
Experts from Kaspersky Lab have studied the activity of the FunkSec group, which emerged in late 2024. The group's main characteristics turned out to be the use of AI-based tools (including in the development of its ransomware), a high degree of adaptability, and the large scale of its attacks.
According to experts, FunkSec targets organizations in the public sector, as well as IT, finance, and education industries in European and Asian countries.
Typically, FunkSec operators demand unusually small ransoms — sometimes no more than $10,000 USD. Additionally, the attackers sell the data stolen from victims at a relatively low price.
Experts believe that this approach allows the group to carry out a large number of attacks and to quickly build a reputation within the criminal community. The scale of the attacks also indicates that the perpetrators are using AI to optimize and scale their operations.
The report highlights that the FunkSec ransomware is distinguished by its complex technical architecture and use of AI. The malware’s developers have included full-scale encryption and data theft capabilities in a single executable file written in Rust. It can terminate more than 50 processes on victim devices and is equipped with self-cleaning functions, making incident analysis more difficult.
It is also noted that FunkSec employs advanced methods to evade detection, which complicates the work of researchers.
The FunkSec ransomware does not come alone: it is bundled with a password generator (used for brute-force and password-spraying attacks) and a tool for DDoS attacks.
In all cases, researchers discovered clear signs of code generation using large language models (LLMs). Many code fragments were evidently written not manually, but automatically. This is confirmed by placeholder comments (e.g., “placeholder for actual validation”), as well as technical inconsistencies. For instance, it was observed that a single program contained commands for different operating systems. Additionally, the presence of declared but unused functions reflects how LLMs combine several code fragments without trimming excess elements.
“We are increasingly seeing that attackers are using generative AI to create malicious tools. It speeds up the development process, allowing attackers to adapt their tactics more quickly, and also lowers the entry barrier into the industry. However, such generated code often contains errors, so attackers cannot fully rely on new technologies during development,” comments Tatyana Shishkova, a leading expert at Kaspersky GReAT.
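As an added example (not from the Kaspersky report or this article), the following Python triage helper scans a `strings`-style dump of a sample for two of the indicators described above: placeholder comments left by a code generator, and commands for different operating systems inside one binary. The patterns and the sample strings are constructed assumptions for illustration; the third indicator (declared but unused functions) needs symbol or call-graph analysis and is not covered here.

```python
import re

# Constructed sample: lines as they might appear in a `strings` dump of a
# Rust binary. These are illustrative and are NOT strings from any real sample.
SAMPLE_STRINGS = [
    "placeholder for actual validation",
    "TODO: replace with real key exchange",
    "cmd.exe /c ipconfig /all",
    "taskkill /F /IM example.exe",
    "/bin/sh -c ifconfig",
    "pkill -9 example",
    "Encrypting file",
    "unused_helper",
]

# Heuristic patterns (assumptions). Placeholder phrases are typical of
# generated code that was never finished by a human reviewer.
PLACEHOLDER_RE = [re.compile(p, re.I) for p in (
    r"placeholder for", r"\bTODO\b", r"replace with (the )?real", r"implement (the )?actual",
)]
# Platform-specific command markers; a single binary referencing both families
# is the "commands for different operating systems" inconsistency.
WINDOWS_RE = [re.compile(p, re.I) for p in (
    r"\bcmd\.exe\b", r"\bpowershell\b", r"\btaskkill\b", r"\bipconfig\b", r"\bHKEY_",
)]
UNIX_RE = [re.compile(p) for p in (
    r"/bin/(ba)?sh\b", r"\bpkill\b", r"\bifconfig\b", r"\bchmod\b", r"^/etc/",
)]


def _matches(strings, patterns):
    return [s for s in strings if any(p.search(s) for p in patterns)]


def triage(strings):
    """Return the matched strings per indicator and whether both OS families appear."""
    win = _matches(strings, WINDOWS_RE)
    nix = _matches(strings, UNIX_RE)
    return {
        "placeholder_comments": _matches(strings, PLACEHOLDER_RE),
        "windows_commands": win,
        "unix_commands": nix,
        "mixed_os": bool(win) and bool(nix),
    }


def indicators(strings):
    """List the LLM-generation indicators present, in a fixed order for reporting."""
    report = triage(strings)
    found = []
    if report["placeholder_comments"]:
        found.append("placeholder_comments")
    if report["mixed_os"]:
        found.append("mixed_os_commands")
    return found


if __name__ == "__main__":
    print(indicators(SAMPLE_STRINGS))
```

These hits are a triage signal for an analyst, not a verdict: legitimate cross-platform tools also reference both command families, so the result should be weighed together with the other observations in the report.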
