ThreatCure Analytical Report: Funksec Ransomware


Overview: Funksec, also known as Funklocker, is a ransomware group that emerged in late 2024. The group has targeted multiple organizations, employing sophisticated techniques to encrypt data, disrupt operations, and extort victims. Once systems are infiltrated, the ransomware encrypts files and appends a “.funksec” extension to them. Victims are presented with a ransom note demanding payment in Bitcoin, along with threats to leak stolen data if demands are unmet.

Technical Analysis:
Attack Mechanism:

  1. File Encryption: The ransomware encrypts files across the system and appends a “.funksec” extension to each, rendering the data inaccessible.
  2. Desktop Alteration: It changes the desktop background to an image fetched from a remote server, making its presence obvious to victims.
  3. Persistence: The malware creates a scheduled task labeled “funksec” to maintain access to the system.
  4. Defensive Evasion: Funksec disables Windows Defender’s real-time protection, clears system event logs, and exits if it detects a virtualized environment, so that sandboxes and analysis VMs see little or no malicious behavior.
  5. Process Termination: It stops various processes, including web browsers, office applications, and media programs, to prevent file locks and interference during encryption.

Ransom Note:

  • Named README-[randomcharacters].md, the note informs victims of:
    • Data encryption and network breach.
    • Instructions to pay 0.1 BTC to a specified wallet.
    • Warnings against file modification, involving authorities, or tracing attackers.
    • Steps for setting up a secure session via “getsession.org” and using an ID for decryptor access.
  • The attackers emphasize the unbreakability of their encryption and threaten to leak stolen data.
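The observable indicators from the Attack Mechanism and Ransom Note sections above (the “.funksec” extension, the README-[randomcharacters].md note, the “funksec” scheduled task, Defender real-time protection being disabled, and cleared event logs) can be turned into a simple host triage check. The following Python script is an added example written for this report, not ThreatCure's or any vendor's tooling; the Windows event IDs it keys on (Security 4698 for task creation, Security 1102 for a cleared audit log, Defender Operational 5001 for real-time protection disabled) are standard Windows events chosen by the example author and are not listed in the report, and the file names and event records it runs on are constructed sample data.

```python
import re
from dataclasses import dataclass

# Indicators described in the report.
RANSOM_EXT = ".funksec"                                   # appended to encrypted files
NOTE_RE = re.compile(r"^README-[A-Za-z0-9]+\.md$")        # README-[randomcharacters].md
TASK_NAME = "funksec"                                     # scheduled task label

# Standard Windows event IDs used to spot the reported behaviours (assumed mapping,
# chosen by the example author, not listed in the report):
#   Security 4698  - a scheduled task was created
#   Security 1102  - the audit log was cleared
#   Microsoft-Windows-Windows Defender/Operational 5001 - real-time protection disabled
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"


@dataclass(frozen=True)
class Finding:
    indicator: str   # short machine-readable label
    evidence: str    # the file name or event message that triggered it


def scan_filenames(paths):
    """Flag files carrying the .funksec extension and ransom notes matching the README pattern."""
    findings = []
    encrypted = [p for p in paths if p.lower().endswith(RANSOM_EXT)]
    if encrypted:
        findings.append(Finding("encrypted_files", f"{len(encrypted)} file(s) end with {RANSOM_EXT}"))
    for p in paths:
        name = re.split(r"[\\/]", p)[-1]          # basename for both Windows and POSIX paths
        if NOTE_RE.match(name):
            findings.append(Finding("ransom_note", p))
    return findings


def scan_events(events):
    """Flag the persistence and defence-evasion steps the report describes in Windows event records."""
    findings = []
    for ev in events:
        channel, event_id, msg = ev["channel"], ev["event_id"], ev.get("message", "")
        if channel == "Security" and event_id == 4698 and TASK_NAME in msg.lower():
            findings.append(Finding("persistence_task", msg))
        elif channel == "Security" and event_id == 1102:
            findings.append(Finding("log_cleared", msg))
        elif channel == DEFENDER_CHANNEL and event_id == 5001:
            findings.append(Finding("defender_realtime_disabled", msg))
    return findings


def triage(paths, events):
    """Combine both scans; encrypted files or a note mean the impact stage is already under way."""
    findings = scan_filenames(paths) + scan_events(events)
    indicators = {f.indicator for f in findings}
    if "encrypted_files" in indicators or "ransom_note" in indicators:
        severity = "high"        # encryption already observed: isolate and start recovery
    elif indicators:
        severity = "medium"      # precursor behaviour only: isolate the host and investigate
    else:
        severity = "none"
    return severity, findings


# Constructed sample input (not real telemetry) showing the full chain from the report.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.funksec",
    r"C:\Users\alice\Documents\README-k8f2Qz.md",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4698, "message": "A scheduled task was created: \\funksec"},
    {"channel": DEFENDER_CHANNEL, "event_id": 5001, "message": "Real-time protection is disabled"},
    {"channel": "Security", "event_id": 1102, "message": "The audit log was cleared"},
]

if __name__ == "__main__":
    severity, findings = triage(SAMPLE_PATHS, SAMPLE_EVENTS)
    print(f"severity: {severity}")
    for f in findings:
        print(f"  [{f.indicator}] {f.evidence}")
```

In a real deployment the path list would come from a file-system walk and the event records from a log export or SIEM query; the point of the split between `scan_filenames` and `scan_events` is that the event-based indicators (task creation, Defender tampering, log clearing) fire before encryption completes, so a “medium” result on a host is the moment to isolate it rather than wait for “.funksec” files to appear. Because the sample exits in virtual machines, detections built from sandbox behaviour alone will miss it; host telemetry from production endpoints is the more reliable source.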

Targeted Platforms:

  • Windows
  • Linux

Impact Analysis: Funksec’s activities result in the following consequences for victims:

  1. Financial Loss:
    • Organizations incur ransom payments, costs for recovery, and potential fines for data breaches.
  2. Operational Downtime:
    • Systems are rendered inoperable, disrupting business continuity.
  3. Data Theft and Breach:
    • Sensitive information is exfiltrated, increasing exposure to further attacks and legal liabilities.
  4. Data Encryption and Loss of Access:
    • Victims lose access to critical data, impacting workflows and decision-making processes.
  5. Reputational Damage:
    • Breaches erode customer trust and confidence, harming organizational reputation.

Recommendations from ThreatCure:

  1. Strengthen Endpoint Security:
    • Deploy advanced endpoint protection tools capable of detecting and mitigating ransomware activity in real-time.
  2. Implement Regular Backups:
    • Ensure frequent, secure, and offline backups of critical data to enable recovery without paying ransoms.
  3. Enhance Monitoring and Logging:
    • Utilize robust monitoring solutions to detect unusual activity and maintain logs for forensic investigations.
  4. Educate and Train Employees:
    • Conduct regular training sessions to raise awareness of phishing attacks and other ransomware entry points.
  5. Patch Management:
    • Regularly update operating systems and software to address vulnerabilities exploited by attackers.
  6. Incident Response Plan:
    • Develop and test an incident response plan to minimize downtime and damage during a ransomware attack.