A new ransomware group, named FunkSec, is the latest example of relatively inexperienced cybercriminals using AI to develop weaponized malware. The group claims that over 85 organizations fell victim to its ransomware attacks in December alone, potentially surpassing every other ransomware group in terms of victim numbers.
According to Check Point Research: “FunkSec operators appear to use AI-assisted malware development which can enable even inexperienced actors to quickly produce and refine advanced tools… Presenting itself as a new Ransomware-as-a-Service (RaaS) operation, FunkSec appears to have no known connections to previously identified ransomware gangs.”
FunkSec’s relatively amateur status among ransomware gangs is evidenced by the fact that the group is reportedly demanding comparatively low ransoms, sometimes as little as $10,000. This contrasts with better-established ransomware groups, which were recently reported to be demanding an average ransom of $2.5 million from US law firms.
Hard-to-detect AI-powered ransomware
But the group’s relative inexperience appears to be no barrier to producing hard-to-detect AI-powered ransomware. FunkSec recently began to offer rapidly evolving ransomware. With each new version, frequently published only days apart, the group’s website is updated to highlight the added features. In the announcement for the latest version, the operators boasted of its low detection rate, sharing a screenshot that showed it was detected by only three antivirus engines at the time of publication.
FunkSec’s activities have so far also straddled the line between political hacktivism and cybercrime, complicating efforts to understand the gang’s primary motivation. FunkSec first appeared in a YouTube video posted via the channel “Scorpion” (@scorpioncybersec) in October 2024. The video claimed that FunkSec had leaked a call between then-US presidential candidate Donald Trump and Israeli Prime Minister Benjamin Netanyahu. The recording was, however, swiftly identified as an AI-generated deepfake.
“In late 2024, FunkSec emerged without warning and quickly dominated ransomware victim feeds and monitors, seemingly under the guise of hacktivism. By targeting India and the US, and aligning with the ‘Free Palestine’ movement, the group leveraged multiple personas and aliases to craft its image and gain visibility,” says Check Point.
“This case highlights the increasingly blurred line between hacktivism and cybercrime, emphasizing the challenges in distinguishing one from the other,” adds Check Point.
But it now appears that AI is enabling even relatively inexperienced and amateurish cybercriminals to develop state-of-the-art malware. The real significance of the emergence of AI-powered groups such as FunkSec in 2025 is that ransomware-as-a-service (RaaS) just got a lot smarter.