This newly emerged ransomware group has analysts concerned. It appeared in late 2024 and, by the end of the year, had racked up 85 victims.
The code of its FunkLocker ransomware appears to be at least partially, and possibly largely, AI-generated. Analysts following the group noted an unusual amount of commenting in the code.
Here, we’re taking a deeper look at FunkSec and its RaaS protégé FunkLocker.
The Emergence of FunkSec Group and FunkLocker
FunkSec appeared publicly in late 2024 and quickly gained traction as a prolific emerging group, claiming more victims than any other ransomware operation in December, with over 80 listed. Beyond offering Ransomware-as-a-Service tooling, FunkSec has a few notable quirks, the most striking being that a good amount of the code for its FunkLocker ransomware appears to be AI-generated.
The group seems to be comprised of low-skilled bad actors who use data from other cybercriminals’ campaigns to build their reputations and generate attention.
FunkSec Information and FunkLocker TTPs
Since the FunkSec group became public, security analysts have reviewed much of the group’s activities and have noted the following:
Motivation:
The group appears to be motivated by a blend of hacktivism and financial gain.
Tooling:
Alongside the ransomware itself, the group's RaaS offering includes DDoS tooling and other offers more typically associated with hacktivist activity. These include:
- JQRAXY – An HVNC server and client written in C++, advertised as fully undetectable, used for remote desktop management, data interaction, and automation.
- Funkgenerate – Password lists
- FDDOS – A Python Scorpion DDoS Tool that is made to perform Distributed Denial of Service (DDoS) attacks via UDP or HTTP flood methods as a network stress-testing tool.
Security researchers note that the FunkLocker ransomware source code is written in Rust, in a file named *ransomware.rs*, although one of the payloads was written in C++. Rust-based malware typically starts out with a low antivirus detection rate.
Many security researchers noted that the code is thoroughly commented, with much of the commentary explaining the individual variables, a pattern that points to AI generation. Malware authors rarely document their own code this carefully.
Attribution:
- The VirusTotal uploads were compiled on a machine with an Arabic username, Abdellah. Researchers also found that the group has connections to Ghost Algeria.
- Members seem to speak French, which is typical for the region; experts suggest the group's members are Algerian.
Many experts describe the group as unsophisticated, or simply not very good; this is consistent with the code being AI-generated rather than written entirely by the group itself.
It has also been noted that the group uploaded part of its source code to VirusTotal, a strong sign of inexperienced, very green threat actors. From a defensive standpoint, this gives us an advantage until the group learns how to run its operation properly.
FunkLocker follows the same tactics and techniques as much other ransomware. It begins by checking whether it is running with elevated privileges using net session and/or net1 session (the command fails without administrative rights, so its exit code doubles as a privilege check). Threat hunters should search not only for net and net.exe but also for net1 and net1.exe, since net.exe hands most of its subcommands off to net1.exe.
If it is not elevated, it relaunches itself with a UAC prompt via PowerShell's Start-Process -Verb RunAs; much of the remaining activity also runs through PowerShell. Note that the %~nx0 token in the command is cmd.exe batch syntax for the running script's own file name and extension, so this line is emitted by a batch wrapper that invokes PowerShell to elevate itself.
The privilege-check and elevation commands observed:
net session
and/or net1 session
start-process wait -Verb runas -filepath '%~nx0' -ArgumentList '<arguments>'
Next, it disables system protections via PowerShell. These are typical post-exploitation commands; because they are Living off the Land (LOTL) techniques built on tooling that ships with Windows, they slip past many defenses:
Set-MpPreference -DisableRealtimeMonitoring $true
wevtutil sl Security /e:false
wevtutil sl Application /e:false
Set-ExecutionPolicy Bypass -Scope Process -Force
vssadmin delete shadows /all /quiet
Disabling the Security and Application channels with wevtutil sl <channel> /e:false stops new events from being written to them, and analysts also report the sample deleting the underlying Security.evtx and Application.evtx files from the device. Tampering with logs does leave traces of its own: clearing the Security log records Event ID 1102, clearing other channels records Event ID 104 in the System log, and the wevtutil command line itself shows up in process-creation telemetry (Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1). If those events are forwarded to a SIEM before the log is tampered with, the activity can still be detected.
These are the commands our team observed, but they are not the only ways to achieve the same results (other built-in tools can disable Defender, stop logging, or delete shadow copies just as well), so it is critical to hunt for the underlying behavior rather than only these exact strings.
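As an added example (our own illustration, not FunkSec's code or any vendor's rule), the following Python runs the hunting logic described above over a handful of constructed process-creation events, the kind you would get from Security Event ID 4688 with command-line auditing or from Sysmon Event ID 1. The event records, host names and paths are invented for the demonstration. The patterns cover the net/net1 session privilege check, the Start-Process -Verb RunAs elevation, the Defender, event-log, execution-policy and shadow-copy commands listed above, and the VMware tasklist enumeration mentioned later in this post. It also scores hosts by how many distinct techniques fire on them, because a lone wevtutil call is noise while six of these in a row on one host is not; the threshold of three is an assumed tuning value.

```python
import re

# Constructed sample events (illustrative only, not captured from an infection).
# Fields mimic what a parsed Security 4688 / Sysmon Event ID 1 record provides.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "net1 session"},
    {"host": "ws01", "cmdline": 'cmd.exe /c powershell -Command "Start-Process -Wait -Verb RunAs '
                                "-FilePath 'locker.bat' -ArgumentList '--run'\""},
    {"host": "ws01", "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws01", "cmdline": "wevtutil sl Security /e:false"},
    {"host": "ws01", "cmdline": "wevtutil.exe sl Application /e:false"},
    {"host": "ws01", "cmdline": "powershell -ep Bypass -Command Set-ExecutionPolicy Bypass -Scope Process -Force"},
    {"host": "ws01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": '"tasklist" /fi "imagename eq VMware "'},
    # Benign activity on another host: same binaries, different subcommands.
    {"host": "ws02", "cmdline": r"net use Z: \\fs01\share /persistent:no"},
    {"host": "ws02", "cmdline": "wevtutil qe Application /c:5 /f:text"},
    {"host": "ws02", "cmdline": "vssadmin list shadows"},
]

# One rule per technique; all case-insensitive because PowerShell and the
# Windows shell are, and the sample's casing varies from run to run.
RULES = {
    # net.exe or net1.exe followed by the "session" subcommand
    "priv_check_net_session": re.compile(r'(?:^|[\s\\"])net1?(?:\.exe)?\s+session\b', re.I),
    # UAC self-elevation through Start-Process -Verb RunAs
    "uac_elevation_runas": re.compile(r"start-process\b.*-verb\s+runas\b", re.I),
    # Defender real-time protection switched off
    "defender_rtp_disable": re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(?:\$true|1)\b", re.I),
    # Any event log channel disabled (sl = set-log, /e:false = disable)
    "eventlog_channel_disable": re.compile(r"wevtutil(?:\.exe)?\s+sl\s+\S+.*/e:\s*false", re.I),
    # Script execution policy relaxed for the process
    "execpolicy_bypass": re.compile(r"set-executionpolicy\s+bypass\b", re.I),
    # Volume shadow copies destroyed before encryption
    "shadow_copy_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    # Process enumeration filtered on VMware, as seen in the samples
    "vm_process_enum": re.compile(r'"?tasklist"?(?:\.exe)?\s+/fi\s+"?imagename\s+eq\s+vmware', re.I),
}


def match_event(event):
    """Return the sorted names of every rule whose pattern matches the command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(event["cmdline"]))


def hunt(events):
    """Return (host, rule, cmdline) for every event that triggers at least one rule."""
    hits = []
    for ev in events:
        for rule in match_event(ev):
            hits.append((ev["host"], rule, ev["cmdline"]))
    return hits


def score_hosts(events, min_techniques=3):
    """Collapse hits per host and keep hosts on which at least `min_techniques`
    distinct rules fired. Several techniques from this chain on one host is
    a far stronger signal than any single command line."""
    per_host = {}
    for host, rule, _ in hunt(events):
        per_host.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_techniques}


if __name__ == "__main__":
    for host, rule, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host:5} {rule:26} {cmd}")
    print("hosts to triage:", score_hosts(SAMPLE_EVENTS))
```

Run as-is it prints eight hits, all on ws01, and flags only that host for triage; ws02's net use, wevtutil qe and vssadmin list are left alone because the rules key on the subcommand, not the binary name. In production the same regexes belong in your SIEM's query language rather than in a script, and the per-host aggregation should be bounded by a time window rather than by a single batch.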
FunkSec Interesting Features
One of the more interesting features we noted is traffic to Imgur infrastructure, which makes detection rules challenging. You could block that traffic outright, but doing so breaks image loading on many legitimate sites, since Imgur is a popular image host. A better approach is to measure how much normal traffic your network sends to these specific hosts and block them only if it is negligible:
- i.imgur[.]com
- ipv4.imgur.map.fastly[.]net
We also noted that in some samples, bare IP addresses (hxxp://176.113.115[.]19/ScreenUpdateSync.exe) were serving executables. There may be multiple droppers, but the shape of the URL is what matters: an executable fetched directly from a bare IP address, with no domain name involved, is a strong signal on its own. A regex for that pattern will catch similar URLs regardless of the specific address.
This pattern is likely to remain significant.
Another interesting aspect is the IP-checker domain. Every sample we examined used the same one, ip-api[.]com, even though there are roughly 200 IP-checker sites in total; ip-api[.]com is one of the more popular and is used by many.
This domain makes an excellent in-house detection rule. The MISP Project publishes a list of IP-checker domains that you can import into a SIEM to build detection rules covering all of them. Even if you decide to block them, keep the detection rule: a blocked lookup from an endpoint is still a signal worth investigating.
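As an added example (ours, not code from the FunkSec samples or from any product), the Python below turns the two network observations above into checks you can run over proxy or DNS logs: a regex that flags any URL whose host is a bare IPv4 address and whose path ends in .exe, plus a host watchlist for the two Imgur hosts and ip-api[.]com listed above. It generalizes the bare-IP pattern slightly beyond the one URL in the post by allowing an optional port and query string. The proxy log lines are constructed for the demonstration: the 176.113.115[.]19 URL is the one quoted above, 203.0.113.7 is a documentation-range address, and the client names are invented.

```python
import re
from urllib.parse import urlsplit

# Hosts named in the post, with the label a rule should raise for each.
# Matching is exact or on a subdomain of the listed host.
WATCHED_HOSTS = {
    "i.imgur.com": "imgur_cdn",
    "ipv4.imgur.map.fastly.net": "imgur_cdn",
    "ip-api.com": "ip_check_service",
}

# A URL whose host is a bare dotted-quad IPv4 address (each octet 0-255) and
# whose path ends in .exe, with an optional port and optional query/fragment.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
BARE_IP_EXE = re.compile(
    r"^https?://(?P<ip>" + OCTET + r"(?:\." + OCTET + r"){3})(?::\d{1,5})?"
    r"(?P<path>/[^\s?#]*\.exe)(?:[?#]|$)",
    re.IGNORECASE,
)


def refang(ioc):
    """Turn a defanged indicator (hxxp://, [.]) back into a real URL so it can be matched."""
    out = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)


def classify_url(url):
    """Return the sorted labels that apply to one URL; an empty list means nothing fired."""
    labels = set()
    if BARE_IP_EXE.match(url):
        labels.add("bare_ip_exe")
    host = (urlsplit(url).hostname or "").lower()
    for watched, label in WATCHED_HOSTS.items():
        if host == watched or host.endswith("." + watched):
            labels.add(label)
    return sorted(labels)


# Constructed proxy log, one request per line: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2025-01-10T10:01:02Z ws01 GET http://176.113.115.19/ScreenUpdateSync.exe 200
2025-01-10T10:01:05Z ws01 GET http://ip-api.com/json/ 200
2025-01-10T10:01:09Z ws01 GET https://i.imgur.com/a1b2c3.png 200
2025-01-10T10:02:00Z ws02 GET https://www.example.com/downloads/setup.exe 200
2025-01-10T10:02:30Z ws02 GET http://10.0.0.5:8080/intranet/index.html 200
2025-01-10T10:03:11Z ws03 GET http://203.0.113.7:8080/update.exe?v=2 200
"""


def scan_proxy_log(text):
    """Return (client, url, labels) for every log line that raises at least one label."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than guess
        client, url = parts[1], parts[3]
        labels = classify_url(url)
        if labels:
            findings.append((client, url, labels))
    return findings


if __name__ == "__main__":
    print(refang("hxxp://176.113.115[.]19/ScreenUpdateSync.exe"))
    for client, url, labels in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client:5} {','.join(labels):18} {url}")
```

On the sample log this flags four of the six requests: the two bare-IP executable downloads, the ip-api.com lookup and the Imgur fetch, while the setup.exe from a named domain and the internal HTML page pass. Before deploying the bare-IP rule, check whether your own software deployment tooling pulls executables from RFC 1918 addresses; if it does, exempt those ranges explicitly rather than weakening the pattern.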
Another thing to watch for in the samples is the tasklist call used to enumerate the processes to terminate. For example, the one we saw ("tasklist" /fi "imagename eq VMware ") looks for VMware processes as the first step toward terminating them; tasklist itself only lists matching processes, so the actual kill has to follow in a separate step.
FunkSec Targets
The group claims to focus on US targets, citing US support of Israel. In a recent post, the group said that the United States' "first-class" support of Israel weakens the Middle East, and that it would therefore target the US government sector and the US economy, along with companies that export to or produce for the government.
FunkSec has attacked mostly US-based targets, but there were also some in France, Italy, Brazil, Spain, Mongolia, and India.
FunkSec FunkLocker Ransomware
The FunkSec group has drawn the attention of the security community mainly because of its use of AI in its malware, but its rapid rise to notoriety and the number of attacks claimed in such a short span are also notable. The group currently seems to rely on old data leaks and appears very green, but the samples indicate plans to grow. We're hopeful that law enforcement will take note of the weaknesses in the group's operation and pick them up quickly.