Avast researchers, in collaboration with international law enforcement, have published a free decryptor for victims of the now-defunct FunkSec ransomware.
The public release comes after thorough victim assistance efforts and the effective dismantling of the ransomware operation.
This intervention offers a lifeline to the estimated 113 known victims who were targeted between December 2024 and March 2025, as identified through leak site records and sample submissions.
With the ransomware’s infrastructure considered neutralized, the decryptor is now freely available, enabling users to restore encrypted files without succumbing to extortion.
Anatomy of FunkSec Operations
FunkSec’s operational timeline shows classic trends in modern cyber extortion with a slight twist: the first victims appeared on the ransomware group’s leak site on December 4, 2024, more than a week before the initial sample surfaced on VirusTotal.
This suggests FunkSec may have initially relied on data theft and blackmail before introducing data encryption capabilities.
On December 31, the first working ransomware payload was uploaded, and by mid-March 2025, the last known infection had occurred.
A distinguishing technical aspect is FunkSec’s partial reliance on AI: the group reportedly leveraged artificial intelligence for drafting phishing lures and developing attack tools, although human operators still handled about 80% of their infrastructure and campaigns.
While dubbed ‘AI-powered,’ the ransomware code itself, written in Rust, does not exhibit advanced AI-driven autonomous infection or evasion. Instead, AI augmented traditional tactics, facilitating criminal scale and operational agility.
Decryption Details
Technical analysis indicates FunkSec ransomware relies on the orion-rs cryptographic library (version 0.17.7), using ChaCha20 for file encryption and Poly1305 for message authentication.
According to the report, files are processed in 128-byte blocks, each with 48 bytes of additional metadata appended, so encrypted files grow significantly, by around 37%.
Notably, the malware targets all local drives, encrypting files except for several common document, archive, and system formats (including .docx, .xlsx, .pdf, .zip, and .exe). Before file locking, FunkSec forcibly terminates numerous application processes and critical system services to maximize file access and disrupt forensic response.
Distinctive artifacts include affected files renamed with the “.funksec” extension and personalized ransom notes (“README-{random}.md”) dropped into each encrypted folder.
Several samples also attempted to download images from Imgur to serve as desktop wallpaper, though these dependencies often rendered the malware ineffective.
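As an added illustration, not Avast's decryptor or code from the report, the following Python triage helper applies the 128-byte-block plus 48-byte-metadata layout described above, together with the .funksec extension and README-{random}.md note naming, to a directory scan so that responders can spot encrypted files whose size does not fit the layout (a hint of truncation or a different variant). The treatment of a short final block and the alphanumeric form of {random} are assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Block layout from the report: 128 plaintext bytes per block plus 48 bytes of appended
# metadata, so each full block occupies 176 bytes on disk (~37% growth).
BLOCK_PLAINTEXT, BLOCK_OVERHEAD = 128, 48
BLOCK_ON_DISK = BLOCK_PLAINTEXT + BLOCK_OVERHEAD
EXTENSION = ".funksec"
# Ransom note name README-{random}.md; an alphanumeric {random} is an assumption.
NOTE_PATTERN = re.compile(r"^README-[A-Za-z0-9]+\.md$")

def expected_encrypted_size(plaintext_size: int) -> int:
    # Assumes a short final block still carries the full 48-byte overhead (assumption).
    full, rem = divmod(plaintext_size, BLOCK_PLAINTEXT)
    return full * BLOCK_ON_DISK + (rem + BLOCK_OVERHEAD if rem else 0)

def plaintext_size_from_encrypted(encrypted_size: int) -> Optional[int]:
    # Inverse mapping; None when no plaintext length produces this size under the layout
    # (a trailing fragment must be larger than its own 48-byte overhead).
    full, rem = divmod(encrypted_size, BLOCK_ON_DISK)
    if rem == 0:
        return full * BLOCK_PLAINTEXT
    if rem <= BLOCK_OVERHEAD:
        return None
    return full * BLOCK_PLAINTEXT + (rem - BLOCK_OVERHEAD)

def triage(root: str) -> dict:
    # Bucket .funksec files by whether their size fits the block layout; collect notes by name.
    found = {"encrypted": [], "inconsistent": [], "notes": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix == EXTENSION:
            fits = plaintext_size_from_encrypted(path.stat().st_size) is not None
            found["encrypted" if fits else "inconsistent"].append(path.name)
        elif NOTE_PATTERN.match(path.name):
            found["notes"].append(path.name)
    return found

def demo_triage() -> dict:
    # Constructed sample tree in a temp dir; not real victim data.
    root = Path(tempfile.mkdtemp())
    (root / "ledger.db.funksec").write_bytes(b"\0" * expected_encrypted_size(1000))  # 1384 bytes
    (root / "odd.funksec").write_bytes(b"\0" * 30)  # smaller than one block's overhead
    (root / "README-a1b2c3.md").write_text("ransom note placeholder")
    (root / "notes.txt").write_text("untouched file")
    return triage(str(root))
```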
Victims with encrypted data should promptly download the appropriate 64-bit or 32-bit decryptor binary matching their system architecture directly from Avast’s official resources.
The tool launches as a user-friendly wizard, prompting users to select drives or folders for decryption and offering an optional backup step to safeguard original encrypted files.
Administrator privileges are advised to ensure thorough remediation. Once executed, the decryptor restores access to compromised data, allowing organizations to recover without payment.
Indicators of Compromise (IOCs)
| IOC Type | Value |
|---|---|
| Ransomware Sample | c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c |
| Initial Source Code | 7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603 |