Skip to content
Ransomware group

FunkSec

FunkSec is a Rust-based ransomware family and associated extortion group that emerged in late 2024 and was first publicly observed around December 2024 to early 2025.

Profile source: Mallory opens in a new tab

FunkSec

Family profile

FunkSec is a Rust-based ransomware family and associated extortion group that emerged in late 2024 and was first publicly observed around December 2024 to early 2025. Reporting describes it as a closed operation rather than a public RaaS platform, although the group also advertised or provided additional offensive tooling, including homegrown DDoS tools, and has been described as openly using LLMs in parts of its tooling and phishing workflow. Multiple sources characterize the operators as relatively inexperienced and assess that the ransomware or related tooling shows signs of AI-assisted development or refinement.

FunkSec used double extortion tactics and maintained a leak site, with reporting variously stating it disclosed more than 85 victims, over 100 victims, and up to 172 claimed victims before going inactive. It reportedly stopped posting new victims after March 18, 2025, and researchers later considered the operation inactive or "dead." Victims were concentrated in the United States, India, and Brazil, and targeted sectors explicitly mentioned include technology, government, and education; other reporting places FunkSec among groups focusing on small- and mid-sized organizations.

The malware is written in Rust and uses the orion-rs library version 0.17.7 with ChaCha20 and Poly1305 for encryption. Reported implementation details include encryption in 128-byte blocks, addition of 48 bytes of metadata per encrypted block, and resulting encrypted files being about 37% larger than the originals. A hash-based method is used to ensure integrity of encryption parameters. Victims can identify affected files by the .funksec extension and unique metadata padding. One source also attributes intermittent encryption and sophisticated code obfuscation to FunkSec, describing these features as helping bypass traditional security controls.

The group has been repeatedly cited as an example of AI-assisted or AI-generated malware. Check Point and other researchers reported signs that the encryptor was developed with assistance from AI tools, while other commentary states the group used AI-generated phishing templates and that its Rust-based ransomware showed signs of being written or refined with LLM agents. Avast/Gen Digital released a free decryptor for FunkSec through the No More Ransom project, allowing victims to recover files without paying; administrators are advised to back up encrypted files before attempting decryption.

Ransomware.live

Operational record

View group record ↗

MITRE ATT&CK

FunkSec in ATT&CK

1 distinct techniques

Reporting

Research mentioning FunkSec

Feb 13
Cloudatg Insights

AI Development & Software Engineering | CloudATG

...decryptor for a ransomware strain called FunkSec...

Feb 10
Bank Info Security

Fake Out: 0APT Data-Leak Ransomware Group Branded a Scam

"...copied from various other ransomware groups, including mainly from RansomHub, FunkSec and the original Babuk gang..."

Jan 21
Dark Reading

Complex VoidLink Linux Malware Created by AI

“While other AI-generated malware exists, it's typically been linked to inexperienced threat actors, as in the case of FunkSec…”

Jan 20
Checkpoint Research

VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun - Check Point Research

"...solid evidence of AI-generated malware has primarily been linked to inexperienced threat actors, as in the case of FunkSec..."

Dec 31
Cyberthrone

New Ransomware Emerged in 2025 – Threat Intel Report

Groups such as FunkSec, Lyrix, BERT, and GLOBAL GROUP experimented with AI branding, sector targeting, and hybrid hacktivist narratives.

Oct 23
Recorded Future

Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals

Among these groups were RebornVC, Babuk 2.0, Bjorka Spirit (Ransomware), GD LockerSec, FunkSec, Dispossessor, and Rabbit Hole.

Sep 3
Register Security

It looks like you’re ransoming data. Would you like some help?

He pointed to FunkSec ransomware as an example. "Their tools, including Rust-based ransomware, show signs of having been written or refined with LLM agents..."

Aug 22
Flashpoint

New Ransomware-as-a-Service (RaaS) Groups to Watch in 2025

Funksec is one of the few groups openly using LLMs in their tooling. The group uses AI-generated phishing templates, and developed the malicious chatbot dubbed “WormGPT.”

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.