Kaspersky Warns of AI-Powered Ransomware Group FunkSec
Photo by:   Free Pik and MBN
By Diego Valverde | Journalist & Industry Analyst - Tue, 07/22/2025 - 11:40

Kaspersky reports that the growing popularity of AI is fueling FunkSec, a ransomware group running a rapidly expanding, high-volume business model of low-cost ransoms that targets critical sectors globally.

"We increasingly see cybercriminals using AI to develop malicious tools," writes Marc Rivero, Principal Security Researcher, Kaspersky, in a press release. "Generative AI lowers the barriers and accelerates malware creation, which allows cybercriminals to adapt their tactics more quickly. By lowering the entry threshold, AI allows even less experienced attackers to develop complex malware at scale."

FunkSec has managed to surpass numerous established threat actors in less than one year of operation. Its activity has primarily concentrated on countries in the European Union and Asia, with a specific focus on the governmental, technological, financial, and educational sectors. The uniqueness of its approach is not in the ransom amounts but in the efficiency and scalability of its operations.

Kaspersky's analysis details five fundamental characteristics that define FunkSec's technical architecture and operational strategy:

1. Consolidated Technical Architecture and Controlled Functionality. Unlike many ransomware attacks that require loading multiple components or complementary scripts, FunkSec operates through a single binary executable based on the Rust programming language. This approach consolidates large-scale file encryption, aggressive data exfiltration, and self-cleaning routines into a single package. This consolidation offers its affiliates a ready-to-use tool that can be deployed with high efficiency in various environments.

One of its most distinctive technical features is a password-controlled operating mechanism. In its default mode, the malware performs a basic file encryption. However, if the attacker provides a specific password upon execution, it activates a more aggressive operating mode that adds sensitive data exfiltration before encryption, which maximizes pressure on the victim.

2. AI-Assisted Development. Analysis of the source code reveals clear signs of Generative AI use, specifically large language models (LLMs), in the development of FunkSec's tools. This conclusion is based on the observation of generic code comments and placeholders. It is also based on technical inconsistencies, such as the presence of commands designed for different operating systems that do not align coherently.

Additionally, researchers identified declared functions that are never used. This is a common byproduct of automated code synthesis where LLMs combine multiple code fragments without a subsequent debugging process to remove redundant elements.

3. A High-Volume, Low-Cost Monetization Strategy. FunkSec has adopted a business model that diverges from traditional ransomware attacks that seek multimillion-dollar ransoms. The group demands notably low sums, sometimes as little as US$10,000. This strategy is complemented by selling the exfiltrated data to third parties on underground markets at reduced prices. The goal of this high-frequency, low-cost model is to enable a large volume of attacks, which facilitates the rapid consolidation of its reputation and generates a steady revenue stream that is optimized and scaled through the use of AI.

4. Expanded Capabilities Beyond Ransomware. The FunkSec ecosystem is not limited to the ransomware binary. On its dark web leak site (DLS), the group hosts additional tools that it makes available to its affiliates. These include a Python-based password generator, designed to facilitate brute-force and password-spraying attacks, and a basic tool for executing distributed denial-of-service (DDoS) attacks. This arsenal diversification turns each intrusion into a multifaceted risk for the victim organization.

5. Advanced Evasion Techniques. To maximize the effectiveness of its attacks and hinder forensic analysis, FunkSec employs advanced evasion techniques. The malware is capable of stopping more than 50 system processes and services to ensure that target files are not in use and can be encrypted without interruption. It also incorporates a fallback mechanism that lets it execute certain commands with elevated privileges even when the user who launched the malware lacks them, guaranteeing that its critical routines run. Kaspersky products identify this threat under the signature HEUR:Trojan-Ransom.Win64.Generic.
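One defender-side heuristic for the mass process-stopping behaviour described in point 5, as an added example that is not from Kaspersky's report or the malware itself: flag any process that stops 50 or more distinct targets within one minute. The log format, process names and thresholds below are constructed assumptions, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): "<time> STOP actor=<proc> target=<proc>".
# One actor stops 55 distinct targets in under a minute; two others stop a single target.
SAMPLE_LOG = "\n".join(
    [f"2025-07-22T11:40:{i:02d} STOP actor=updater.exe target=svc{i}.exe" for i in range(55)]
    + ["2025-07-22T11:41:10 STOP actor=explorer.exe target=notepad.exe",
       "2025-07-22T11:45:00 STOP actor=installer.exe target=msiexec.exe"]
)


def parse_line(line):
    """Split one constructed log line into (timestamp, action, actor, target)."""
    ts, action, actor, target = line.split()
    return (datetime.fromisoformat(ts), action,
            actor.split("=", 1)[1], target.split("=", 1)[1])


def find_mass_terminators(log_text, threshold=50, window_seconds=60):
    """Return {actor: max_distinct_targets} for every actor that stopped at least
    `threshold` distinct processes/services inside any sliding window of
    `window_seconds`. A single actor killing dozens of services in seconds is the
    pre-encryption pattern described in the article."""
    window = timedelta(seconds=window_seconds)
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, actor, target = parse_line(line)
        if action == "STOP":
            by_actor[actor].append((ts, target))
    hits = {}
    for actor, events in by_actor.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {t for _, t in events[start:end + 1]}
            if len(distinct) >= threshold:
                hits[actor] = max(hits.get(actor, 0), len(distinct))
    return hits


if __name__ == "__main__":
    print(find_mass_terminators(SAMPLE_LOG))
```

The same sliding-window check can be pointed at Windows Service Control Manager or EDR process-termination events once `parse_line` is adapted to their fields.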

Recommendations for Corporate Defense

Facing actors like FunkSec, Kaspersky recommends that organizations reevaluate and strengthen their cybersecurity strategies, focusing on the following points:

  • Detection and Response: Implement Anti-APT and Endpoint Detection and Response (EDR) solutions for advanced threat detection, investigation, and incident remediation.

  • Data Resilience: Establish a system of offline backups that are inaccessible to attackers and ensure their rapid recovery in the event of an incident.

  • Vulnerability Management: Keep all software and operating systems updated on all corporate devices to prevent the exploitation of known vulnerabilities.

  • Endpoint Protection: Activate specific anti-ransomware protections on all endpoints. Solutions such as the Kaspersky Anti-Ransomware Tool for Business can coexist with other security tools to add a layer of defense.

  • Threat Intelligence: Use Threat Intelligence services to stay informed about the latest Tactics, Techniques, and Procedures (TTPs) used by cybercriminals.
