Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
FunkSec ransomware recovery team on standby
FunkSec published over 85 victims in December 2024 alone — surpassing every other ransomware group that month — using AI-assisted malware development and demanding unusually low ransoms of around $10,000. Do not attempt decryption or negotiation alone; isolate infected systems and contact UnderDefense's incident response team immediately.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a FunkSec attack can make a huge difference and help you make a full recovery. Request 24/7 FunkSec ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Watch for FunkSec’s indicators of compromise: .funksec file extensions on encrypted files, ransom notes in user directories, evidence of phishing email origins in mailbox logs, disabled Windows Defender via PowerShell, deleted shadow copies (vssadmin delete shadows), and tools used for lateral movement (PsExec, RDP). FunkSec employs double extortion with data exfiltration before encryption.
FunkSec operators use generative AI (likely ChatGPT, Claude, or similar) to rapidly develop and refine ransomware variants, enabling fast iteration and new evasion techniques without requiring experienced malware developers.
Uses standard symmetric encryption for speed paired with public-key encryption, with AI-generated variants potentially optimizing encryption algorithms for speed or evasion detection.
Unlike other RaaS groups targeting high-value victims, FunkSec operates on volume—attacking hundreds of organizations with low ransom demands ($10,000–$50,000)—to maximize total revenue through sheer numbers.
Exfiltrates sensitive data before encryption and threatens publication on dark web leak sites, using both encryption pressure and data-breach pressure to maximize negotiation likelihood.
Ransom notes appear in user directories and on system root, directing victims to access a Tor .onion site with a unique victim ID for negotiation.
No public decryptor exists for FunkSec. The hybrid AES-256 + RSA-2048 encryption with private keys held by operators makes decryption impossible without ransom payment.
Indicators are identified through phishing email analysis, endpoint detection and response systems, ransom note patterns, and dark web leak site monitoring.
File extensions
.funksec (primary), occasionally .FunkSec or .FUNKSEC (case variations)
Ransom note filenames
README.txt, FUNKSEC_README.txt, RESTORE_YOUR_FILES.txt, placed in user desktop and document directories
FunkSec hashes
SHA256 hashes vary rapidly due to AI-assisted code generation; no single signature represents FunkSec variants. Check Point Research published representative samples from early FunkSec campaigns. Each variant is typically compiled with different parameters, making traditional hash-based detection ineffective.
FunkSec tools
– Initial access: Phishing emails with malicious attachments, credential stuffing, exploitation of unpatched vulnerabilities
– Persistence: Scheduled tasks, registry run keys, WMI event subscriptions
– Credential dumping: Mimikatz, procdump, lsass.exe memory extraction
– Lateral movement: PsExec, WinRM, RDP with stolen credentials, Kerberoasting
– Data exfiltration: Rclone to cloud storage (OneDrive, Google Drive), FileZilla, 7-Zip + FTP
– Encryption: FunkSec ransomware binary with AI-generated variants
– Defense evasion: PowerShell to disable Windows Defender, delete shadow copies, disable UAC
Most common red flag
Phishing email with malicious attachment followed within 2 hours by PowerShell command execution: `powershell.exe “Set-MpPreference -DisableRealtimeMonitoring $true; Remove-MpPreference -DisableRealtimeMonitoring”` and `vssadmin delete shadows /all /quiet`.
Attack vector | % of FunkSec incidents | Notes |
Phishing emails with malicious attachments | 48% | High-volume, generic phishing with macro-enabled documents or executables |
Credential stuffing / brute-force attacks | 28% | Using credentials from data breaches against common services (email, RDP, VPN) |
Unpatched external-facing vulnerabilities | 15% | Exchange, Fortinet, Cisco, RDP services without patches |
Insider threat or supply chain compromise | 9% | Compromised contractor or vendor with network access |
FunkSec victims typically experience compromise within 1–7 days of initial access (phishing or credential compromise). Rapid lateral movement and data exfiltration follow, with encryption deployed within 3–10 days. Organizations typically receive ransom notes demanding $10,000–$100,000. Due to low ransom demands relative to recovery costs, many organizations choose to pay rather than attempt recovery from backups. Documented victims across government, tech, finance, and education sectors have paid ransom demands averaging $25,000–$50,000. One documented victim in the tech sector paid $35,000 within 48 hours of encryption.
1. Isolate all infected systems from the network immediately to prevent lateral movement and further encryption.
2. Boot systems into safe mode and scan with updated antivirus/EDR tools to locate and remove the FunkSec binary.
3. Identify and remove any secondary persistence mechanisms (scheduled tasks, registry run keys, WMI event subscriptions) created during the attack.
4. Reset all user and administrative account passwords using an air-gapped, clean machine.
5. Search mailbox logs for phishing emails that may have initiated the attack and identify other recipients who may have opened malicious attachments.
6. Review network logs for lateral movement commands (PsExec, RDP sessions) and identify other potentially compromised systems.
7. Rebuild systems from clean images rather than attempting file-by-file malware removal, due to AI-generated variant diversity and potential for hidden persistence.
1. Restore encrypted files from clean backups created before the attack window (test backups in isolated environment first).
2. If no backups exist, decrypt files using the FunkSec decryption key (if obtained via ransom payment or law enforcement recovery).
3. Validate all restored files through integrity checks (MD5/SHA256 verification, application-level testing).
4. Implement network segmentation to prevent future lateral movement (isolate critical systems onto separate network segments).
5. Deploy endpoint detection and response (EDR) solutions on all systems to monitor for future intrusion attempts.
6. Implement continuous incremental backups with immutable storage.
7. Enforce multi-factor authentication on all critical systems and email accounts.
FunkSec operators typically demand $10,000–$100,000 depending on organization size and data sensitivity. Government and technology sector victims report demands averaging $25,000–$50,000. Unlike other RaaS groups, FunkSec operates on volume with intentionally low demands to maximize negotiation success rates and total revenue. Payment is demanded in cryptocurrency (Bitcoin or Monero).
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowFunkSec is a newly emerged ransomware group launched in late 2024 that rapidly became one of the most prolific ransomware operations globally. What distinguishes FunkSec is its use of generative AI (ChatGPT, Claude, or similar LLMs) to assist in malware development and code generation, allowing relatively inexperienced operators to rapidly produce sophisticated ransomware variants. Rather than targeting high-value organizations for large ransoms, FunkSec operates on a volume model with intentionally low ransom demands ($10,000–$50,000) to maximize negotiation success rates and total revenue.
Operational patterns suggest FunkSec operators are based in Eastern Europe or the CIS region. Language in communications and forum activity imply Russian or Ukrainian origin. No definitive geolocation has been published.
FunkSec attacks begin with phishing emails containing malicious attachments (Word macros, PDFs with embedded executables, or direct executable files) sent to large numbers of organizations. Alternatively, FunkSec affiliates use credential stuffing to compromise email, RDP, or VPN accounts using credentials obtained from data breaches. Once initial access is obtained, attackers disable Windows Defender via PowerShell, conduct lateral movement across the network using stolen credentials and tools like PsExec, exfiltrate sensitive data to cloud storage (Rclone), and finally deploy the FunkSec ransomware binary to encrypt all accessible files.
From initial phishing click to encryption and ransom demand, FunkSec attacks typically span 3–10 days. Initial access to lateral movement may take 1–3 days; data exfiltration spans 1–5 days; encryption deployment completes within 12–24 hours.
FunkSec-encrypted files cannot be decrypted without the private RSA-2048 key held by operators. Deletion of the ransomware stops further encryption but does not recover encrypted files. Recovery requires either paying the ransom for the decryption key or restoring from backups.
When FunkSec infects your systems, files are encrypted with .funksec extensions and become inaccessible. A ransom note (README.txt) appears on user desktops and system root, directing you to access a Tor website with your unique victim ID. Within 24–48 hours, a leak site posting appears on the dark web, threatening to publish exfiltrated data if you do not pay the ransom within 3–5 days.
Prevent FunkSec attacks by: (1) implementing robust email security with anti-phishing filters and user training to reduce phishing success rates; (2) conducting password audits against data breach databases (Have I Been Pwned) and forcing password resets on compromised accounts; (3) implementing multi-factor authentication on all email, RDP, and VPN accounts; (4) monitoring for and blocking suspicious PowerShell execution disabling Windows Defender; (5) deploying EDR solutions with behavioral detection for lateral movement and credential dumping; (6) maintaining immutable, off-site backups; (7) implementing network segmentation isolating critical systems; and (8) conducting monthly security awareness training on phishing recognition.
– Deploy robust email security filtering with anti-phishing detection and sandboxing of attachments
– Conduct monthly security awareness training on phishing email recognition and malicious attachment handling
– Audit all user accounts against data breach databases; reset passwords found in breaches
– Implement multi-factor authentication on all email, RDP, VPN, and administrative accounts
– Monitor for and alert on suspicious PowerShell execution (particularly Set-MpPreference commands)
– Deploy EDR solutions with behavioral detection for credential dumping and lateral movement
– Implement network segmentation isolating critical systems from general corporate networks
– Create daily incremental backups with immutable (write-once) offline storage
– Test backup restoration monthly to ensure recovery capability
– Monitor and alert on deletion of shadow copies (vssadmin delete shadows) on all systems
– Restrict local administrator access using privilege access management (PAM)
– Block macro execution in Microsoft Office by default; whitelist only required applications
FunkSec deliberately uses low ransom demands ($10,000–$50,000) as a business model targeting mid-market and small organizations that cannot afford the $100,000–$1,000,000+ demands of other groups. This volume strategy—attacking hundreds of organizations for low individual payouts—maximizes total revenue while improving ransom negotiation success rates. Many victims choose to pay $25,000 quickly rather than spend $200,000+ on recovery from backups, making FunkSec’s strategy economically rational.
FunkSec’s use of generative AI for malware development represents a significant shift in ransomware evolution. Rather than requiring experienced malware developers (expensive and rare), organizations can now use LLMs to generate functional ransomware code, identify evasion techniques, and rapidly prototype new variants. This dramatically lowers the skill barrier for ransomware deployment and enables faster iteration and evasion capability development. FunkSec’s rapid emergence (October–December 2024) and high victim count demonstrate the effectiveness of this approach and likely foreshadow a new wave of AI-assisted cybercriminal operations.