FunkSec
FunkSec is a ransomware family and the associated closed extortion group, first identified in late 2024 and active into early 2025. Reporting describes it as a double-extortion operation rather than a public RaaS platform; the group claimed 172 victims and then went inactive, with no new victims posted after March 18, 2025. Victims were concentrated in the United States, India, and Brazil, with technology, government, and education among the most targeted sectors; other reporting characterizes its targeting as focused on small- to mid-sized organizations.
The malware is written in Rust and uses the orion-rs library (version 0.17.7), with ChaCha20 and Poly1305, for file encryption. It encrypts files in 128-byte blocks and adds 48 bytes of metadata to each encrypted block, which is where the reported file-size increase of about 37% comes from (48/128 = 0.375); it appends the .funksec extension, and the distinctive metadata padding is also cited as an identifier. Reporting also attributes intermittent encryption and code obfuscation to FunkSec, with claims that these features helped it bypass traditional security controls.
Multiple sources state there are signs the ransomware encryptor and related tooling were developed or refined with AI/LLM assistance. Researchers and industry reporting describe FunkSec as an example of AI-assisted malware linked to relatively inexperienced operators, citing unusually polished documentation and code, AI-generated phishing templates, and rapid development with minimal technical effort. One source states the group openly used LLMs in its tooling and developed a malicious chatbot referred to as “WormGPT,” but attribution of that specific capability is less consistently corroborated across the available sources.
Researchers assessed the operators may have been inexperienced actors seeking visibility and recognition. Separate reporting notes the group reposted or uploaded leaked datasets associated with previous hacktivist campaigns, and FunkSec’s name also appears in reporting about recycled victim claims by other fake or deceptive ransomware brands.
A free decryptor for FunkSec was released by Gen Digital/Avast through the No More Ransom project after researchers concluded the ransomware was effectively dead. Reporting advises victims to identify affected files via the .funksec extension or the metadata characteristics and to back up encrypted files before attempting recovery.
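As an added example (not code from any of the cited reporting, the decryptor, or the malware itself), a read-only triage helper that applies the block arithmetic above: given the reported 128-byte-block, 48-byte-metadata layout, an encrypted file of E bytes can only arise from a plaintext of E - 48k bytes with k = ceil(E/176), so a file's size either fits the scheme or it does not. The field names, the 176-byte sample file and the 177-byte decoy are constructed for the demo.

```python
#!/usr/bin/env python3
"""Triage helper for the FunkSec file layout described above (example code,
not from any reporting or from the malware). Assumes the reported scheme:
plaintext in 128-byte blocks, 48 bytes of metadata per block, so P plaintext
bytes become P + 48 * ceil(P / 128) bytes. Nothing here decrypts anything."""
import tempfile
from pathlib import Path

BLOCK = 128      # plaintext bytes per block (from reporting)
OVERHEAD = 48    # metadata bytes added per block (from reporting)
EXT = ".funksec"


def encrypted_size(plain_size: int) -> int:
    """Expected encrypted size for a plaintext of plain_size bytes."""
    blocks = -(-plain_size // BLOCK)            # ceil division
    return plain_size + blocks * OVERHEAD


def overhead_ratio(plain_size: int) -> float:
    """Growth factor; 0.375 for whole blocks, which is the ~37% cited."""
    return (encrypted_size(plain_size) - plain_size) / plain_size


def infer_plain_size(enc_size: int):
    """Invert encrypted_size, or None if enc_size cannot come from the scheme.
    With k blocks the encrypted size lies in (176k-128, 176k], so k = ceil(E/176)."""
    if enc_size <= 0:
        return None
    blocks = -(-enc_size // (BLOCK + OVERHEAD))
    plain = enc_size - blocks * OVERHEAD
    return plain if plain > 0 and encrypted_size(plain) == enc_size else None


def classify(name: str, size: int) -> dict:
    """Candidate only when the extension AND the size both fit; either alone is weak."""
    plain = infer_plain_size(size)
    has_ext = name.endswith(EXT)
    return {"name": name, "size": size, "has_ext": has_ext,
            "size_consistent": plain is not None,
            "candidate": has_ext and plain is not None,
            "inferred_plain_size": plain}


def scan(root: str) -> list:
    """Walk root and classify every regular file (read-only; back up before recovery)."""
    return [classify(p.name, p.stat().st_size)
            for p in Path(root).rglob("*") if p.is_file()]


if __name__ == "__main__":
    # Constructed demo: a 176-byte file (one full block) and a 177-byte decoy.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "report.docx" + EXT).write_bytes(b"\0" * 176)
        Path(d, "notes.txt" + EXT).write_bytes(b"\0" * 177)
        for row in scan(d):
            print(row)
```

A size that fits the scheme is a weak signal on its own (roughly one in 176 arbitrary sizes passes), so treat it as corroboration for the extension and metadata checks, not as proof.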
Recent activity
16 sources tracked across advisories, community write-ups, and news.
Ransomware strain (emerged late 2024) for which a free public decryptor was released after the group went dormant (per summary).
Ransomware family (late 2024) using double extortion (data theft + encryption) and described as AI-assisted.
Ransomware group/family mentioned as another source from which a scam/impersonator allegedly copied victim listings.
Referenced as an example of prior AI-generated malware linked to inexperienced threat actors; no functional details provided in the content.