FunkSec
FunkSec is a ransomware group/RaaS operation that emerged in late 2024 and was first identified in early 2025. Reporting describes it as a financially motivated but visibility-driven actor that briefly became one of the most prolific ransomware groups worldwide, with 172 claimed victims according to Ransomware.live and over 85 claimed victims in December 2024 alone. It reportedly ceased activity in March 2025, although later reporting also referenced a resurfacing with a new strain called FunkLocker. The group is also described as operating as a closed group rather than a public RaaS platform.

FunkSec uses double extortion, combining data exfiltration with file encryption, and is notable for unusually low ransom demands, sometimes as low as $10,000. Its malware has been described as a Rust-based encryptor using ChaCha20; reporting states it disables Windows Defender and event logging, deletes Volume Shadow Copies, checks for administrative privileges, terminates a hardcoded list of processes and services, renames encrypted files with a .funksec extension, and drops a ransom note directing payment of 0.1 BTC via Session. Additional tooling attributed to the group includes FDDOS, JQRAXY_HVNC, and funkgenerate, and reporting also mentions a data auction site called FunkBID and a forum site called FunkForum.

A consistent theme across sources is FunkSec's use of AI/LLM-assisted tooling. Multiple reports state that much of its tooling was AI-generated or refined with LLMs, including Rust-based ransomware, AI-created phishing templates, and use of WormGPT. Researchers described the group as one of the few ransomware actors explicitly using LLMs in tooling, and as an example of how AI is lowering the barrier for less technically proficient actors. The group has been described as having limited technical proficiency and poor operational security despite high activity. Reporting notes signs of inexperienced operators, LLM-generated code comments, and OpSec failures.
One detailed analysis linked core personas to Algeria, including Scorpion (also called DesertStorm) and El_Farado, and said the group attempted to affiliate with Ghost Algéria and Cyb3r Fl00d. That same reporting said FunkSec's operations blurred hacktivism and financial cybercrime, including occasional alignment with "Free Palestine" messaging, but still assessed the attacks as financially motivated.

Victimology reporting indicates the majority of targeted entities were in the United States, India, and Brazil, with technology, government, and education among the top sectors. Universities were specifically cited as facing persistent ransomware campaigns from FunkSec alongside Cl0p and INC. Comparitech reported 12 FunkSec claims involving government agencies in the first half of 2025, with only one confirmed. The group was also cited as active against small to mid-sized organizations. Reporting also links the persona Sentap/Zestix to FunkSec: multiple researchers reportedly tied Sentap to FunkSec, and separate reporting described Zestix, also known as Sentap, as an initial access broker and data extortionist linked to the group.
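The encryptor behaviours described above (shadow-copy deletion, Defender and event-log tampering, renaming files to .funksec) are the observable trail a defender can hunt for. The following is an added example, not code from the page or from any vendor, that runs simple indicator matching over constructed endpoint telemetry; the key/value log format, the host names and the exact command syntaxes are assumptions, not values from FunkSec reporting.

```python
# Added detection example: flag hosts showing several of the behaviours the
# reporting attributes to the FunkSec encryptor. Log lines, field names and
# command-line patterns are constructed assumptions, not real telemetry.
import re
from collections import Counter

# indicator -> (event type, regex over the command line or file path)
INDICATORS = {
    "shadow_copy_deletion": ("process",
        re.compile(r"vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete", re.I)),
    "defender_tampering": ("process",
        re.compile(r"Set-MpPreference.*-Disable", re.I)),
    "eventlog_tampering": ("process",
        re.compile(r"wevtutil\s+(cl|sl)\b|Clear-EventLog", re.I)),
    "funksec_extension": ("file",
        re.compile(r"\.funksec$", re.I)),
}

def parse_line(line):
    """Parse 'key=value' pairs; values may be double-quoted (assumed format)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(event):
    """Return the set of indicator names a single event matches."""
    etype = event.get("type")
    target = event.get("cmd", "") if etype == "process" else event.get("path", "")
    return {name for name, (t, rx) in INDICATORS.items()
            if etype == t and rx.search(target)}

def score_host(lines):
    """Count distinct indicators per host; hosts with no hits are omitted."""
    per_host = {}
    for line in lines:
        ev = parse_line(line)
        for hit in classify(ev):
            per_host.setdefault(ev.get("host", "?"), Counter())[hit] += 1
    return per_host

def hosts_to_alert(lines, min_distinct=2):
    """Alert when one host shows at least min_distinct different behaviours."""
    return sorted(h for h, c in score_host(lines).items() if len(c) >= min_distinct)

# Constructed sample telemetry (not real logs).
SAMPLE = [
    'host=WS01 type=process cmd="vssadmin.exe delete shadows /all /quiet"',
    'host=WS01 type=process cmd="powershell Set-MpPreference -DisableRealtimeMonitoring $true"',
    'host=WS01 type=file path="C:\\Users\\a\\Documents\\q3.xlsx.funksec"',
    'host=WS02 type=file path="C:\\Users\\b\\README.txt"',
    'host=WS02 type=process cmd="notepad.exe C:\\Users\\b\\notes.txt"',
]
```

Requiring two or more distinct behaviours on the same host keeps a lone legitimate admin action (such as a scheduled shadow-copy cleanup) from paging anyone.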
Tradecraft
2 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Conducting persistent ransomware campaigns targeting the higher education sector.
Prolific financially motivated ransomware threat affecting schools and universities globally during the reporting period.
Cybercriminal ransomware group noted for rapidly scaling operations despite limited technical proficiency, reportedly using AI-generated attack tooling.
Referenced as integrating AI-powered phishing template generation and LLM-backed tooling into affiliate service offerings.