Funksec is a ransomware operator that is no longer publishing new disclosures. Darkfield has indexed 172 public victims claimed by this operator between December 4, 2024 and March 18, 2025.

Funksec is a recently emerged ransomware group first observed in December 2024. Its targeting patterns and victim acquisition approach point to apparent financial motivation. The group's origin and potential state affiliations remain unclear due to its recent emergence, though based on available intelligence it appears to operate independently rather than under a Ransomware-as-a-Service model.

With 172 documented victims across multiple countries, Funksec has demonstrated a broad targeting approach, primarily focusing on the United States, India, Brazil, Spain, and Israel, with particular emphasis on technology companies, government entities, educational institutions, and business services organizations. The group's attack methodology, encryption techniques, and specific tactics, techniques, and procedures remain largely undocumented by major threat intelligence firms, though its rapid victim acquisition suggests an established operational capability.

Given the group's recent discovery in December 2024, there have been no widely reported major campaigns or high-profile incidents that have drawn significant public attention from law enforcement or cybersecurity organizations. Funksec remains active as of early 2025, continuing to target organizations across its established geographic and sectoral preferences.

How we know this.

Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.