Ransomware Code Generated by FunkSec AI

📟 News

Date: 26/07/2025

Experts from Kaspersky Lab have studied the activity of the FunkSec group, which emerged in late 2024. The group's defining traits are the use of AI-based tools (including in the development of ransomware), a high degree of adaptability, and the large scale of its cyberattacks.

According to experts, FunkSec targets organizations in the public sector, as well as IT, finance, and education industries in European and Asian countries.

Typically, FunkSec operators demand unusually small ransoms — sometimes no more than $10,000 USD. Additionally, the attackers sell the data stolen from victims at a relatively low price.

Experts believe that such an approach allows for a large number of cyberattacks and quickly builds a reputation within the criminal community. Additionally, the scale of the attacks indicates that the perpetrators are using AI to optimize and scale their operations.

The report highlights that the FunkSec ransomware is distinguished by its complex technical architecture and use of AI. The malware’s developers have included full-scale encryption and data theft capabilities in a single executable file written in Rust. It can terminate more than 50 processes on victim devices and is equipped with self-cleaning functions, making incident analysis more difficult.

It is also noted that FunkSec employs advanced methods to evade detection, which complicates the work of researchers.

The FunkSec ransomware does not come as a standalone package: it is supplemented with a password generator (used for brute force attacks and password spraying), as well as a tool for DDoS attacks.

In all cases, researchers discovered clear signs of code generation using large language models (LLMs). Many code fragments were evidently written not manually, but automatically. This is confirmed by placeholder comments (e.g., “placeholder for actual validation”), as well as technical inconsistencies. For instance, it was observed that a single program contained commands for different operating systems. Additionally, the presence of declared but unused functions reflects how LLMs combine several code fragments without trimming excess elements.
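As an added illustration (not code from the Kaspersky report or from the FunkSec sample), the following Python triage script flags the three artefacts just described: placeholder comments, commands for more than one operating system inside one program, and declared-but-unused functions. The regexes, the command lists and the Rust-like sample source are assumptions constructed for this example.

```python
"""Heuristic triage for LLM-generation artefacts in a source listing.
Added example; SAMPLE below is constructed, not FunkSec code."""
import re
from dataclasses import dataclass, field

# Assumed indicator patterns; extend them for a real triage workflow.
PLACEHOLDER = re.compile(r"placeholder for|todo:? implement|replace with (the )?actual", re.I)
WINDOWS_CMDS = ("taskkill", "cmd.exe", "powershell", "wmic")
UNIX_CMDS = ("pkill", "killall", "/bin/sh", "systemctl")
FN_DECL = re.compile(r"\bfn\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(")  # Rust-style `fn name(`


@dataclass
class Report:
    placeholders: list = field(default_factory=list)   # line numbers
    windows_cmds: list = field(default_factory=list)
    unix_cmds: list = field(default_factory=list)
    unused_functions: list = field(default_factory=list)

    @property
    def mixed_os(self) -> bool:
        return bool(self.windows_cmds) and bool(self.unix_cmds)

    def score(self) -> int:
        return len(self.placeholders) + int(self.mixed_os) + len(self.unused_functions)


def scan(source: str) -> Report:
    r = Report()
    for n, line in enumerate(source.splitlines(), 1):
        if PLACEHOLDER.search(line):
            r.placeholders.append(n)
        r.windows_cmds += [c for c in WINDOWS_CMDS if c in line]
        r.unix_cmds += [c for c in UNIX_CMDS if c in line]
    for name in FN_DECL.findall(source):
        # Count call sites: every `name(` occurrence except the declaration itself.
        calls = len(re.findall(r"\b%s\s*\(" % re.escape(name), source)) - 1
        if name != "main" and calls == 0:
            r.unused_functions.append(name)
    return r


SAMPLE = """\
fn validate(path: &str) -> bool {
    // placeholder for actual validation
    true
}
fn stop_services() {
    run("taskkill /F /IM backup.exe");
    run("pkill -9 backupd");
}
fn cleanup_logs() { /* declared but never called */ }
fn main() { if validate("x") { stop_services(); } }
"""
```

Running `scan(SAMPLE)` reports the placeholder on line 2, both a Windows and a Unix process-kill command, and `cleanup_logs` as declared but unused.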

“We are increasingly seeing that attackers are using generative AI to create malicious tools. It speeds up the development process, allowing attackers to adapt their tactics more quickly, and also lowers the entry barrier into the industry. However, such generated code often contains errors, so attackers cannot fully rely on new technologies during development,” comments Tatyana Shishkova, a leading expert at Kaspersky GReAT.
