Cyber Security News

FunkSec Ransomware Dominating Ransomware Attacks, Compromised 85 Victims In December

FunkSec is a ransomware-as-a-service (RaaS) operator whose use of AI-assisted tooling illustrates how threat actor tradecraft keeps evolving.

Check Point's analysis finds that the group's AI-generated tooling is of limited sophistication, even though it allowed the group to scale operations quickly and to produce ransomware code.

Several of the group's victim claims appear to be recycled from earlier leaks or fabricated outright, which undermines its credibility and suggests gaps in execution despite the novel use of AI.

FakeUpdates (SocGholish) was the most prevalent malware in December, affecting 5% of organizations worldwide, followed by AgentTesla (3%) and Androxgh0st (3%).

These threats used a wide range of techniques to compromise organizations worldwide, including credential theft and attacks by cross-platform botnets.


FakeUpdates is a JavaScript downloader that writes further payloads to disk before launching them. Other top families in December included AgentTesla (a keylogger and information stealer), Androxgh0st (a multi-platform botnet targeting servers), Remcos (a remote access trojan commonly delivered through malicious Office documents), and AsyncRat (a trojan that collects system information and executes operator commands).

Trojans such as NJRat, Rilide, and Amadey offer a broad range of capabilities, including data theft, remote access, and the distribution of additional malware.

Phorpiex is a botnet used to distribute malware and drive spam campaigns, while Formbook, sold as malware-as-a-service (MaaS), is an information stealer with strong evasion techniques.

On mobile, Anubis, a banking trojan with RAT, keylogging, and ransomware capabilities, topped the December rankings, followed by Necro, a trojan dropper, and Hydra, a banking trojan that steals credentials by abusing the permissions granted to banking apps.

Attacks predominantly targeted Education/Research, followed by Communications and Government/Military, highlighting the elevated risk profile of sectors with complex, interconnected infrastructure and large volumes of sensitive data.

According to Check Point Research, FunkSec, an emerging double-extortion group, led ransomware activity in December, followed by RansomHub, a RaaS known for targeting VMware ESXi, and LeakeData, a newly identified entity operating a clear-web data leak site (DLS) whose intentions remain unclear.

While persistent threats such as FakeUpdates, AgentTesla, and mobile malware continued to shape the threat landscape in December 2024, FunkSec stood out for its use of AI in ransomware operations.

Critical infrastructure vulnerabilities and the rise of emerging groups underscore the need for organizations to proactively adapt with advanced technologies, real-time threat intelligence, and robust defense strategies to mitigate evolving cyber risks.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
