
FunkLocker: Emerging AI-Assisted Ransomware

Amber | Attack Report

Summary

First identified in December 2024, FunkLocker ransomware is an AI-assisted threat developed by the FunkSec Group, operating under a Ransomware-as-a-Service (RaaS) model. Targeting Windows systems, the group has struck across multiple industries including government, defense, finance, and higher education, with victims reported in the United States, India, Spain, Mongolia, Italy, Brazil, and Israel.

FunkLocker encrypts files locally using RSA-2048 and AES-256 encryption, appending the “.funksec” extension to compromised data. Unlike many ransomware families, FunkLocker operates without command-and-control communication, relying solely on local encryption and demanding low ransoms (around 0.1 Bitcoin) to encourage fast payments. The FunkSec Group’s blend of cybercrime and hacktivism underscores the shift toward AI-enabled ransomware that prioritizes speed, stealth, and scalability.

Attack Details

FunkSec Group designed FunkLocker to execute attacks directly on victim machines without network dependencies. Once deployed, the ransomware terminates critical processes, disables antivirus and security tools, and prevents system recovery by misusing legitimate Windows utilities such as taskkill.exe, sc.exe, and PowerShell. This allows the ransomware’s activities to blend seamlessly with normal system operations.

After neutralizing defenses, FunkLocker encrypts all accessible files, appending the “.funksec” extension. Its offline encryption model makes detection through traditional network-based monitoring tools nearly impossible.

Researchers have determined that FunkLocker’s codebase is partially generated using artificial intelligence, enabling rapid creation of new variants but also introducing weaknesses such as hardcoded encryption keys and reused cryptocurrency wallets. These flaws have allowed some free decryption tools to emerge, though many organizations remain vulnerable.

To date, over 120 organizations have been impacted. The campaign shows an opportunistic pattern—targeting both public and private sectors—demonstrating how AI-driven malware automation is accelerating the pace and unpredictability of ransomware operations.

Recommendations

  • Preventive Security Controls: Deploy application whitelisting to block unauthorized executables, especially Windows utilities abused by FunkLocker (PowerShell, taskkill.exe, sc.exe). Keep endpoints patched and secured with advanced EDR and NGAV solutions.

  • Network Segmentation & Access Control: Restrict administrative privileges and enforce least-privilege policies to prevent lateral movement.

  • Strong Access Management: Limit access to critical systems and sensitive files. Ensure privileged accounts are protected by MFA.

  • Regular Data Backups: Conduct frequent, offline backups of essential systems. Test restoration processes regularly to ensure operational resilience in the event of ransomware infection.

  • Proactive Monitoring: Hunt for indicators such as system service termination, PowerShell misuse, or attempts to disable security software.
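The monitoring recommendation above can be turned into a first-pass hunt over endpoint process-creation and file events. The Python below is an added example written for this advisory, not Hive Force Labs' tooling; the event field names, the ExampleAVService/exampleav.exe names and the file paths are constructed assumptions.

```python
import re

# Hunting rules for the tradecraft this advisory names: service termination via sc.exe and
# taskkill.exe, security tooling disabled, PowerShell misuse, and the ".funksec" extension.
# Each rule: (ATT&CK technique listed in the advisory, label, image regex, command-line regex).
PROCESS_RULES = [
    ("T1489",     "service stopped or deleted via sc.exe", r"\\sc\.exe$",         r"\b(stop|delete)\b"),
    ("T1562.001", "service start disabled via sc.exe",    r"\\sc\.exe$",         r"\bconfig\b.*\bstart=\s*disabled\b"),
    ("T1489",     "forced process kill via taskkill.exe", r"\\taskkill\.exe$",   r"(^|\s)/f(\s|$)"),
    ("T1059.001", "hidden or encoded PowerShell",         r"\\powershell\.exe$", r"-(enc|encodedcommand|nop|noprofile)\b|-w(indowstyle)?\s+hidden\b"),
]

def match_process(image, cmdline):
    """Return (technique, label) pairs whose rules match one process-creation event."""
    return [(tid, label) for tid, label, img_re, cmd_re in PROCESS_RULES
            if re.search(img_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]

def is_funksec_file(path):
    """T1486: the advisory reports '.funksec' appended to encrypted files."""
    return path.lower().endswith(".funksec")

def hunt(events):
    """Walk mixed process/file events and return (event index, technique, label) findings."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            findings += [(i, tid, label) for tid, label in match_process(ev["image"], ev["cmdline"])]
        elif ev["type"] == "file" and is_funksec_file(ev["path"]):
            findings.append((i, "T1486", "file renamed with .funksec extension"))
    return findings

# Constructed sample telemetry in Sysmon Event ID 1 / Security 4688 style. These are
# illustrative events, not captured FunkLocker activity; service and file names are invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe stop ExampleAVService"},
    {"type": "process", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe config ExampleAVService start= disabled"},
    {"type": "process", "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill.exe /F /IM exampleav.exe"},
    {"type": "process", "image": PS, "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"type": "process", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe query ExampleAVService"},  # benign
    {"type": "process", "image": PS, "cmdline": "powershell.exe Get-Process"},  # benign
    {"type": "file", "path": r"C:\Users\admin\Documents\report.docx.funksec"},
    {"type": "file", "path": r"C:\Users\admin\Documents\report.docx"},  # benign
]

if __name__ == "__main__":
    for idx, tid, label in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} {label}")
```

Benign sc.exe queries and ordinary PowerShell invocations produce no findings, so the rules can be tuned against normal admin activity before being promoted to alerts.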

Indicators of Compromise (IoCs)

SHA256 Hashes

  • c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c

  • e29d95bfb815be80075f0f8bef4fa690abcc461e31a7b3b73106bfcd5cd79033

File Path

  • C:\Users\admin\Desktop\README-ZasRvdSR44.md

MITRE ATT&CK TTPs

  • TA0001 Initial Access

  • TA0002 Execution: T1059, T1059.001 (PowerShell)

  • TA0003 Persistence

  • TA0005 Defense Evasion: T1036, T1036.005 (Masquerading), T1562, T1562.001 (Disable or Modify Tools)

  • TA0007 Discovery: T1007 (System Service Discovery), T1135 (Network Share Discovery)

  • TA0040 Impact: T1486 (Data Encrypted for Impact), T1489 (Service Stop), T1490 (Inhibit System Recovery), T1498 (Network Denial of Service)

  • TA0042 Resource Development: T1587 (Develop Capabilities), T1588.007 (Artificial Intelligence)
