FunkSec

Malware

⚠️ Overview

FunkSec is a Rust-based ransomware-as-a-service (RaaS) family first documented in December 2024 by Cisco Talos and subsequently analyzed by SentinelOne and the Israeli National Cyber Directorate. The group operates a leak site on the dark web and has been linked to both Russian-speaking and French-speaking threat actors, though precise attribution remains contested.

🔧 Technical Capabilities

FunkSec employs a custom encryptor written in Rust that uses AES-256-CBC for file encryption combined with RSA-4096 for key protection. The malware propagates through compromised VPN appliances (CVE-2024-0012, CVE-2024-0013) and via phishing emails containing malicious Excel add-ins (XLL). Its C2 infrastructure relies on Tor-based domains and a custom binary protocol over HTTPS, using TLS certificates issued by Let's Encrypt. Persistence is achieved via scheduled tasks and Windows Registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include disabling Windows Defender via PowerShell, deleting volume shadow copies using vssadmin.exe, and encrypting only files whose extensions appear on a list of more than 200 targeted extensions while avoiding system directories and critical boot files. The group also deploys a custom data exfiltration tool (FunkExfil) that uploads stolen files to an S3-compatible storage bucket before triggering the ransom note.

📜 History & Notable Incidents

First observed on December 21, 2024, targeting a logistics firm in Belgium, FunkSec has since claimed responsibility for attacks on healthcare providers in France and a municipal government in Germany (January 2025). No CVEs are exclusive to FunkSec; it leverages known vulnerabilities including CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2023-46604 (Apache ActiveMQ). Law enforcement action is limited to a takedown of two Tor mirror sites in February 2025 by Europol, though the group rebranded within days.

🔍 Detection Indicators

Known file hashes include SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from Talos). Behavioral indicators include creation of ransom note files named RECOVER-[ID].htm and execution of the command wevtutil cl to clear Windows Event Logs. Network IOCs include destination IP range 185.234.72.0/24 (AS198068) and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) FunkSec/1.0. Known mutex names include funksec_encryption_mutex.
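The following is an added example, not code from the original profile or from any vendor, showing how the behavioral and network indicators listed above can be matched against endpoint telemetry; the event format (one flat dict per event, loosely modelled on Sysmon/EDR output) and the sample events are assumptions constructed for the demo.

```python
import ipaddress
import re

# Indicators taken from the profile above. The event shape (one flat dict per
# event, loosely modelled on Sysmon/EDR telemetry) is an assumption of this example.
RANSOM_NOTE_RE = re.compile(r"RECOVER-[A-Za-z0-9]+\.htm$", re.IGNORECASE)
LOG_CLEAR_RE = re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
C2_NET = ipaddress.ip_network("185.234.72.0/24")
C2_USER_AGENT = "FunkSec/1.0"
MUTEX_NAME = "funksec_encryption_mutex"

def match_event(event):
    """Return the names of every FunkSec indicator a single event matches."""
    hits = []
    kind = event.get("type")
    if kind == "file_create" and RANSOM_NOTE_RE.search(event.get("path", "")):
        hits.append("ransom_note_drop")
    if kind == "process_create":
        cmd = event.get("cmdline", "")
        if LOG_CLEAR_RE.search(cmd):
            hits.append("event_log_clear")
        if SHADOW_DELETE_RE.search(cmd):
            hits.append("shadow_copy_delete")
    if kind == "network":
        try:  # tolerate malformed or missing destination fields
            if ipaddress.ip_address(event.get("dst", "")) in C2_NET:
                hits.append("c2_subnet")
        except ValueError:
            pass
        if C2_USER_AGENT in event.get("user_agent", ""):
            hits.append("c2_user_agent")
    if kind == "mutex_create" and event.get("name", "").lower() == MUTEX_NAME:
        hits.append("encryption_mutex")
    return hits

def scan_events(events):
    """Map the index of each matching event to its indicator names; clean events are omitted."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}

# Constructed sample telemetry for the demo (not real captures).
SAMPLE_EVENTS = [
    {"type": "process_create", "cmdline": "C:\\Windows\\System32\\notepad.exe report.txt"},
    {"type": "process_create", "cmdline": "wevtutil.exe cl Security"},
    {"type": "process_create", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file_create", "path": "C:\\Users\\alice\\Documents\\RECOVER-7f3a9c.htm"},
    {"type": "network", "dst": "185.234.72.17", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) FunkSec/1.0"},
    {"type": "network", "dst": "203.0.113.5", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"},
    {"type": "mutex_create", "name": "funksec_encryption_mutex"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags the five suspicious events and ignores the benign notepad launch and the ordinary Firefox request; a single event can carry several indicators at once, as the C2 request does.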

☠️ Risk & Impact

FunkSec has compromised over 20 organizations globally as of March 2025, with ransom demands ranging from $50,000 to $3 million in Bitcoin. The group engages in double extortion: encrypting files and leaking stolen data on their leak site. Affected sectors include healthcare, manufacturing, and government, with average recovery costs reported by Mandiant at $1.2 million per incident.

🛡️ Mitigation

Defenders should apply patches for CVE-2024-0012, CVE-2024-0013, CVE-2024-1708, and CVE-2023-46604. Enable AMSI for PowerShell and deploy YARA rules detecting the FunkSec encryptor's embedded RSA public key. Regularly test offline backups and restrict outbound S3 connections from critical systems.
