Free Decryptor Released for AI-Assisted FunkSec Ransomware


Cybersecurity researchers have successfully developed and released a free decryption tool for the FunkSec ransomware, a malicious strain that leveraged artificial intelligence capabilities to enhance its operations.

The ransomware campaign, which targeted 113 victims between December 2024 and March 2025, has been declared defunct, prompting security firm Avast to make its decryptor publicly available.

FunkSec represented a concerning evolution in ransomware development, incorporating AI assistance for approximately 20 percent of its operations, particularly in creating sophisticated phishing templates and attack tools.


The malware first appeared on underground leak sites in early December 2024, initially focusing on data exfiltration before expanding to include file encryption capabilities by the end of the month.

Gen Digital analysts identified the ransomware as particularly notable for its implementation flaws, with many samples failing to execute properly.

The malware attempted to download desktop wallpaper images from external Imgur links, a dependency that often caused operational failures.

Despite these technical shortcomings, the ransomware managed to compromise over a hundred organizations across its four-month active period.

Technical Implementation and Encryption Mechanism

The FunkSec ransomware demonstrates sophisticated cryptographic implementation despite its operational instabilities.

Developed in the Rust programming language, the malware uses version 0.17.7 of the orion-rs library for its encryption operations, employing the ChaCha20 cipher combined with the Poly1305 message authentication code for data integrity verification.

The encryption process operates on 128-byte blocks, with each encrypted block receiving an additional 48 bytes of metadata, resulting in encrypted files becoming approximately 37 percent larger than their original size.

This block-based approach encrypts files at a granular level while maintaining cryptographic integrity through hash-based verification of encryption keys, nonces, and block lengths.

Upon execution, FunkSec systematically terminates numerous processes and services, including browsers, media players, and system utilities, before encrypting files across all local drives.

Ransom note (Source – Gen Digital)

The malware appends the distinctive “.funksec” extension to encrypted files and drops ransom notes named “README-{random}.md” in each affected directory, establishing clear indicators of compromise for incident response teams.
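The following triage script is an added example, not code from the article, Avast or Gen Digital. It walks a directory tree for the two indicators named above (the ".funksec" extension and "README-{random}.md" notes) and uses the 128-byte block plus 48-byte metadata figures to estimate each file's original size for recovery planning. The function names, the note-name pattern and the treatment of a short final block are assumptions, and the sample tree is constructed.

```python
import os
import re
import tempfile

PLAIN_BLOCK = 128   # plaintext bytes per block (from the article)
BLOCK_META = 48     # metadata bytes added to each encrypted block (from the article)
ENC_BLOCK = PLAIN_BLOCK + BLOCK_META
# The article names the note README-{random}.md without describing {random},
# so any non-empty token is accepted here (assumption).
NOTE_RE = re.compile(r"^README-.+\.md$", re.IGNORECASE)

def estimate_original_size(enc_size):
    """Estimate plaintext size; assumes a short final block also carries 48 bytes."""
    full, rest = divmod(enc_size, ENC_BLOCK)
    return full * PLAIN_BLOCK + max(rest - BLOCK_META, 0)

def scan(root):
    """Return {directory: {"encrypted": [(name, size, est)], "notes": [name]}}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"encrypted": [], "notes": []}
        for name in sorted(files):
            if name.lower().endswith(".funksec"):
                size = os.path.getsize(os.path.join(dirpath, name))
                entry["encrypted"].append((name, size, estimate_original_size(size)))
            elif NOTE_RE.match(name):
                entry["notes"].append(name)
        # README-*.md alone is common in benign trees, so only directories
        # holding at least one .funksec file are reported.
        if entry["encrypted"]:
            hits[os.path.relpath(dirpath, root)] = entry
    return hits

def build_sample_tree(root):
    """Constructed sample data: zero-filled files sized like the 128+48 layout."""
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "finance", "q1.xlsx.funksec"), "wb") as f:
        f.write(b"\0" * (3 * ENC_BLOCK + BLOCK_META + 20))  # 3 full blocks + 20-byte tail
    open(os.path.join(root, "finance", "README-a1b2c3.md"), "w").close()
    open(os.path.join(root, "docs", "README-setup.md"), "w").close()  # benign look-alike

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, entry in scan(tmp).items():
            print(directory, entry)
```

Comparing the estimated sizes against backup catalogues or free disk space helps confirm which files were hit before a decryptor is run on copies of them.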

Avast Decryptor (Source – Gen Digital)

The successful development of Avast’s free decryptor marks a significant victory against this AI-enhanced threat, providing affected organizations with a pathway to recover their encrypted data without paying ransom demands.
