responsible for more incidents than any other cybercrime group. It conducted 35 more attacks than the well-established Russian-language cybercrime group, Cl0p.
December is typically a quieter month for attacks, according to Ian Usher, associate director of threat intelligence at NCC Group, but last month saw the highest number of ransomware attacks on record, he says, “turning the pattern on its head”.
Is FunkSec using AI?
According to an analysis from security firm Check Point, FunkSec – which the company estimates as having four members – has a few differentiators from typical ransomware groups.
The group’s technical capabilities appear to be middling, according to Check Point. The way the group’s malware codebase is organised suggests that FunkSec is using generative AI, says Sergey Shykevich, who leads threat intelligence at Check Point. He adds that the ransomware architect also told Check Point researchers they had used Gen AI.
“They told us they’re a developer and not a coder,” Shykevich says. “So the attacker understands how programming works and what they want, but are then using a combination of generative AI and other people to create and define the malware.”
Check Point found that the group’s encryptor – the software that locks away data for ransom – was likely an AI-assisted creation. This might have contributed to FunkSec’s rapid iteration, despite what Check Point describes as the author’s “apparent lack of technical expertise”.
FunkSec’s rise to the top of the ransomware attacker charts may be a branding exercise, Shykevich says. He believes that, while FunkSec’s ransom technology works and many of its victims are real, the group might also be claiming responsibility for attacks that it didn’t conduct in order to boost its numbers and increase visibility on the dark web.
FunkSec: from hacktivism to extortion
FunkSec appears to have its roots in hacktivism, having also developed tools for launching Distributed Denial of Service (DDoS) attacks. Now, notes Check Point, it is blending those hacktivist roots with financial extortion, encouraging attacks against firms located in the US, India and Israel.
Despite the blend of ideology and crime, Shykevich believes the main motivation for FunkSec is financial. The group’s ransom demands are unusually small, sometimes as low as $10,000 (£8,036), indicating a “spray-and-pray” approach, where the group is paid little and often rather than going after the highest-value targets.
While it’s little surprise that ransomware remains a reliable tactic for cybercriminals, the speed at which FunkSec rose to prominence shows that AI can be easily repurposed to launch attacks, even among the apparently inexperienced.
“The rise of new and aggressive actors like FunkSec, who have been at the forefront of these attacks, is alarming and suggests a more turbulent threat landscape heading into 2025,” says Usher.
Cybercriminals have long made their capabilities available for anyone who is willing to pay, via so-called ransomware-as-a-service. Perhaps more alarming is that technical skills may not be the barrier to entry for creating the malware itself that they once were.
