Analysis: AI-powered Ransomware from APT Group

Oct. 2, 2025, 8:15 a.m.

Description

FunkLocker, a ransomware strain developed by the FunkSec APT group, showcases the growing trend of AI-assisted malware creation. The ransomware exhibits inconsistent quality across multiple builds, with some versions incorporating advanced features like anti-VM checks. It aggressively disrupts system processes, abuses legitimate Windows utilities, and encrypts files locally without contacting a command-and-control server. FunkSec's operational security is weak, allowing researchers to develop a public decryptor. The group has compromised over 120 organizations worldwide, targeting sectors such as government, defense, technology, finance, and education. FunkLocker's behavior maps to several MITRE ATT&CK techniques, including process termination, service stoppage, and inhibiting system recovery.

Date

  • Created: Oct. 2, 2025, 7:43 a.m.
  • Published: Oct. 2, 2025, 7:43 a.m.
  • Modified: Oct. 2, 2025, 8:15 a.m.

Indicators

  • e29d95bfb815be80075f0f8bef4fa690abcc461e31a7b3b73106bfcd5cd79033

Attack Patterns

Additional Information

  • Technology
  • Defense
  • Education
  • Finance
  • Government
  • Mongolia
  • British Indian Ocean Territory
  • India
  • Spain
  • United States of America