Free Decryptor Released for AI-Powered FunkSec Ransomware
Researchers at Avast have unveiled a free decryptor tool for victims of the FunkSec ransomware, marking a significant step in combating this now-defunct malware strain.
Developed in collaboration with law-enforcement agencies, the decryptor enables affected users to recover encrypted files without paying ransoms.
With the ransomware operation deemed inactive, Avast has made the tool publicly available, targeting the 113 documented victims listed on the gang’s leak site.
Overview of the Ransomware Threat
The timeline of FunkSec’s activities reveals a progression from data exfiltration and extortion starting on December 4, 2024, to the upload of initial source code on VirusTotal by December 15, 2024, and the first known ransomware sample appearing on December 31, 2024.
Operations peaked with the latest victim reported on March 15, 2025, after which the group ceased activity.
Notably, FunkSec incorporated artificial intelligence in about 20% of its operations, leveraging AI to generate tools and phishing templates, which underscores the evolving role of machine learning in cyber threats.
However, many ransomware samples were flawed and non-functional, often relying on external images from Imgur such as hxxps://i.imgur.com/HCYQoVR.jpeg and hxxps://i.imgur.com/mlUvWYT.jpeg to set desktop wallpapers post-infection, highlighting amateurish elements in its design.
Technical Analysis
FunkSec ransomware, written in Rust, uses the orion-rs cryptographic library (version 0.17.7) for its encryption routines: the ChaCha20 stream cipher combined with the Poly1305 message authentication code (MAC), which authenticates the encrypted data, including keys, nonces, block lengths, and the ciphertext itself.
Files are processed in 128-byte blocks, with 48 bytes of metadata appended to each block, resulting in encrypted files that are approximately 37% larger than their originals.
According to the report, the malware systematically scans local drives by letter, encrypting files while skipping specific extensions like .exe, .dll, .pdf, and others including .mp3, .xlsx, and .zip to avoid disrupting system functionality or its own persistence.
Prior to encryption, it terminates critical processes such as chrome.exe, outlook.exe, and taskmgr.exe, along with services like spooler, bits, and WinDefend, to evade detection and interference.
Infected files receive a “.funksec” extension, and a ransom note named “README-{random}.md” is placed in each affected folder, providing recovery instructions.
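The file-layout details above (128-byte blocks, 48 bytes of metadata per block, the ".funksec" extension and the "README-{random}.md" note) are enough for a responder to triage a share before running the decryptor. The following is an added example, not code from Avast or from the report; it assumes, which the report does not state, that a trailing partial block is written as same-length ChaCha20 keystream output with the same 48-byte overhead:

```python
import os
import re
from pathlib import Path
from typing import Optional

# Per-block layout reported for FunkSec: 128 plaintext bytes plus 48 bytes of
# ChaCha20-Poly1305 metadata (nonce, tag, length fields) per block.
BLOCK_PLAINTEXT = 128
BLOCK_OVERHEAD = 48
BLOCK_TOTAL = BLOCK_PLAINTEXT + BLOCK_OVERHEAD  # 176 bytes on disk per full block
ENCRYPTED_EXT = ".funksec"
NOTE_PATTERN = re.compile(r"^README-.+\.md$")


def original_size(encrypted_size: int) -> Optional[int]:
    """Recover the pre-encryption size of a .funksec file from its on-disk size.

    Assumption (not stated in the report): a trailing partial block carries the
    same 48-byte overhead and, ChaCha20 being a stream cipher, no padding.
    With n blocks the encrypted size is orig + 48*n and 128*(n-1) < orig <= 128*n,
    so n = ceil(size / 176); sizes with size % 176 in 1..48 cannot occur.
    Returns None when the size does not fit the layout (not a FunkSec file,
    truncated, or a sample with a different format).
    """
    if encrypted_size <= 0:
        return None
    blocks = -(-encrypted_size // BLOCK_TOTAL)  # ceiling division
    orig = encrypted_size - blocks * BLOCK_OVERHEAD
    if orig <= BLOCK_PLAINTEXT * (blocks - 1) or orig > BLOCK_PLAINTEXT * blocks:
        return None
    return orig


def triage_directory(root: str) -> dict:
    """Walk a tree and summarise FunkSec indicators: encrypted files (with their
    estimated original size), ransom notes, and encrypted files whose size does
    not fit the 128+48 block layout and therefore deserve a closer look."""
    summary = {"encrypted": [], "notes": [], "size_mismatch": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if NOTE_PATTERN.match(name):
                summary["notes"].append(str(path))
            elif name.endswith(ENCRYPTED_EXT):
                est = original_size(path.stat().st_size)
                summary["encrypted"].append((str(path), est))
                if est is None:
                    summary["size_mismatch"].append(str(path))
    return summary
```

A 1,280-byte document becomes 1,760 bytes on disk (ten full blocks), which is the 37.5% expansion the report rounds to 37%.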

Avast’s decryptor, available as a 64-bit executable (with a 32-bit variant for legacy systems), operates via a wizard interface that requires administrative privileges.
Users begin by selecting the target locations (all local drives by default, but customizable to specific directories), followed by an option to back up encrypted files before decryption, which is recommended to mitigate the risk of data loss.
The process then proceeds to restore files, leveraging the decryptor’s understanding of FunkSec’s cryptographic flaws to reverse the ChaCha20-Poly1305 encryption without needing the attackers’ keys.
This release not only empowers victims but also highlights the importance of robust cryptographic analysis in ransomware mitigation, as FunkSec’s reliance on open-source libraries like orion-rs exposed vulnerabilities that enabled the decryptor’s creation.
Indicators of compromise (IOCs)
| IOC Type | SHA-256 Hash |
|---|---|
| Ransomware Sample | c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c |
| Initial Source Code | 7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603 |