
Threat Actor Interview: Spotlighting on Funksec Ransomware Group

Funksec, a double extortion ransomware group, emerged in late 2024 and quickly gained notoriety by breaching databases and selling access to 15 government websites within just a month. Claiming to be entirely self-taught and operating without collaboration from other groups, Funksec is a four-member team driven primarily by financial motives.

The group leverages AI for specific tasks, such as creating tools and phishing templates, though they emphasize that AI contributes to only about 20% of their operations. Notably, they have developed their own proprietary AI tool, WormGPT, a desktop application built entirely in-house.

To enhance their phishing campaigns, Funksec uses premium services like PhishingBox to create customized phishing templates, adding another layer of precision and sophistication to their methods.

After the interview, during some casual chit-chat, it came to light that the owner of Funksec was also behind an underground forum called DarkZone, which had been built in collaboration with GhostSec in the past.


Key Findings:

  • Origins and Expertise: Funksec is a ransomware group established in December 2024, with development starting as early as October. The group quickly rose to prominence by breaching databases and selling access to 15 government websites within a month. They claim to be self-taught, with no collaborations with other groups.
  • Advanced Ransomware Capabilities: Funksec’s ransomware is more advanced than most, using four encryption methods—RSA, AES, Orion, Chacha, and disk recycling—making it harder to counter. The ransomware disables protection mechanisms, gains administrator privileges, and spreads across networks.
  • AI Integration: Funksec leverages AI for specific tasks, including creating tools and phishing templates, though they state AI can only assist with about 20% of their operations. They developed a proprietary AI tool called WormGPT, which is a desktop application built entirely in-house.
  • Target Selection and Motivations: Funksec focuses on government and corporate targets, with specific emphasis on the USA, India, and Israel. The group’s goals are both financial and ideological, with money being the primary driver and animosity towards Israel and the USA influencing target choices.
  • Operational Tactics: Their methods include OSINT, exploiting RDP bugs, leveraging zero-day vulnerabilities like SQL injections and RCE, and brute force attacks. They also use custom tools, such as Python-built Meterpreter payloads and webshells, to maintain persistence and control.
  • Phishing and Payload Delivery: Funksec uses phishing as a primary attack vector, targeting individuals like managers with tailored messages. They also exploit RCE bugs, create anti-detection scripts, and utilize Rust-built malware to bypass advanced endpoint protection systems.
  • Double Tactics for Pressure: Funksec employs a three-pronged “double tactics” approach to ensure compliance. They first contact the victim directly, and if ignored, publish stolen data or let the news spread it. If that fails, they deface websites to apply further pressure.
  • Strategic Data Handling: Funksec categorizes stolen data as “Ransom,” “Classified Sell,” or “Controlled,” deciding its fate based on its value. If the ransom isn’t paid, the group sells the data at a low price or leaks it publicly.
  • Custom Tools and Expertise: The group develops custom tools and exploits, using platforms like Searchsploit, Mimikatz, Cobalt Strike, Burp Suite Pro, and Nmap, alongside personalized software tailored to their specific needs.
  • Future Plans and RaaS Platform: Funksec is expanding its Ransomware-as-a-Service (RaaS) model with plans to launch a new platform. They aim to stay ahead of researchers by hiding their core ransomware, keeping it out of public and investigative reach, while continuing to breach companies and governments worldwide.

The Interview

Below we present the questions and answers, lightly edited for readability.

Question: Welcome to the Osint10x interview, Funksec! As this is our first engagement, can you please tell us about yourself and your work?

Funksec: We are a ransomware group established in December 2024, utilizing advanced techniques to achieve our goals. Initially, we focused on breaching databases, and later, we developed our own advanced ransomware. Within just one month, we also sold access to 15 government websites.

We are committed to continuously improving our ransomware. As of today, we have updated it to version 1.2, incorporating new techniques such as bypassing and disabling security measures before the ransomware executes its functions.


Question: What are your current goals and objectives? Are you aiming to position yourself as a valuable RaaS partner, or are you focused on operating independently?

Funksec: We’re a ransomware group that started in December 2024 and have quickly made a name for ourselves as one of the best. We use zero-day exploits, web shells, and brute force attacks, along with advanced techniques like phishing and RDP attacks. Our ransomware was actually created in October, and we’ve been developing it ever since with the help of a friend from Brazil.

We also exploit AI bugs when needed to get what we want. The group is made up of experienced members, and our main targets are Israel, India, and the USA. Our goals are simple: make money and create noise in the world.

Right now, we’re focused on making our Ransomware-as-a-Service (RaaS) even better, and we’re launching a new platform next month. Our real ransomware is carefully hidden from researchers because they’re always on the hunt to find and stop groups like ours. We’ve also run some of the best phishing campaigns under our name, “Funksec,” and made $100K just this month.

We’ve breached over 200 government and corporate websites. Some of these are already public on our site, and others we’re keeping for surprises. People say we’re using AI to build ransomware and carry out hacks, but that’s impossible—just try asking AI to make ransomware, and you’ll see what I mean.

We’re going to keep hitting companies and governments around the world. This is just the beginning.


Question: Who are the current members of Funksec group?

Funksec: I am Scorpion (a Russian); the others are el farado, sentap, MRZ.


Question: Did the FunkSec ransomware group originate from the dissolution or reorganization of other groups? If so, which ones?

Funksec: We didn’t build from other groups; we met each other on social media. One of our members was previously an admin in GhostSec, while the rest of our group has no prior affiliations with any other groups.


Question: Are you motivated politically, economically, or is there another ideology driving your actions? What is the main message you want to convey through your activities?

Funksec: The money. The cash is my goal. I am against Israel, and I have put 10 million records of their data up for sale, along with 2 million records from Iran. Additionally, I hold a deep dislike for the USA. The world is easy and we are the hard.


Question: How is FunkSec different from other RaaS groups?

Funksec: We sell data and provide access, along with offering a data sorting service. If someone wants to upload their exfiltrated data on our site, the door is always open.

The ransomware disables protection mechanisms and replicates itself multiple times on the infected device. Once it gains administrator privileges, it spreads across the network by exploiting shared resources or vulnerabilities in connected devices. Unlike most ransomware that uses two encryption methods, ours employs four, making it more advanced and harder to counter. Our encryption methods are RSA, AES, Orion, Chacha, and disk recycling methods to ensure everything is encrypted.

Building the malware executable is the most challenging part because, contrary to what many believe, you can create ransomware with AI. If that were possible, everyone would already have their own ransomware. It requires intelligence and expertise, especially in languages like Rust (the language of the Funksec ransomware), which is easier than C++, but still demands proper learning.

I’m a high-level developer, but my focus is more on hacking. We have a developer in our group who works with us to build the ransomware. We rely on custom tools alongside premium ones like Shodan Premium and Burp Pro. Additionally, we use advanced custom brute force tools to enhance our operations.


Question: Can you share some of your TTPs you have used to attack organizations in the past?

Funksec: We use a combination of OSINT methods and advanced enumeration techniques to gather detailed information about our targets. Our approach includes exploiting RDP bugs and unsecured files, conducting brute force attacks, and leveraging zero-day exploits like high-level SQL injections and RCE vulnerabilities. We deploy custom webshells for persistent access and rely on advanced phishing techniques that focus on strategy rather than pre-made tools. Additionally, we discover and exploit private, undisclosed bugs and utilize reverse engineering methods to analyze systems and uncover new opportunities for attack.

Some targets included companies such as ribernuez.com and seocommarrakech.com. All government breaches were executed using zero-day exploits, while approximately half of the other attacks involved a mix of these techniques.

I use Gophish and PyPhisher templates, but now I’m focusing on brute force attacks to target webmails. If I decide to use templates again, I’ll create custom ones with AI, tailored specifically to the target.

I use the premium features of PhishingBox to create custom phishing templates whenever needed.

I can create a payload to steal your data without encrypting it or extract your Chrome passwords and upload them to a server. We create our own tools and set our goals.

We use a custom Meterpreter developed in Python, payloads to gain full control of the system, and custom webshells—all of these are built entirely by us.


Question: We noticed that you have specifically listed the USA and Indian governments as targets on your site. Why have you chosen to focus on these two in particular?

Funksec: Because the USA, as you know, is “cold war to survive,” and India supports Israel, like pigs.


Question: What is the typical process you use to infiltrate systems?

Funksec: We use RCE and RDP bugs, like issues in remote desktop tools such as AnyDesk or open IPs. Phishing campaigns target managers, focusing on things that attract them and grab their attention.


Question: Do you develop your ransomware in-house, or do you collaborate with other cybercriminal groups?

Funksec: For sure, we developed it on our own, with just three of us involved and no collaboration with any other groups.


Question: What common trends have you observed in compromised enterprise infrastructures?

Funksec: They leave traces behind, such as open web portals or unsecured files. Additionally, vulnerabilities in website scripts or CVE bugs can have a significant impact and are often exploited.

Admin portal and script bugs, inexperienced workers.


Question: You’ve classified data as “Ransom,” “Classified Sell,” or “Controlled.” How do you decide the categorization of stolen data?

Funksec: We use double tactics: hack, ransom, and sell. If it brings in money, that’s good; if not, the data will be leaked.


Question: How does AI contribute to your operations, and do you plan to integrate it further into your future operations?

Funksec: AI is legal, but it’s not designed for smarter use cases. However, AI has bugs that can be exploited—it’s a powerful tool in the right hands. This is the future, and while they created it for themselves, we exploit it too, not just them.

We’ve developed our own AI, called WormGPT. This WormGPT isn’t the same as the one found in Miniapps; it’s entirely different. We built it ourselves and are careful to keep it hidden. Unlike a web app, our WormGPT is a desktop application.

I definitely need help, and AI can assist with about 20% of the work. It can provide methods, techniques, and support in creating tools. I come up with the ideas, and AI helps implement them. That’s the difference between a developer and a coder. I’m the developer, and AI acts as the coder.

Also, the style of my AI is not like ChatGPT’s; it doesn’t have answer limits. If you were to ask ChatGPT, “Can you create a program that works as root, changes the background, and encrypts data?” you already know what its response would be.


Question: How do you decide your government targets?

Funksec: Anything with a .gov domain, I spy on it. There are 20 more government sites that will be made public soon.


Question: If targeting a company like “ABC Corporation” to extract sensitive data without triggering their advanced intrusion detection systems, how would you deliver a custom payload—such as Python-written Meterpreter payloads or a custom web shell—to bypass email filters and endpoint protection? Once the web shell is deployed, what methods would you use to maintain persistence and evade detection? How would you upload stolen credentials and files, like browser passwords and sensitive data, to your server without alerting network monitoring tools? Lastly, how would you craft a ransom note to maximize compliance while avoiding direct self-implication?

Funksec: Let’s say you work at a company, and I manage to break into the admin’s webmail through OSINT and exploiting vulnerabilities. You then receive an email from the admin or your boss saying, “Hello, I’ve downloaded a new app to organize files easily. We’ll be using it from now on, so please test it… ‘file.exe’.”

As a worker, you’d most likely trust the message, open the file, and grant it admin permissions if prompted—because it’s a message from your boss. Once you run the file, you suddenly notice your background changes, your data is encrypted, and your files are uploaded to another server.

This process requires a well-crafted, anti-detection script, which depends on the programming language used. How would you feel after realizing this all happened from a seemingly harmless email?
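The delivery scenario described in this answer (a message from a compromised admin or boss mailbox carrying a "file.exe" the recipient is asked to run) is one of the easiest for a mail gateway to stop, because the lure depends on an executable attachment reaching the inbox. The following Python is an added defender-side example written for this article; it is not Funksec tooling or code from the original interview. It builds three constructed messages with the standard library's `email` package, then applies two checks a gateway or mailbox scanner would run: a denylist of executable file extensions, and a content sniff for the `MZ` header of a Windows PE file so that an executable renamed to "organizer.pdf" is still caught. The sender and recipient addresses, the attachment names and the extension list are assumptions chosen for the example.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Assumed denylist of attachment extensions that should never reach a user inbox.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".vbs", ".msi", ".hta", ".ps1",
}


def attachment_findings(raw: bytes) -> list[str]:
    """Return a list of policy violations found in the attachments of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # splitext keeps only the last extension, so "report.pdf.exe" is still ".exe"
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment extension: {name}")
        payload = part.get_payload(decode=True) or b""
        # A Windows PE file starts with the "MZ" DOS header regardless of its file name.
        if payload[:2] == b"MZ":
            findings.append(f"PE executable content in attachment: {name}")
    return findings


def _base_message() -> EmailMessage:
    # Constructed lure modelled on the interview's scenario: internal sender, "please test this app".
    msg = EmailMessage()
    msg["From"] = "admin@example-corp.test"      # assumed internal address
    msg["To"] = "worker@example-corp.test"       # assumed recipient
    msg["Subject"] = "New file organizer - please test"
    msg.set_content(
        "Hello, I've downloaded a new app to organize files easily. "
        "We'll be using it from now on, so please test it."
    )
    return msg


def build_phish_sample() -> bytes:
    """Constructed message: executable attached under its real name."""
    msg = _base_message()
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60          # constructed stand-in for a PE header
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="file.exe")
    return msg.as_bytes()


def build_renamed_sample() -> bytes:
    """Constructed message: the same executable renamed to look like a PDF."""
    msg = _base_message()
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="pdf", filename="organizer.pdf")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed message: a genuine PDF attachment, which should pass."""
    msg = _base_message()
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, build in (("phish", build_phish_sample),
                         ("renamed", build_renamed_sample),
                         ("benign", build_benign_sample)):
        print(label, attachment_findings(build()) or "clean")
```

The extension check alone would miss the renamed sample, and the content sniff alone would miss script-based droppers such as `.js` or `.hta` that have no PE header, which is why a gateway applies both; the same message can also be flagged because an internal "From" arrives from an external submitting host, but that needs the gateway's own authentication results and is outside this example.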


Question: How would you deliver a malicious payload to bypass advanced endpoint protection systems?

Funksec: This requires either phishing or exploiting RCE bugs. First, conduct an OSINT scan to gather information, then analyze the results and exploit any vulnerabilities you find. Techniques like using malware written in Rust can easily bypass security systems since it’s a newer programming language. Payloads and malware built with Rust are particularly effective for such tasks.


Question: How would you exploit vulnerabilities or misconfigurations to gain initial access without using phishing? How would you escalate privileges after gaining user-level access?

Funksec: Searchsploit, Mimikatz, Cobalt Strike, Burp Suite Pro, Nmap, etc.

This can be done through phishing, such as sending a phishing message to an admin user who has their “username and password” saved on their desktop. Alternatively, custom tools can be used to achieve the same result.


Question: How would you move laterally to high-value systems without triggering monitoring tools?

Funksec: Before launching an attack, it’s important to map the target thoroughly. Tools like BloodHound can be used for this purpose. Additionally, deploying anti-detection payloads and tools is essential. To bypass network WAFs, you can lower connection threads to avoid triggering alerts while maintaining stealth.
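The evasion mentioned here, lowering connection threads so that a WAF's per-minute rate rule never fires, is exactly the gap a detection engineer should close with a second rule that looks at a longer window. The Python below is an added example for this article, not code from Funksec or from the interview: it parses constructed web access log lines in the common Apache/nginx layout, runs a naive per-minute rate rule that a slow probe slips under, and then runs a one-hour sliding-window rule that alerts when a single source touches many distinct paths with a high share of client-error responses. The IP addresses, paths, window size and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common access-log layout: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def per_minute_alerts(events, max_per_minute=60):
    """Naive rate rule: a source exceeds max_per_minute requests within one minute."""
    buckets = defaultdict(int)
    for e in events:
        buckets[(e["ip"], e["ts"].replace(second=0, microsecond=0))] += 1
    return sorted({ip for (ip, _), n in buckets.items() if n > max_per_minute})


def slow_probe_alerts(events, window=timedelta(hours=1),
                      min_distinct=20, min_error_ratio=0.5):
    """Long-window rule: within `window`, a source hits >= min_distinct distinct paths
    and at least min_error_ratio of those requests return a 4xx status."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start so that span covers at most `window` of time
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {e["path"] for e in span}
            errors = sum(1 for e in span if 400 <= e["status"] < 500)
            if len(distinct) >= min_distinct and errors / len(span) >= min_error_ratio:
                alerts.append(ip)
                break
    return sorted(alerts)


def build_sample_log():
    """Constructed log: one probing source at 2 requests/minute, one ordinary user."""
    base = datetime(2025, 1, 10, 13, 0, 0, tzinfo=timezone.utc)
    lines = []
    # constructed: 40 guessed admin paths, one every 30 seconds, all 404 (assumed IP)
    for i in range(40):
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{ts}] "GET /admin/page{i}.php HTTP/1.1" 404 153')
    # constructed: ordinary browsing from an internal address (assumed IP)
    for i, path in enumerate(["/index.html", "/about.html", "/index.html"]):
        ts = (base + timedelta(minutes=5 * i)).strftime(TS_FMT)
        lines.append(f'10.0.0.7 - - [{ts}] "GET {path} HTTP/1.1" 200 5120')
    return lines


def run_detectors(lines):
    """Return (per-minute alerts, slow-probe alerts) for a list of log lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return per_minute_alerts(events), slow_probe_alerts(events)


if __name__ == "__main__":
    fast, slow = run_detectors(build_sample_log())
    print("per-minute rule:", fast or "no alerts")
    print("slow-probe rule:", slow or "no alerts")
```

The probing source never exceeds two requests in any minute, so the rate rule stays silent, while the sliding-window rule fires once it has seen twenty distinct paths that mostly 404; the same structure works for authentication failures or for LDAP queries from a host that is enumerating a directory, with the path field swapped for the queried object.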


Question: What strategies would you use to apply public pressure on a victim delaying payment?

Funksec: I use three double tactics. The first is direct contact with the target. If they don’t respond, I upload the information to our site and let the news spread it, which usually forces them to reach out. Alternatively, I deface their website, as seen with ribernuez.com.

We hack, encrypt, and extract data, then blackmail the admin. If that doesn’t work, we post the ransom on our site, sell the data at a low price, or breach further. These are the steps we follow when targeting companies.


Disclaimer

This interview is provided for informational purposes only and does not express approval, support or agreement with any actions mentioned in the text. The author of the publication is not related to the activities described in the interview and is not responsible for any consequences of using the information provided.

The interview materials are intended to raise public awareness of modern cyber threats and the methods of cybercriminal groups. The publication of this text does not constitute propaganda of illegal activity and does not encourage violation of laws.

Readers are advised to always observe legal regulations and consult with the appropriate authorities if they have questions about the topics covered in this interview.

