AI-Powered FunkLocker Ransomware

A new ransomware strain, dubbed FunkLocker, is leveraging artificial intelligence to expedite its development, while relying on the abuse of legitimate Windows utilities to disable security defenses and disrupt systems.

The ransomware, attributed to a group known as FunkSec, highlights a growing trend of threat actors using AI to piece together malware with varying degrees of success.

The development of FunkLocker appears to follow an “Ask AI → Paste snippet” model, resulting in code that is often inconsistent. While some builds of the ransomware are barely functional, others incorporate more advanced features like anti-virtual machine checks.

This AI-assisted approach allows for rapid creation but sacrifices the stability and sophistication seen in malware from more established groups. Samples like this should only be analyzed inside an isolated sandbox environment.

Upon execution, FunkLocker aggressively terminates a predefined list of processes and services. It uses standard Windows command-line tools like taskkill.exe to stop applications and sc.exe to halt services.

This brute-force method often generates numerous errors as it attempts to stop non-existent or protected services, but it ultimately succeeds in crippling system defenses and applications.


The list of targeted services includes security tools like Windows Defender and Windows Firewall, as well as essential system components like the Shell Experience Host, which causes the victim’s screen to go black.

Disabling Defenses and Encrypting Files

According to ANY.RUN sandbox analysis, FunkLocker heavily abuses PowerShell to dismantle security measures systematically.

It runs a series of commands to disable real-time monitoring in Windows Defender, clear security and application event logs using wevtutil, and bypass the PowerShell execution policy to allow unrestricted script execution.

To prevent system recovery, the ransomware uses the Volume Shadow Copy Service administration tool (vssadmin.exe) to delete all shadow copies.

This action removes the victim’s ability to restore their system from local backups, a common technique used by ransomware to increase pressure on the victim.
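The sequence described above (mass taskkill.exe and sc.exe calls, Defender real-time monitoring disabled through PowerShell, wevtutil log clearing, vssadmin shadow deletion) is a detection opportunity in its own right, because no single one of these commands is rare but a burst of them from one parent process is. The following is an added example written for this article, not code from the article, ANY.RUN or FunkSec: it scores process-creation records (fields mirror Windows Security event 4688 / Sysmon event 1, but every record below is constructed, not real telemetry) and alerts on a parent process whose children hit a weighted threshold inside a time window. The regexes, weights and threshold are my own choices, not published detection rules.

```python
"""Burst detection for the living-off-the-land defence-tampering sequence.

Added example; constructed events, hypothetical weights and thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (name, regex applied to the lower-cased command line, weight)
PATTERNS = [
    ("kill_process",      re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b.*\s/im\b"), 1),
    ("stop_service",      re.compile(r"\bsc(\.exe)?\s+stop\b"), 1),
    ("defender_disable",  re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)"), 5),
    ("clear_eventlog",    re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"), 5),
    ("delete_shadows",    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all"), 8),
    ("execpolicy_bypass", re.compile(r"-(executionpolicy|ep)\s+bypass\b"), 3),
]

# Constructed process-creation records: one ransomware parent (ppid 4120)
# and one unrelated administrator stopping a single service (ppid 2200).
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:00", "ppid": 4120, "cmdline": "taskkill.exe /F /IM MsMpEng.exe"},
    {"time": "2025-01-10T09:00:01", "ppid": 4120, "cmdline": "taskkill.exe /F /IM explorer.exe"},
    {"time": "2025-01-10T09:00:01", "ppid": 4120, "cmdline": "sc.exe stop WinDefend"},
    {"time": "2025-01-10T09:00:02", "ppid": 4120, "cmdline": "sc.exe stop mpssvc"},
    {"time": "2025-01-10T09:00:02", "ppid": 4120, "cmdline": "sc.exe stop WdNisSvc"},
    {"time": "2025-01-10T09:00:03", "ppid": 4120,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2025-01-10T09:00:04", "ppid": 4120, "cmdline": "wevtutil.exe cl Security"},
    {"time": "2025-01-10T09:00:04", "ppid": 4120, "cmdline": "wevtutil.exe cl Application"},
    {"time": "2025-01-10T09:00:05", "ppid": 4120, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2025-01-10T09:30:00", "ppid": 2200, "cmdline": "sc.exe stop Spooler"},
    {"time": "2025-01-10T09:31:00", "ppid": 2200, "cmdline": "notepad.exe report.txt"},
]


def classify(cmdline: str) -> list:
    """Return [(technique_name, weight), ...] for every pattern the command line matches."""
    lowered = cmdline.lower()
    return [(name, weight) for name, rx, weight in PATTERNS if rx.search(lowered)]


def score_events(events, window_s: int = 60, threshold: int = 10) -> list:
    """Group matching events by parent PID and alert when the weighted sum of
    matches inside any sliding window of `window_s` seconds reaches `threshold`."""
    by_parent = defaultdict(list)
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            by_parent[ev["ppid"]].append((datetime.fromisoformat(ev["time"]), hits))

    alerts = []
    for ppid, items in by_parent.items():
        items.sort(key=lambda x: x[0])
        best_score, best_names, start = 0, set(), 0
        for end in range(len(items)):
            # advance the window start until the window fits
            while items[end][0] - items[start][0] > timedelta(seconds=window_s):
                start += 1
            window = items[start:end + 1]
            score = sum(w for _, hits in window for _, w in hits)
            if score > best_score:
                best_score = score
                best_names = {n for _, hits in window for n, _ in hits}
        if best_score >= threshold:
            alerts.append({"ppid": ppid, "score": best_score,
                           "techniques": sorted(best_names), "events": len(items)})
    return alerts


if __name__ == "__main__":
    for alert in score_events(SAMPLE_EVENTS):
        print(alert)
```

The weights are deliberately skewed: one `sc stop` or `taskkill` is everyday administration and scores 1, while `vssadmin delete shadows /all` almost never appears in legitimate automation and scores 8 on its own, so the lone administrator at ppid 2200 never reaches the threshold but the ransomware parent does within its first few seconds.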

The encryption process is performed entirely locally, meaning FunkLocker does not communicate with a command-and-control (C2) server to retrieve encryption keys.

Files are encrypted and appended with the .funksec extension. A ransom note is then dropped onto the desktop.

However, because the malware often terminates the Shell Experience Host process, victims may be unable to view the note without rebooting the compromised system.

Despite its disruptive capabilities, FunkLocker exhibits signs of poor operational security. Researchers have observed the reuse of Bitcoin wallet addresses across different victims, and analysis suggests that encryption keys are either hardcoded into the malware or derived locally on the victim’s machine.

These weaknesses have allowed security researchers at Avast Labs to develop and release a public decryptor, offering a recovery path for victims.

Since its emergence in late 2024, the FunkSec group has been linked to attacks on more than 120 organizations worldwide. The group maintains a data leak site where it publicizes stolen information.

Targets span various sectors, including government, defense, technology, and finance, with a significant number of victims located in the United States, as well as reported incidents in India, Spain, and Mongolia.

IOCs

| Type | Indicator | Description |
| --- | --- | --- |
| File Hash (SHA256) | c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c | SHA256 hash of the FunkLocker ransomware executable. |
| File Hash (SHA256) | e29d95bfb815be80075f0f8bef4fa690abcc461e31a7b3b73106bfcd5cd79033 | SHA256 hash identified as being associated with a ransom note file. |
| File Extension | .funksec | The extension appended to files after they have been encrypted by the ransomware. |
| Ransom Note | README-ZasRvdSR44.md, readme.txt | Names used for the ransom note dropped on the victim's system. The exact name can vary. |
| Threat Actor | FunkSec | The Ransomware-as-a-Service (RaaS) group responsible for developing and distributing FunkLocker. |
| Behavioral | sc.exe, taskkill.exe, wevtutil.exe, vssadmin.exe | Abuses legitimate Windows command-line tools to stop services, terminate applications, clear security logs, and delete Volume Shadow Copies. |
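The file-based indicators in the table (the .funksec extension, the ransom-note names and the two SHA256 hashes) are the ones an incident responder sweeps a host or a mounted image for. The following is an added example written for this article, not a tool from the article, Avast or ANY.RUN: it walks a directory tree and reports encrypted-looking files, ransom notes and hash matches. The demo tree created by `build_demo_tree()` is constructed for the example and contains no real sample; `MAX_HASH_BYTES` and the 1 MiB read chunk are my own triage choices.

```python
"""Filesystem IOC sweep for the FunkLocker indicators listed above.

Added example; the demo directory is constructed, no real malware is included.
"""
import hashlib
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".funksec"
NOTE_NAMES = {"readme-zasrvdsr44.md", "readme.txt"}          # compared case-insensitively
IOC_HASHES = {
    "c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c",  # FunkLocker executable
    "e29d95bfb815be80075f0f8bef4fa690abcc461e31a7b3b73106bfcd5cd79033",  # associated with ransom note
}
MAX_HASH_BYTES = 64 * 1024 * 1024  # skip hashing very large files during a quick triage


def sha256_file(path) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, bad_hashes=IOC_HASHES) -> dict:
    """Walk `root` and collect paths matching the extension, note-name and hash IOCs."""
    findings = {"encrypted": [], "notes": [], "hash_matches": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(str(path))
            if lowered in NOTE_NAMES:
                findings["notes"].append(str(path))
            try:
                if path.stat().st_size <= MAX_HASH_BYTES and sha256_file(path) in bad_hashes:
                    findings["hash_matches"].append(str(path))
            except OSError:
                # locked, unreadable or vanished file: record nothing, keep sweeping
                continue
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_tree() -> str:
    """Create a throwaway directory mimicking a post-infection user profile (constructed data)."""
    root = tempfile.mkdtemp(prefix="funksec_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    Path(docs, "budget.xlsx.funksec").write_bytes(os.urandom(256))   # stands in for an encrypted file
    Path(docs, "notes.txt").write_text("untouched file\n")
    Path(root, "README-ZasRvdSR44.md").write_text("your files are encrypted (demo note)\n")
    Path(root, "stager.exe").write_bytes(b"MZ demo placeholder, not a real binary\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for category, paths in sweep(demo_root).items():
        print(category, paths)
```

Against the demo tree the hash list produces no match, which is the expected result for constructed data; on a real host a hit on either SHA256 identifies the dropped executable or note artifact, while the extension and note-name matches scope how far encryption progressed.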


Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.