FunkSec Ransomware Victims Get a Break Decryptor Released as Group Fades
Victims of the FunkSec ransomware can now breathe a sigh of relief. With the cybercriminal group seemingly gone silent, a free decryptor has been released, potentially unlocking files held hostage by the malicious software.
Cybersecurity experts have just released a free decryptor, meaning you can potentially get your files back without paying a ransom.
According to Gen Digital researcher Ladislav Zezula, "Because the ransomware is now considered dead, we released the decryptor for public download." You can read more about their research here.
So, what exactly *is* FunkSec? This ransomware, which surfaced in late 2024, reportedly hit 172 victims. Data suggests the U.S., India, and Brazil were the hardest hit, with technology, government, and education sectors being prime targets.
Earlier this year, Check Point researchers suggested that FunkSec might have been developed with the help of AI. Interestingly, the group hasn't added any new victims to their leak site since March 18, 2025, leading some to believe they've gone quiet.
Rumor has it that FunkSec was the work of relatively inexperienced hackers looking for their 15 minutes of fame by leaking data from old hacktivism campaigns.
Under the hood, FunkSec used Rust, a popular and speedy programming language favored by newer ransomware gangs. BlackCat and Agenda are other ransomware families that use Rust to make their attacks faster and harder to detect. FunkSec used the orion-rs library (version 0.17.7) for encryption, employing Chacha20 and Poly1305 algorithms to lock up your precious files.
Zezula explained that FunkSec uses a "hash-based method" to ensure the encryption parameters' integrity. This includes the encryption key, nonce, block lengths, and the encrypted data itself. He also noted that files are encrypted in 128-byte blocks, adding an extra 48 bytes of metadata to each block, resulting in encrypted files being about 37% larger than the originals.
Gen Digital hasn't revealed exactly *how* they cracked the encryption, but you can access the decryptor through the No More Ransom project.
Before you jump in and try to recover your data, make sure your encrypted files actually match FunkSec's signature. This usually means looking for the ".funksec" extension or the unique metadata padding. The No More Ransom portal provides basic instructions, but remember to back up your affected files *before* attempting decryption. That way, even if something goes wrong, you won't lose everything!
