Current Cyber Threats

FunkSec Ransomware Victims Can Now Recover Files with Free Decryptor

Summary:
Gen Digital researcher Ladislav Zezula recently released a decryptor for FunkSec ransomware, allowing victims to recover their files for free. FunkSec initiated operations towards the end of 2024 and to date has claimed 172 victims worldwide, with technology, government, and education being the top three sectors targeted. Although FunkSec has claimed dozens of victims in a short period of time, it has not added victims to its data leak site since mid-March of this year, indicating that the group is no longer active. While it's unclear whether FunkSec will resume its activities, the release of a decryptor will make it challenging for the group to reemerge and continue operations as normal.

Security Officer Comments:
FunkSec’s encryptor is a Rust-based payload that uses the ChaCha20 and Poly1305 algorithms to lock files of interest, which are then appended with the .funksec extension. According to Zezula, FunkSec used AI to assist in the development of its encryptor. “Notably, the authors used AI to create tools and phishing templates, though they emphasize that AI contributes to only about 20% of their operations,” stated Zezula in his blog post. Ever since the release of AI tools like ChatGPT, Gemini, and Microsoft Copilot, actors have increasingly adopted these technologies to assist in their various operations, whether that entails generating tailored phishing emails or writing code for malicious payloads. Although a decryptor has been released for FunkSec’s encryptor, an updated strain could be developed in a similar fashion.

Suggested Corrections:
Victims who have been impacted by FunkSec can access the decryptor through the No More Ransom portal linked below:

https://www.nomoreransom.org/en/decryption-tools.html#FunkSec

Note: Administrators should back up affected files before attempting decryption in case of partial recovery or file corruption.
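
One way to carry out the backup step above before running the decryptor, shown as an added example that is not part of the original advisory or of the decryptor tooling. The function names, manifest file name, and directory layout are assumptions; only the .funksec extension comes from the advisory.

```python
import hashlib
import shutil
from pathlib import Path

ENCRYPTED_SUFFIX = ".funksec"  # extension named in the advisory


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_encrypted(src_root, backup_root, manifest_name="manifest.sha256"):
    """Copy every *.funksec file to backup_root, verify each copy, write a manifest."""
    src_root = Path(src_root).resolve()
    backup_root = Path(backup_root).resolve()
    if backup_root == src_root or src_root in backup_root.parents:
        # Keep copies out of the tree the decryptor will be pointed at.
        raise ValueError("backup_root must be outside src_root")
    backup_root.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sorted(src_root.rglob("*")):
        if src.is_symlink() or not src.is_file() or src.suffix.lower() != ENCRYPTED_SUFFIX:
            continue
        rel = src.relative_to(src_root)
        dst = backup_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also preserves timestamps
        digest = sha256_file(src)
        if sha256_file(dst) != digest:
            raise OSError(f"copy of {rel} does not match the original")
        entries.append((rel.as_posix(), digest))
    manifest = "".join(f"{h}  {p}\n" for p, h in entries)
    (backup_root / manifest_name).write_text(manifest, encoding="utf-8")
    return entries


def verify_backup(backup_root, manifest_name="manifest.sha256"):
    """Return manifest paths whose backup copy is missing or has changed."""
    backup_root = Path(backup_root)
    bad = []
    for line in (backup_root / manifest_name).read_text(encoding="utf-8").splitlines():
        expected, rel = line.split("  ", 1)
        target = backup_root / rel
        if not target.is_file() or sha256_file(target) != expected:
            bad.append(rel)
    return bad
```

Run `verify_backup` again after a decryption attempt to confirm the preserved encrypted copies are still intact if recovery was partial.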

Link(s):
https://www.infosecurity-magazine.com/news/funksec-ransomware-decryptor/