Executive Summary:
- The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month
- FunkSec operators appear to use AI-assisted malware development, which can enable even inexperienced actors to quickly produce and refine advanced tools
- The group’s activities straddle the line between hacktivism and cybercrime, complicating efforts to understand their true motivations
- Many of the group’s leaked datasets are recycled from previous hacktivism campaigns, raising doubts about the authenticity of their disclosures and the actual success of their operations
- Current methods of assessing ransomware group threats often rely on the actors’ own claims, highlighting the need for more objective evaluation techniques
Check Point Research (CPR) has been analyzing this emerging group, which claims to heavily target the United States. Here’s what organizations need to know:
The FunkSec ransomware group first emerged publicly in late 2024, and rapidly gained prominence by publishing over 85 claimed victims—more than any other ransomware group in the month of December. Presenting itself as a new Ransomware-as-a-Service (RaaS) operation, FunkSec favors double extortion tactics, combining data theft with encryption to pressure victims into paying ransoms. FunkSec appears to have no known connections to previously identified ransomware gangs, and little information is currently available about its origins or operations.
CPR’s analysis indicates that the high number of published victims may mask a more modest reality, both in terms of actual victims as well as the group’s level of expertise. Most of FunkSec’s core operations are likely conducted by inexperienced actors, with the support of AI. In addition, it is difficult to verify the authenticity of the leaked information as the group’s primary goal appears to be to gain visibility and recognition. Evidence suggests that in some instances, the leaked information was recycled from previous hacktivist-related leaks, raising questions about its authenticity.
Additionally, FunkSec has ties to hacktivist activity, with members operating in Algeria. This hhighlights the increasingly blurred line between hacktivism and cybercrime, emphasizing the challenges in distinguishing one from the other. Whether such a distinction genuinely exists—or whether the operators are even aware of or concerned with defining it—remains uncertain. More importantly, it also calls into question the reliability of current methods for assessing the risk posed by ransomware groups, especially when those assessments rely on the public claims of the actors themselves.
Closer analysis of FunkSec’s activities and DarkWeb discussions offers some tantalizing hints about the group, namely that their motivations seem to straddle the line between hacktivism and cybercrime. Interestingly, some members linked to FunkSec previously engaged in hacktivist activities, adding a complex layer to their operations and raising questions about their true objectives. This blend of tactics and backgrounds made FunkSec a particularly intriguing case for deeper investigation.
Figure 1 – Distribution of FunkSec claimed victims by country according to DLS
The good news: Check Point Harmony Endpoint are protected from FunkSec’s efforts. Harmony Endpoint provides comprehensive endpoint protection at the highest security level, crucial to avoid security breaches and data compromise and protects against this threat.
For the full CPR report on FunkSec, visit here.