{"id":16157,"date":"2025-10-01T11:04:52","date_gmt":"2025-10-01T11:04:52","guid":{"rendered":"\/cybersecurity-blog\/?p=16157"},"modified":"2025-10-03T10:46:32","modified_gmt":"2025-10-03T10:46:32","slug":"funklocker-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/","title":{"rendered":"FunkSec\u2019s FunkLocker: How AI Is Powering the Next Wave of Ransomware\u00a0"},"content":{"rendered":"\n<p><em>Editor\u2019s note:<\/em><strong><em>\u00a0The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can\u00a0<\/em><\/strong><a href=\"https:\/\/x.com\/MauroEldritch\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><em>find Mauro on X<\/em><\/strong><\/a><strong><em>.<\/em><\/strong>\u00a0<\/p>\n\n\n\n<p>AI is part of our lives whether we like it or not. Even if you are not quite a fan, or not a user at all, you probably came across multiple AI-generated avatars, pictures, scenes, videos, articles and even malware.&nbsp;<\/p>\n\n\n\n<p>All technological advancements are taken advantage of by society. 
They were meant to be used, but some people simply abuse them, and AI used for software development is no exception.&nbsp;<\/p>\n\n\n\n<p>This time we\u2019ll analyze FunkLocker, a ransomware strain by the FunkSec <a href=\"https:\/\/any.run\/malware-trends\/ransomware\" target=\"_blank\" rel=\"noreferrer noopener\">Ransomware<\/a> group, whose creation was aided in significant part by artificial intelligence.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AI-assisted development:<\/strong> FunkSec ransomware strains, including FunkLocker, show signs of \u201cAI snippet\u201d coding patterns (Ask AI \u2192 Paste snippet), making them easy to build but inconsistent in quality.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Multiple builds, mixed stability:<\/strong> Some versions are barely functional, while others integrate advanced features such as anti-VM checks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Aggressive disruption:<\/strong> FunkLocker forcefully terminates processes and services using predefined lists, often causing unnecessary errors but still leading to full system disruption.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>System tools abused:<\/strong> Legitimate Windows utilities like taskkill.exe, sc.exe, net.exe, and PowerShell are heavily misused to stop apps, disable defenses, and prepare for encryption.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Local-only encryption: <\/strong>Unlike many modern ransomware groups, FunkSec encrypts files locally without contacting a command-and-control server, using the .funksec extension.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ransom note quirks: <\/strong>Notes are dropped on the desktop, but system instability sometimes prevents victims from viewing them without a 
reboot.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Weak operational security:<\/strong> Reused BTC wallets and locally derived or hardcoded keys suggest sloppy practices. This has allowed researchers (e.g., Avast Labs) to build a <strong>public decryptor<\/strong> for FunkSec victims.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key <\/strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>MITRE ATT&amp;CK techniques<\/strong><\/a>: FunkLocker activity maps to techniques such as Masquerading (T1036.005), Service Stop (T1489), PowerShell execution (T1059.001), Network Share Discovery (T1135), and Inhibit System Recovery (T1490), among others.&nbsp;<\/li>\n\n\n\n<li><strong>Detection and Response<\/strong>: <a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=funklocker_analysis&amp;utm_term=011025&amp;utm_content=linktoenterprisepage\" target=\"_blank\" rel=\"noreferrer noopener\">SOCs<\/a> can utilize <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=funklocker_analysis&amp;utm_term=011025&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s Interactive Sandbox<\/a> to safely detonate samples of FunkLocker, identify its malicious activities in seconds, and gather critical threat insights for fast mitigation of the attack.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Artificial Intelligence, Natural Evil&nbsp;<\/h2>\n\n\n\n<p>This is not the first time we have seen AI-aided malware, or even malware fully written by an AI. Just recently, another strain, PromptLocker, made the news, even though it was an educational, non-malicious project. 
But FunkSec has been active for quite a while and even managed to publish many victims on their DLS (data leak site).&nbsp;<\/p>\n\n\n\n<p>There are many samples, some more stable than others, and a few barely functional. Interestingly, the older builds (dating back to January of this year) included an anti-VM capability that detected virtualized environments with high accuracy before refusing to run.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"544\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-1-1024x544.png\" alt=\"\" class=\"wp-image-16167\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-1-1024x544.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-1-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-1-768x408.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-1-1536x815.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-1-2048x1087.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-1-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-1-270x143.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-1-740x393.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A FunkSec strain refusing to run<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>That build was also characterized by the vivid colours displayed in its terminal text while running. This one, found in late July, features a monochromatic style and is missing the anti-VM feature. 
While this could indicate an older build, the lack of a standardized versioning scheme, such as the one used by other groups like <a href=\"https:\/\/any.run\/malware-trends\/lockbit\/\" target=\"_blank\" rel=\"noreferrer noopener\">LockBit<\/a>, makes it hard to confirm.&nbsp;<\/p>\n\n\n\n<p>Here is FunkSec\u2019s AI-assisted ransomware <a href=\"https:\/\/app.any.run\/tasks\/4032b92d-c9bf-463b-a93b-dc2f95b73797\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=funklocker_analysis&amp;utm_term=011025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">sample analyzed inside ANY.RUN\u2019s sandbox<\/a>:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/funk_locker-1024x576.png\" alt=\"\" class=\"wp-image-16164\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/funk_locker-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/funk_locker-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/funk_locker-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/funk_locker-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/funk_locker-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/funk_locker-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/funk_locker-740x416.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/funk_locker.png 1838w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>FunkLocker execution inside ANY.RUN&#8217;s Interactive Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The sandbox exposes the threat in seconds, providing an 
actionable TTP and IOC report for fast, confident response and mitigation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Victims and Target Regions&nbsp;<\/h2>\n\n\n\n<p>By early 2025, FunkSec had been linked to more than 120 compromised organizations worldwide, hitting targets in government institutions, the defense sector, tech companies, financial services, and higher education.&nbsp;<\/p>\n\n\n\n<p>The group\u2019s first reported attacks surfaced in November 2024, and in December they 
launched a dedicated data leak site to publicize stolen information. Since then, the tally of known victims has continued to grow, with estimates ranging from 120 to 170, and some trackers recording as many as 172 cases. Notably, at least 30 of these incidents involved organizations in the United States, alongside confirmed cases in India, Spain, and Mongolia.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Execution and Process Disruption&nbsp;<\/h2>\n\n\n\n<p>Immediately after execution, our whole setup goes dark, and this is caused by the malware bashing its way through different processes in order to stop them. Why bashing? Because it doesn\u2019t even take the fraction of a second needed to list the running applications and stop them strategically; it just acts on a predefined list, causing multiple errors when trying to stop non-existent ones.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"536\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1024x536.png\" alt=\"\" class=\"wp-image-16201\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1024x536.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-300x157.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-768x402.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1536x803.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-2048x1071.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-270x141.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-740x387.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>FunkLocker bashing through processes, bat 
in hand<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It will also attempt to stop multiple services, again matching them against a hardcoded predefined list and causing another set of errors. Some of these occur because the services are not running at all, and others because they simply can\u2019t be stopped while other services that rely on them are still running.&nbsp;<\/p>\n\n\n\n<p>This looks like the result of someone studying one by one which services to stop and adding them to a list, without any layer of context about which ones other services depend on, or which ones (being optional) might not be running at all.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"512\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-1024x512.png\" alt=\"\" class=\"wp-image-16202\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-1024x512.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-300x150.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-768x384.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-1536x768.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-2048x1024.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-370x185.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-270x135.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-740x370.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Applications being stopped forcefully<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This doesn\u2019t stop the malware from continuing its raid, and eventually the file system is encrypted. 
The first and most obvious change is the extension of our files, which is now .funksec, but there\u2019s more than meets the eye.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s take a look at the process tree behind the sample. FunkLocker \u2014 aside from clubbing everything in its reach \u2014 is pretty \u201cstructured\u201d, where each of its steps is represented by a legit system tool being abused or a PowerShell script executed procedurally, suggesting an &#8220;Ask AI \u2192 Get snippet \u2192 Paste snippet&#8221; development cycle.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"926\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1024x926.png\" alt=\"\" class=\"wp-image-16203\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1024x926.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-300x271.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-768x695.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1536x1389.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-2048x1852.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-370x335.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-270x244.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-740x669.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>FunkLocker&#8217;s process tree shown in ANY.RUN&#8217;s Interactive Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">PowerShell and System Abuse&nbsp;<\/h2>\n\n\n\n<p>The PowerShell routine is based on four commands:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The first one stops Windows Defender via 
DisableRealtimeMonitoring.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The second one relies on wevtutil to deactivate Security Events logging.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The third one uses wevtutil again to deactivate Application Events logging.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The fourth and final one sets the Execution Policy to Bypass, allowing unrestricted PowerShell execution during that session.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Abused tools include net.exe and its compatibility-mode counterpart net1.exe, used to check if there are any network sessions established.&nbsp;<\/p>\n\n\n\n<p>taskkill.exe is used naturally to stop applications or tasks \u2014 in this case used to forcefully stop browsers like Chrome, Firefox, and Edge, daily-use apps like Notepad, Skype, Spotify, programming environments like Java, Python, and Node, and even Steam, among a long list of other apps.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"706\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-706x1024.png\" alt=\"\" class=\"wp-image-16174\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-706x1024.png 706w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-207x300.png 207w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-768x1113.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-370x536.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-270x391.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-740x1073.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6.png 872w\" sizes=\"(max-width: 706px) 100vw, 706px\" \/><figcaption class=\"wp-element-caption\"><em>Arbitrary list of apps to be 
stopped<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>sc.exe, which is Windows Service Control, is used as a tool (or club) to stop services like Windows Defender &amp; Firewall, SMB (Shared Folders), the Event Log, the Shell Experience Host (which is why our screen turns black), and other services there is absolutely no need to stop, like Bluetooth or Audio.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Encryption and Ransom Note&nbsp;<\/h2>\n\n\n\n<p>After that, Shadow Volume Copies are taken care of (deleted) by abusing the Volume Shadow Service Administrator (vssadmin) to wipe them silently. This prevents the victim from locally restoring the system to a previous state, effectively removing any chance of rollback using Windows\u2019 built-in recovery mechanisms.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"534\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1024x534.png\" alt=\"\" class=\"wp-image-16206\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1024x534.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-300x156.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-768x401.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1536x801.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-2048x1068.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-370x193.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-270x141.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-740x386.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The ransomware deletes Shadow Volume Copies<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Now for the encryption part \u2014 
FunkLocker didn\u2019t attempt to contact a remote server at any time, as the whole encryption process occurred locally. We\u2019ve seen similar behavior in a previous article when we analyzed <a href=\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mamona Ransomware<\/a>.&nbsp;<\/p>\n\n\n\n<p>While this may seem like it could make the malware easier to hide and harder to track \u2014 due to the lack of network infrastructure in the short term \u2014 it is beneficial for victims in the long run, and you\u2019ll soon see why.&nbsp;<\/p>\n\n\n\n<p>The ransom note is dropped right on the desktop but, with the unnecessary killing of the Shell Experience Host service, we\u2019re left with little choice but to reboot our server to view it (if it ever boots again after its intense contusions session).&nbsp;<\/p>\n\n\n\n<p>Luckily, <a href=\"https:\/\/any.run\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s Interactive Sandbox<\/a> has a reliable system which allows us to capture any created, deleted or modified file directly from its GUI. 
So, let\u2019s take a look.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2092\" height=\"1304\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-1024x638.png\" alt=\"\" class=\"wp-image-16178\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-1024x638.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-300x187.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-768x479.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-1536x957.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-2048x1277.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-370x231.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-270x168.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-740x461.png 740w\" sizes=\"(max-width: 2092px) 100vw, 2092px\" \/><figcaption class=\"wp-element-caption\"><em>A ransom note captured by ANY.RUN&#8217;s filesystem hook<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>From here we can notice a BTC address which, after a quick inspection, shows that it has transacted just a few times for around $3,000 USD, suggesting once again that this wallet is shared across different victims or is a default one.&nbsp;<\/p>\n\n\n\n<p>Using this wallet instead of providing a unique one per victim, added to the technical aspects we saw before and to the likelihood of encryption keys being either derived locally or hardcoded, highlights the \u201chomemade AI-assisted\u201d fashion of this strain.&nbsp;<\/p>\n\n\n\n<p>This is where things get shinier for victims, because deriving keys locally (or having them hardcoded) greatly improves the chances of a decryptor being made. 
And this is exactly what happened: Avast Labs was able to create a decryptor for FunkSec, which will give some hope to affected organisations.&nbsp;<\/p>\n\n\n\n<p>After sharing the bad news (ransomware) and the good news (decryptors), it&#8217;s time to move on to the ATT&amp;CK Matrix mapping, which ANY.RUN does automatically for us.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK Techniques&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"420\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-1-1024x420.png\" alt=\"\" class=\"wp-image-16182\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-1-1024x420.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-1-300x123.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-1-768x315.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-1-1536x629.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-1-2048x839.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-1-370x152.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-1-270x111.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-1-740x303.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN&#8217;s Interactive Sandbox maps TTPs to the MITRE ATT&amp;CK matrix<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>FunkLocker does a lot of things which could be pinned down individually and used as &#8220;footprints&#8221; to understand how it works:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-254\"\n           style=\"border-collapse:collapse;\n  
                 border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"9\"\n           data-wpID=\"254\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Technique ID\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Technique name\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Observed behaviour \/ notes\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n     
               style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1036.005\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Masquerading: Match Legitimate Resource Name or Location\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        The malware creates files with names similar to legitimate system files and drops them directly in the system drive root.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1569.002\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n   
                 >\n                                        Service Execution: Service Commands\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Launches sc.exe to manage Windows services (e.g., stopping them as part of its disruption routine).\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1007\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        System Service Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Uses sc.exe to query or discover system services before 
acting on them.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1489\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Impact: Service Stop\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Executes taskkill.exe to forcefully terminate: - Office apps - Running processes - Web browsers like Chrome, Firefox, Edge\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.001\u00a0        
            <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Command and Scripting Interpreter: PowerShell\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Runs multiple PowerShell commands to: - Disable Windows Defender real-time protection - Change the execution policy to Bypass (allowing unrestricted script execution)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1135\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Discovery: Network Share Discovery\u00a0                    <\/td>\n          
                                      <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Uses net.exe to display or manage information about current active sessions.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1490\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Impact: Inhibit System Recovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Deletes Volume Shadow Copies using vssadmin delete shadows \/all \/quiet to prevent recovery via system restore points.\u00a0                    <\/td>\n                                        <\/tr>\n           
                 <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1562.001\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defense Evasion: Disable or Modify Tools\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Modifies Windows Defender configuration to weaken or disable protection mechanisms.\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-254'>\ntable#wpdtSimpleTable-254{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-254 td, table.wpdtSimpleTable254 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">How Security Teams Should Respond&nbsp;<\/h2>\n\n\n\n<p>FunkSec shows how AI is changing the pace and style of ransomware development. For security leaders, the lesson is less about one strain and more about the trend it represents. 
A few priorities stand out:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prioritize behavioral detection: <\/strong>Static indicators aren\u2019t enough when code can be generated and tweaked with AI. Monitoring behaviors, especially misuse of system tools, becomes essential.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Invest in rapid visibility:<\/strong> The longer it takes to understand what\u2019s happening inside an endpoint, the higher the cost of downtime. Tools that reveal the full execution chain within minutes are critical.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Test your recovery: <\/strong>With shadow copies removed, recovery depends on isolated backups and practiced response playbooks. Tabletop exercises should assume ransomware disables standard rollback options.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Close the skill gap: <\/strong>AI makes it easier for criminals to write malware, but defenders can also lean on AI-driven or interactive platforms to augment analysts and shorten investigation times.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>The takeaway<\/strong>: FunkSec isn\u2019t just about today\u2019s attacks. 
It\u2019s a signal that the future of ransomware will be <strong>faster, messier, and more frequent, <\/strong>and security leaders should prepare their defenses accordingly.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=funklocker_analysis&amp;utm_term=011025&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> to streamline malware investigations worldwide.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Speed up triage and response by detonating suspicious files in <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=funklocker_analysis&amp;utm_term=011025&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a>, observing malicious behavior in real time, and gathering insights for faster, more confident security decisions. 
Paired with <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=funklocker_analysis&amp;utm_term=011025&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=funklocker_analysis&amp;utm_term=011025&amp;utm_content=linktofeeds\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>, it provides actionable data on cyberattacks to improve detection and deepen your understanding of evolving threats.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=funklocker_analysis&amp;utm_term=011025&amp;utm_content=linktoenterpriseform#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Explore more of ANY.RUN\u2019s capabilities during a 14-day trial\u2192<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Further Reading and IOCs&nbsp;<\/h2>\n\n\n\n<p><strong><a href=\"https:\/\/app.any.run\/tasks\/4032b92d-c9bf-463b-a93b-dc2f95b73797\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s sandbox session<\/a><\/strong><\/p>\n\n\n\n<p><strong>FunkLocker Decrypted:<\/strong> <a href=\"https:\/\/www.gendigital.com\/blog\/insights\/research\/funksec-ai\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.gendigital.com\/blog\/insights\/research\/funksec-ai<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>SHA256<\/strong>:&nbsp;c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c&nbsp;<\/p>\n\n\n\n<p><strong>FileName<\/strong>: C:\\Users\\admin\\Desktop\\README-ZasRvdSR44.md&nbsp;<\/p>\n\n\n\n<p><strong>SHA256: <\/strong>e29d95bfb815be80075f0f8bef4fa690abcc461e31a7b3b73106bfcd5cd79033&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note:\u00a0The current article is authored by 
Mauro Eldritch, offensive security expert and threat intelligence analyst. You can\u00a0find Mauro on X.\u00a0 AI is part of our lives whether we like it or not. Even if you are not quite a fan, or not a user at all, you probably came across multiple AI-generated avatars, pictures, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16195,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34,40],"class_list":["post-16157","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>FunkLocker Analysis: AI-powered Ransomware from FunkSec APT<\/title>\n<meta name=\"description\" content=\"Discover a technical analysis of AI-based ransomware FunkLocker from the FunkSec APT that is targeting businesses worldwide.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mauro Eldritch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/\"},\"author\":{\"name\":\"Mauro Eldritch\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"FunkSec\u2019s FunkLocker: How AI Is Powering the Next Wave of Ransomware\u00a0\",\"datePublished\":\"2025-10-01T11:04:52+00:00\",\"dateModified\":\"2025-10-03T10:46:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/\"},\"wordCount\":1983,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/\",\"name\":\"FunkLocker Analysis: AI-powered Ransomware from FunkSec APT\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-10-01T11:04:52+00:00\",\"dateModified\":\"2025-10-03T10:46:32+00:00\",\"description\":\"Discover a technical analysis of AI-based ransomware FunkLocker from the FunkSec APT that is targeting businesses 
worldwide.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"FunkSec\u2019s FunkLocker: How AI Is Powering the Next Wave of Ransomware\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mauro Eldritch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"caption\":\"Mauro Eldritch\"},\"description\":\"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"FunkLocker Analysis: AI-powered Ransomware from FunkSec APT","description":"Discover a technical analysis of AI-based ransomware FunkLocker from the FunkSec APT that is targeting businesses worldwide.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/","twitter_misc":{"Written by":"Mauro Eldritch","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/"},"author":{"name":"Mauro Eldritch","@id":"https:\/\/any.run\/"},"headline":"FunkSec\u2019s FunkLocker: How AI Is Powering the Next Wave of Ransomware\u00a0","datePublished":"2025-10-01T11:04:52+00:00","dateModified":"2025-10-03T10:46:32+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/"},"wordCount":1983,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/","name":"FunkLocker Analysis: AI-powered Ransomware from FunkSec APT","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-10-01T11:04:52+00:00","dateModified":"2025-10-03T10:46:32+00:00","description":"Discover a technical analysis of AI-based ransomware FunkLocker from the FunkSec APT that is 
targeting businesses worldwide.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/funklocker-malware-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"FunkSec\u2019s FunkLocker: How AI Is Powering the Next Wave of Ransomware\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Mauro 
Eldritch","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg","caption":"Mauro Eldritch"},"description":"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/16157"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=16157"}],"version-history":[{"count":33,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/16157\/revisions"}],"predecessor-version":[{"id":16238,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/16157\/revisions\/16238"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/16195"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=16157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=16157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=16157"}],"curies":[{"name":"w
p","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}