A new ransomware variant, known as FunkLocker, has emerged, utilizing artificial intelligence (AI) to accelerate its development. This malware exploits legitimate Windows utilities to disable security defenses and disrupt system operations. Attributed to a group called FunkSec, FunkLocker exemplifies a growing trend where cybercriminals leverage AI to construct malware with varying degrees of effectiveness.
AI-Driven Development and Inconsistencies
FunkLocker’s development appears to follow an Ask AI → Paste snippet model, resulting in code that is often inconsistent. While some versions of the ransomware are barely functional, others incorporate advanced features like anti-virtual machine checks. This AI-assisted approach allows for rapid creation but sacrifices the stability and sophistication seen in malware from more established groups.
Disabling System Defenses
Upon execution, FunkLocker aggressively terminates a predefined list of processes and services. It uses standard Windows command-line tools like `taskkill.exe` to stop applications and `sc.exe` to halt services. This brute-force method often generates numerous errors as it attempts to stop non-existent or protected services, but it ultimately succeeds in crippling system defenses and applications.
The list of targeted services includes security tools like Windows Defender and Windows Firewall, as well as essential system components like the Shell Experience Host, which causes the victim’s screen to go black.
Systematic Dismantling of Security Measures
FunkLocker heavily abuses PowerShell to systematically dismantle security measures. It runs a series of commands to disable real-time monitoring in Windows Defender, clear security and application event logs using `wevtutil`, and bypass the PowerShell execution policy to allow unrestricted script execution.
To prevent system recovery, the ransomware uses the Volume Shadow Service Administrator tool (`vssadmin.exe`) to delete all shadow volume copies. This action removes the victim’s ability to restore their system from local backups, a common technique used by ransomware to increase pressure on the victim.
Encryption Process and Ransom Note
The encryption process is performed entirely locally, meaning FunkLocker does not communicate with a command-and-control (C2) server to retrieve encryption keys. Files are encrypted and appended with the `.funksec` extension. A ransom note is then dropped onto the desktop. However, because the malware often terminates the Shell Experience Host service, victims may be unable to view the note without rebooting the compromised system.
Operational Security Flaws and Decryptor Availability
Despite its disruptive capabilities, FunkLocker exhibits signs of poor operational security. Researchers have observed the reuse of Bitcoin wallet addresses across different victims, and analysis suggests that encryption keys are either hardcoded into the malware or derived locally on the victim’s machine. These vulnerabilities have allowed security researchers at Avast Labs to develop and release a public decryptor, offering a recovery path for victims.
Global Impact and Targeted Sectors
Since its emergence in late 2024, the FunkSec group has been linked to attacks on more than 120 organizations worldwide. The group maintains a data leak site where it publicizes stolen information. Targets span various sectors, including government, defense, technology, and finance, with a significant number of victims located in the United States, as well as reported incidents in India, Spain, and Mongolia.
Indicators of Compromise (IOCs)
– File Hash (SHA256): c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c
– File Hash (SHA256): e29d…
