At least this is what one cybersecurity firm suspects of a new ransomware group emerging in Dec 2024…
A ransomware group that first emerged late last year has rapidly gained prominence by publishing over 85 claimed victims, more than any other ransomware group targeting the USA in the month of December.
Presenting itself as a new Ransomware-as-a-Service (RaaS) operation, the group calls itself FunkSec, favors double extortion tactics, and appears to have no known connections to previously identified ransomware gangs.
While little information is currently available about its origins or operations, one cybersecurity team’s analysis indicates that the high number of published victims may yet mask a more modest reality, both in terms of actual victims as well as the group’s level of expertise.
Most of the ransomware group’s core operations are likely conducted by inexperienced actors, with the support of AI. For example, code comments within their ransomware are written in perfect English, contrasting with the basic English used on the group’s other platforms. Furthermore, FunkSec has released an AI chatbot to support its operations, indicating a reliance on AI technologies to bolster their capabilities.
What makes the group tick?
The group’s activities also include offering tools commonly associated with hacktivist activities, such as services for distributed denial-of-service attacks, remote desktop management, and password generation.
Moreover, it is difficult to verify the authenticity of the leaked information, as the group’s primary goal appears to be to gain visibility and recognition. According to Check Point Research (CPR) analysts, evidence suggests that in some instances the leaked information had been recycled from previous hacktivist-related leaks, raising questions about its authenticity.
Finally, FunkSec has ties to hacktivist activity, with members operating in Algeria. This highlights the increasingly blurred line between hacktivism and cybercrime, emphasizing the challenges in distinguishing one from the other.
Whether such a distinction genuinely exists, or whether the operators are even concerned with defining it, remains uncertain. More importantly, the reliability of current methods to assess risk posed by ransomware groups (especially when those assessments rely on the public claims of the actors themselves) has to be called into question, said CPR experts.
As for the origins of the group’s chosen moniker, one clue is that some of its members had previously engaged in hacktivist activities. One speculation is that FunkSec is a portmanteau of Funk (denoting an intentionally dynamic or unconventional approach within the cybercrime landscape) and Sec (security).