Decrypted: FunkSec Ransomware




Researchers at Avast developed a decryptor for the FunkSec ransomware. We have been cooperating with law-enforcement agencies to help victims decrypt files for free. Because the ransomware is now considered dead, we released the decryptor for public download.
We counted 113 victims of the ransomware in total (based on the ransomware leak site). Because the first victims appeared before the initial source file surfaced, we assume that the FunkSec gang started with data exfiltration and extortion alone and only later added file encryption. Here’s a simple timeline of the ransomware operations:
04-Dec-2024: The first victims appeared on the ransomware gang’s leak site
15-Dec-2024: The initial source file was uploaded to Virus Total
31-Dec-2024: The first known ransomware sample was uploaded to Virus Total
15-Mar-2025: The latest known victim
AI-Powered Ransomware
Sources report that AI was used to assist in writing this ransomware. Notably, the authors used AI to create tools and phishing templates, though they emphasize that AI contributes to only about 20% of their operations.
Overall, most samples of the ransomware fail to work. Some of them depend on an external image (meant to become the desktop wallpaper) downloaded from Imgur:
- hxxps[:]//i.imgur.com/HCYQoVR.jpeg
- hxxps[:]//i.imgur.com/mlUvWYT.jpeg
How to Recognize FunkSec Ransomware
Files encrypted with FunkSec ransomware have the “.funksec” extension:

Also, a ransom note file called “README-{random}.md” is dropped to every folder.

FunkSec Ransomware Analysis
The ransomware is written in the Rust programming language. For cryptographic operations, it uses the orion-rs library, version 0.17.7. Files are encrypted with ChaCha20 and authenticated with a Poly1305 MAC. This MAC-based method ensures the integrity of the encryption parameters: the encryption key, nonce, block lengths, and the encrypted data itself.
Files are encrypted in blocks of 128 bytes, with 48 bytes of extra metadata added to each block, which means that encrypted files are about 37% bigger than the originals.
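The two facts above (the “.funksec” extension and “README-{random}.md” note from the recognition section, and the 128-byte block that grows by 48 bytes) are enough to triage a victim’s directory before running the decryptor. The following script is an added example, not code from Avast or the decryptor; it assumes every block, including a short final one, carries the full 48-byte metadata, and it builds a constructed sample tree rather than reading real victim files.

```python
import math
import os
import re
import tempfile

BLOCK = 128     # plaintext bytes per block (from the analysis above)
OVERHEAD = 48   # metadata bytes added to every encrypted block
NOTE_RE = re.compile(r"^README-.+\.md$")   # ransom note: README-{random}.md

def encrypted_size(plain_len: int) -> int:
    """Size on disk of a FunkSec-encrypted file; each block, even a short
    final one, is assumed to carry the 48-byte metadata."""
    return plain_len + OVERHEAD * math.ceil(plain_len / BLOCK)

def original_size(enc_len: int):
    """Invert encrypted_size(); None if no plaintext length produces enc_len
    under the 128+48 layout (truncated or otherwise damaged file)."""
    n_blocks = math.ceil(enc_len / (BLOCK + OVERHEAD))   # full blocks are 176 bytes
    plain_len = enc_len - OVERHEAD * n_blocks
    if plain_len < 0 or encrypted_size(plain_len) != enc_len:
        return None
    return plain_len

def triage(root: str) -> dict:
    """Walk root; count ransom notes and .funksec files, flag files whose size
    does not fit the block layout, and sum the recoverable plaintext bytes."""
    report = {"notes": 0, "encrypted": 0, "inconsistent": [], "original_bytes": 0}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if NOTE_RE.match(name):
                report["notes"] += 1
            elif name.endswith(".funksec"):
                report["encrypted"] += 1
                plain = original_size(os.path.getsize(os.path.join(dirpath, name)))
                if plain is None:
                    report["inconsistent"].append(name)
                else:
                    report["original_bytes"] += plain
    return report

def demo() -> dict:
    """Constructed sample tree (not real victim data): one well-formed encrypted
    file, one truncated one, one ransom note and one untouched .txt file."""
    root = tempfile.mkdtemp()
    samples = {"report.doc.funksec": encrypted_size(1000),   # 1384 bytes on disk
               "photo.jpg.funksec": 177,        # 176 < 177 < 225: no valid plaintext length
               "README-k3x9q.md": 64,
               "notes.txt": 300}                # .txt is on the ransomware's skip list
    for name, size in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"\0" * size)
    return triage(root)
```

Files reported as inconsistent were not produced by the 128+48 layout, so they are the ones to check (and to back up) first if the decryptor reports failures.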
When executed, the ransomware searches all local drives (by drive letter) and encrypts all files, except the ones with these extensions:
.7z .aac .ai .apk .avi .avro .azw3 .bak .bat .bib .bin .bkp .c .cer .chm .cpp .csr .css .csv .cue .dat .db .dbf .deb .djvu .dll .dmg .docx .dwg .dxf .ear .eml .eps .epub .etl .exe .fb2 .fla .flac .flv .git .gpg .hdf5 .html .indd .ini .ipa .iso .jar .java .js .json .jsx .kdbx .key .log .lst .m3u .md .mdb .midi .mkv .mov .mp3 .mp4 .msg .msi .nfs .odp .ods .odt .ogg .opf .parquet .pdb .pdf .pem .pfx .pgp .php .pptx .ps .psd .py .rar .raw .rpm .rtf .sh .sql .sqlite .svg .svn .tar .tar.gz .tex .tgz .tiff .ts .tsx .txt .vcs .vhd .vmdk .war .wav .webm .wma .xlsx .xml .xps .xz .yaml .zip
The following processes and services are killed before the ransomware starts the file encryption:
Processes: chrome.exe firefox.exe msedge.exe explorer.exe outlook.exe vlc.exe spotify.exe skype.exe discord.exe steam.exe java.exe python.exe node.exe cmd.exe powershell.exe taskmgr.exe wmplayer.exe tscon.exe notepad.exe
Services: spooler bits dnsclient lanmanworkstation winmgmt netsh iphlpsvc services RemoteAccess ShellHWDetection SCardSvr TrkWks wscsvc CryptSvc msiserver MpsSvc defragsvc upnphost WindowsUpdate srservice wsmprovhost AppIDSvc AudioEndpointBuilder Schedule eventlog PlugPlay Netman bthserv ShellExperienceHost SMB WinDefend wuauserv
How to Use the Ransomware Decryptor
1. The first step is to download the decryptor binary. Avast provides a 64-bit decryptor, as the ransomware is also 64-bit and can’t run on 32-bit Windows. If you have no choice but to use 32-bit applications, you may download a 32-bit decryptor here.
2. Run the executable file, preferably as administrator. It starts as a wizard, leading you through the decryption process.
3. On the initial page, you will find a link to the license information. Click the Next button when you are ready to start.

4. On the next page, select the locations you want searched and decrypted. By default, the list contains all local drives, but you can pick a different set, such as a directory with important documents:

5. On the final page, you can opt in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This option is selected by default, which we recommend. After clicking Decrypt, the decryption process begins. Let the decryptor work and wait until it finishes decrypting all your files.

For questions or comments about the Avast decryptor, email decryptors@avast.com.
IOCs
Ransomware sample
c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c
Initial source code
7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603