New amateurish ransomware group FunkSec using AI to develop malware

Researchers have uncovered a new ransomware group that has claimed over 80 victims in just one month — more than any other threat actor in December.

The group, known as FunkSec, emerged late last year and likely consists of inexperienced hackers seeking visibility and recognition, according to a new report by the cybersecurity firm Check Point.

“Many of the group’s leaked datasets are recycled from previous hacktivism campaigns, raising doubts about the authenticity of their disclosures,” the researchers said.

FunkSec demands unusually low ransoms, sometimes as little as $10,000, from its victims — who are mostly based in the U.S., India, Italy, Brazil, Israel, Spain, and Mongolia — and sells stolen data to third parties at reduced prices.

The victims listed on its website include a travel booking company, an energy management service, and a company that sells household appliances. None of them have publicly confirmed the alleged attacks.

The latest version of the group’s ransomware, named FunkSec V1, was uploaded from Algeria, likely by its creator. The malware contains elements that appear to have been created with the help of artificial intelligence.

Researchers noted the developer likely used AI to quickly develop and improve the tool and supplement their “apparent lack of technical expertise.”

For example, AI was likely used to write code comments in perfect English, contrasting with the very basic English used on the group’s other platforms. FunkSec also released an AI chatbot to support its operations.

FunkSec’s true motivations are unclear, as its activities align with both hacktivism and cybercrime, according to the report.

In addition to ransomware, the group offers tools commonly associated with hacktivist activities, including services for distributed denial-of-service (DDoS) attacks, remote desktop management, and password generation.

Some of the group’s members previously engaged in hacktivist activities. They also claim to target India and the U.S., aligning themselves with the "Free Palestine" movement and attempting to associate with now-defunct hacktivist entities like Ghost Algeria and Cyb3r Fl00d.

“These associations likely represent attempts to boost FunkSec’s credibility by aligning with well-known names rather than indicating direct membership or collaboration,” the researchers said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.