One reason bad actors are turning to AI for their nefarious operations is that the emerging technology lets hackers with little expertise launch more sophisticated cyberattacks than they could have on their own.
Check Point researchers say a new ransomware group, dubbed “FunkSec,” may be one of those threat groups.
According to the cybersecurity firm, FunkSec came onto the scene late last year, claiming on its new data leak site (DLS) in December more than 85 victims, significantly higher than any other groups that month.
FunkSec presents itself as a ransomware-as-a-service (RaaS) gang with apparent hacktivist leanings, but it has no known connections to any other ransomware group, and little is known about where its members come from, what they do, or how they do it, the researchers wrote in a report.
A deeper dive into the group seems to indicate that it comprises low-skilled bad actors who are using data from campaigns of other cybercriminals to bolster their claim of 85-plus victims last month and generate attention, they wrote.
“Our analysis of the group’s activity indicates that the impressive numbers of published victims may mask a more modest reality both in terms of actual victims as well as the group’s level of expertise,” the researchers wrote. “Most of FunkSec’s core operations are likely conducted by inexperienced actors. In addition, it is difficult to verify the authenticity of the leaked information as the group’s primary goal appears to be to gain visibility and recognition.”
They added that “evidence suggests that in some instances, the leaked information was recycled from previous hacktivist-related leaks, raising questions about its authenticity.”
Generative AI is giving bad actors a new and powerful automation tool for launching cyberattacks, helping them in areas ranging from creating more legitimate-looking phishing messages to finding flaws in their code. The combination of the growing cybercrime-as-a-service trend and AI means more hackers are able to launch more complex attacks.
Cybersecurity pros are warning organizations and vendors to expect more such democratization of cybercrime as 2025 plays out. In a blog on LinkedIn last month, Dan Lohrmann, field chief information security officer (CISO) for the public sector at IT solutions provider Presidio, predicted that this year, “automated hacking tools, powered by AI, will proliferate on dark web marketplaces, enabling low-skilled actors to execute advanced attacks.”
Cybersecurity vendor Abnormal Security noted in a white paper that an ethical hacker called “FreakyClown” – or simply “FC” – said AI is driving the growth of cybercrime services and the rise of less-skilled bad actors. He pointed to Beryllium Security, a company that develops AI-powered tools for cybersecurity pros and organizations. Its Nebula AI-powered assistant can be used by hackers, “who can interact with the computer using natural language – making it possible for hackers to use it to do the heavy lifting of commands and execution to target vulnerable people and organizations,” Abnormal wrote.
In FunkSec’s case, the group’s tools include a custom encryptor that Check Point researchers said probably was created by a “relatively inexperienced malware author based in Algeria,” and that the encryptor and other tools were “likely AI-assisted, which may have contributed to their rapid iteration despite the author’s apparent lack of technical expertise.”
They also said FunkSec’s rise puts a spotlight on the blurring line between hacktivism and cybercrime, the difficulty of separating the two, and the question of whether a distinction exists at all, or whether the hackers themselves are aware of it or care.
Moreover, the case highlights the need to develop more objective methods for assessing the risks posed by particular ransomware groups. Current assessments rely on the public claims of the ransomware groups themselves, which makes it difficult to gauge the threat of a group like FunkSec, which has ransomware tools but whose claims of attacks can’t be trusted.
“The group uses double extortion tactics, combining data theft with encryption to pressure victims into paying ransoms,” the researchers wrote of FunkSec. “Their DLS features breach announcements, a custom-developed DDoS [distributed denial-of-service] tool, and, more recently, a custom ransomware offered as a Ransomware-as-a-Service (RaaS).”
The hackers may have claimed dozens of victims, but they also demanded relatively low ransom payments – some as low as $10,000 – and offered to sell stolen data to other hackers at reduced prices. FunkSec’s “activities are widely discussed in cybercrime forums, further contributing to their growing notoriety,” they wrote.
The group’s motivations seem to straddle hacktivism – they latched onto the “Free Palestine” movement, claimed association with hacktivist groups like Ghost Algeria and Cyb3r Fl00d, and targeted organizations in the United States and India – and cybercrime, with some members having previously participated in hacktivism. In addition, Check Point wrote that their custom ransomware is evolving quickly – with some versions published days apart – and their website is updated to boast of the new features. For example, with V1.5, they bragged of the ransomware’s low rate of detection.
A key member of the group is called “Scorpion” – though they use other aliases, including “DesertStorm” – who in October 2024 introduced FunkSec via a YouTube video that purported to include a leaked call between then-presidential candidate Donald Trump and Israeli Prime Minister Benjamin Netanyahu, which turned out to be AI-generated.
A subsequent DesertStorm post inadvertently included screenshots indicating their Algeria location.