{
  "name": "Analysis: AI-powered Ransomware from APT Group",
  "slug": "analysis-ai-powered-ransomware-from-apt-group",
  "description": "FunkLocker, a ransomware strain developed by the FunkSec APT group, showcases the growing trend of AI-assisted malware creation. The ransomware exhibits inconsistent quality across multiple builds, with some versions incorporating advanced features like anti-VM checks. It aggressively disrupts system processes, abuses legitimate Windows utilities, and encrypts files locally without contacting a command-and-control server. FunkSec's operational security is weak, allowing researchers to develop a public decryptor. The group has compromised over 120 organizations worldwide, targeting sectors such as government, defense, technology, finance, and education. FunkLocker's behavior maps to several MITRE ATT&CK techniques, including process termination, service stoppage, and inhibiting system recovery.",
  "published": "2025-10-02T05:43:35+00:00",
  "created_at": "2025-10-02T05:43:35+00:00",
  "modified_at": "2025-10-02T06:15:03+00:00",
  "created_at_opencti": "2025-10-02T05:43:35+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-02",
    "ai-assisted",
    "encryption",
    "funklocker",
    "powershell",
    "process-disruption",
    "ransomware",
    "system-abuse"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "e29d95bfb815be80075f0f8bef4fa690abcc461e31a7b3b73106bfcd5cd79033"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:c4504ed1236e8c19",
        "name": "FunkLocker",
        "slug": "funklocker"
      }
    ],
    "intrusion_sets": [
      {
        "id": "16730588-ebbd-4bf8-80fc-a5cbb85f487d",
        "name": "FunkSec",
        "slug": "funksec"
      }
    ],
    "attack_patterns": [
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5",
        "name": "T1135"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Mongolia"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Spain"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://any.run/cybersecurity-blog/funklocker-malware-analysis/",
    "https://otx.alienvault.com/pulse/68de2d27cb8854b0aa46a976"
  ]
}