Check Point researchers have identified a ransomware operation called FunkSec that represents a notable trend in cybercrime: the use of artificial intelligence to accelerate malware development by operators with limited technical expertise. The group targeted over 80 organizations in December 2023 alone, blending hacktivist messaging with financially motivated criminal operations.
AI-Assisted Malware Development
FunkSec’s primary tool is a Rust-based ransomware encryptor that shows clear signs of AI assistance in its code. Technical analysis by Check Point suggests the malware was authored by an inexperienced developer, likely based in Algeria, who used AI code generation tools to compensate for gaps in technical knowledge. FunkSec also operates an AI chatbot via the Miniapps platform to manage victim communications and streamline ransom negotiations.
Attack Methodology and Technical Capabilities
FunkSec operates under the ransomware-as-a-service (RaaS) model and employs double extortion: encrypting victim data while simultaneously threatening to publish stolen files. Their malware performs the following actions on infected systems:
- Disables Windows Defender and endpoint protection mechanisms
- Blocks Windows security event logging
- Deletes Volume Shadow Copy (VSS) backups to prevent local recovery
- Terminates approximately 50 critical system processes
- Encrypts files and appends the .funksec extension
MITRE ATT&CK maps VSS deletion to technique T1490 (Inhibit System Recovery) and Defender disabling to T1562.001.
Economic Model and Ransom Pricing
FunkSec demands relatively modest ransoms of approximately $10,000, substantially lower than established groups like LockBit or ALPHV. Stolen data is sold separately to other cybercriminals at $1,000–$5,000 per dataset. This pricing model indicates an early-stage operation focused on building reputation and market share rather than maximizing per-victim returns.
Hacktivist Connections and Political Framing
Intelligence analysis links FunkSec to the Free Palestine cyber campaign, with documented attacks against targets in India and the United States. The group claims associations with former hacktivist collectives Ghost Algéria and Cyb3r Fl00d, though forensic analysis suggests these connections may be fabricated — much of their leaked data appears recycled from previous hacktivist operations rather than freshly exfiltrated.
Who Is at Risk
Organizations in government, healthcare, and financial services are primary targets. The RaaS model means FunkSec affiliates can attack any sector. Companies without tested offline backups and those running unpatched endpoints with Defender as the sole protection layer face the highest exposure.
Recommended Defensive Actions
- Maintain tested, offline or air-gapped backups that ransomware cannot reach via network shares
- Deploy endpoint detection and response (EDR) that does not rely solely on Defender signatures, to catch Defender-disabling behavior
- Enable Windows Event Log forwarding to a SIEM so VSS deletion and mass process termination trigger alerts
- Apply the principle of least privilege — restrict who can disable security software or modify shadow copies
- Monitor for CISA ransomware advisories and apply patches on the advertised timeline