Funksec Ransomware Decryptor Released for Free After the Group Went Dormant


Cybersecurity experts have released a decryptor for a ransomware strain called Funksec, allowing victims to recover access to their files for free.

“The ransomware is now considered dead, so we released a decryptor for publication,” said Gen Digital researcher Ladislav Zezula.

According to data from Ransomware.live, Funksec, which emerged towards the end of 2024, has claimed 172 victims. The majority of targeted entities are in the US, India and Brazil, with technology, government and education being the top three sectors attacked by the group.

An analysis by Check Point at the beginning of January this year found that the encryptor was developed with the support of artificial intelligence (AI) tools. The group has not added new victims to its data leak site since March 18, 2025, suggesting that it is no longer active.

It is also believed that the group consisted of inexperienced hackers seeking visibility and recognition by uploading leaked datasets related to previous hacktivism campaigns.

Funksec was built using Rust, a fast and efficient programming language popular among new ransomware groups. Other families like BlackCat and Agenda also use Rust to execute attacks quickly and avoid detection. Funksec relies on the Orion-RS library (version 0.17.7) for encryption, using the ChaCha20 and Poly1305 algorithms to lock files.

“This hash-based method ensures the integrity of the encryption key, nonce, block length, and encryption parameters of the encrypted data itself,” Zezula said. “The file is encrypted in 128-byte blocks, adding 48 bytes of additional metadata to each block, meaning that the encrypted file is about 37% larger than the original.”


Gen Digital did not reveal how the decryptor was developed or whether it involved exploiting a weakness in the encryption that allows the process to be reversed. The decryptor is accessible via the No More Ransom project.

Victims considering data recovery should first confirm that their encrypted files match the Funksec signature. The No More Ransom portal provides basic usage instructions, but administrators recommend backing up affected files before attempting decryption, in case of partial recovery or file corruption.
