The End of FunkSec: Free Decryptor Released for Ransomware Victims After AI-Assisted Group Goes Dormant
In late 2024, a new ransomware strain named FunkSec emerged on the cybercrime scene. It quickly drew attention due to its aggressive tactics and unconventional implementation. Within a short span, dozens of organizations across the United States, India, and Brazil fell victim—spanning sectors such as technology, government administration, and education. What set this ransomware apart was its construction in the Rust programming language and its apparent use of artificial intelligence tools during development.
However, the activity of the group claiming responsibility—alleging 172 victims—proved to be short-lived. According to data from FunkSec’s data leak site, the last post referencing a new victim was dated March 18, 2025—over five months ago—indicating that the group has effectively ceased operations.
What makes the conclusion of the FunkSec saga all the more remarkable is its unexpectedly benign ending: victims can now regain access to their encrypted data entirely free of charge. According to Gen Digital researcher Ladislav Jezula, after the group’s disappearance, security experts decided to publicly release a decryption tool that had originally been developed for the company’s internal clients. The utility is now available through the No More Ransom platform, which helps ransomware victims recover their files without succumbing to ransom demands.
Experts at Check Point believe that FunkSec was orchestrated by low-skilled actors who sought notoriety and public attention more than actual financial gain. Supporting this assessment is the group’s penchant for publishing stolen data in a fashion reminiscent of past hacktivist campaigns, as well as technical analysis of the malware itself—revealing the fingerprints of AI-assisted development.
FunkSec was coded in Rust—a language increasingly favored by modern malware authors for its high performance and ability to evade traditional antivirus signatures. For encryption, it employed the orion-rs library (version 0.17.7), utilizing the ChaCha20 and Poly1305 algorithms. Each file was segmented into 128-byte blocks, with 48 bytes of metadata appended to each block, resulting in an overall file size increase of approximately 37%. This method ensured robust encryption while maintaining the integrity of essential parameters such as keys, nonces, and block sizes.
Gen Digital has not disclosed the precise method by which the decryption tool was developed. It remains unclear whether a flaw in the cryptographic implementation was uncovered or whether the keys were obtained through alternative means. However, users are advised to confirm that their files were indeed encrypted by FunkSec—hallmarks of infection include the “.funksec” extension and the presence of distinctive metadata blocks.
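The two preceding paragraphs give a defender everything needed for a first triage pass before running any decryptor: the ".funksec" extension and a file layout of 128-byte plaintext blocks each followed by 48 bytes of metadata (48/128 = 0.375, the "approximately 37%" growth). The script below is an added example, not Gen Digital's, Check Point's, or the No More Ransom tool's code. It walks a directory, flags files carrying the extension, checks whether each file's size can actually be produced by that block layout, and estimates the original size. Two things are assumptions, not facts from the article: that a short final block still carries its 48 bytes of metadata, and that the 48 bytes can be treated as opaque (the article does not describe their structure). A size that does not fit the layout is a useful signal, because the article notes the decryptor may fail on files that were altered beyond the encryption step.

```python
"""Triage for suspected FunkSec-encrypted files (added example, not the vendors' tooling).
Uses only what the article states: 128-byte plaintext blocks, 48 bytes of metadata per
block, and the ".funksec" extension. Sample files below are constructed, not real samples."""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

BLOCK_PLAINTEXT = 128                          # plaintext bytes per block (from the article)
BLOCK_METADATA = 48                            # metadata bytes per block; layout unpublished, treated as opaque
BLOCK_TOTAL = BLOCK_PLAINTEXT + BLOCK_METADATA  # 176 bytes on disk per full block
EXTENSION = ".funksec"                         # extension reported as a hallmark of infection
OVERHEAD = BLOCK_METADATA / BLOCK_PLAINTEXT    # 0.375, i.e. the "approximately 37%" growth


def encrypted_size(plain_size: int) -> int:
    """Size the scheme produces for plain_size bytes of input.
    Assumption: a short final block still carries its 48 bytes of metadata."""
    full, rem = divmod(plain_size, BLOCK_PLAINTEXT)
    blocks = full + (1 if rem else 0)
    return plain_size + blocks * BLOCK_METADATA


def plaintext_size(enc_size: int) -> Optional[int]:
    """Invert encrypted_size(); returns None when enc_size cannot arise from the layout."""
    full, rem = divmod(enc_size, BLOCK_TOTAL)
    if rem == 0:
        return full * BLOCK_PLAINTEXT
    if rem <= BLOCK_METADATA:
        # a trailing fragment must be 48 bytes of metadata plus at least one data byte
        return None
    return full * BLOCK_PLAINTEXT + (rem - BLOCK_METADATA)


@dataclass
class Finding:
    path: str
    size: int
    layout_consistent: bool
    estimated_plaintext: Optional[int]


def triage(root: str) -> list:
    """Walk root, flag files with the FunkSec extension, and check each size against the
    block layout. Inconsistent sizes point at files altered beyond the encryption step."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(EXTENSION):
                continue
            path = Path(dirpath) / name
            size = path.stat().st_size
            est = plaintext_size(size)
            findings.append(Finding(str(path), size, est is not None, est))
    return sorted(findings, key=lambda f: f.path)


def run_demo() -> dict:
    """Build a constructed sample tree in a temp directory, triage it, return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "report.docx.funksec": encrypted_size(1000),  # 7 full blocks + 104-byte tail -> 1384 bytes
            "db.sqlite.funksec": encrypted_size(4096),     # 32 full blocks -> 5632 bytes
            "truncated.pdf.funksec": 200,                  # 176 + 24: tail shorter than metadata, inconsistent
            "notes.txt": 300,                              # no extension; ignored by the filter
        }
        for name, size in samples.items():
            (Path(tmp) / name).write_bytes(b"\0" * size)
        findings = triage(tmp)
        return {
            "flagged": [Path(f.path).name for f in findings],
            "consistent": {Path(f.path).name: f.layout_consistent for f in findings},
            "estimated": {Path(f.path).name: f.estimated_plaintext for f in findings},
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run `triage("/path/to/backup-copy")` against a copy of the affected tree, not the originals, in line with the backup advice that follows; files reported as `layout_consistent=False` are the ones to set aside and examine by hand before trusting any automated recovery.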
Before deploying the decryption tool, experts recommend backing up all encrypted files. This precaution is crucial in the event that the decryption process corrupts data or fails to complete properly. While the tool is intended for broad use, it does not guarantee full recovery—particularly in cases where infections involved additional file alterations.
The FunkSec story serves as a vivid illustration that even relatively unskilled attackers can inflict considerable damage when they blend trending technologies with bold rhetoric. Yet it is often this very inexperience—and the craving for infamy—that becomes their Achilles’ heel, leaving digital footprints that eventually lead to the development of countermeasures, and in some cases, even their apprehension.