From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime

Hacktivist groups FunkSec, KillSec, and GhostSec have evolved from politically motivated cyber activism into financially driven ransomware-as-a-service (RaaS) operations, expanding their victimology and tactics. This shift reflects a broader trend of hacktivist groups adopting cybercriminal methodologies to maximize profits through double extortion and affiliate programs.

Key points

  • FunkSec, KillSec, and GhostSec transitioned from hacktivism to ransomware operations between 2023 and 2025, adopting ransomware-as-a-service business models.
  • These groups expanded their targets from government entities to various sectors including education, technology, finance, and manufacturing, across multiple countries.
  • They employ double extortion tactics: they exfiltrate data and encrypt victims’ files, then pressure victims into paying by threatening to publish the stolen data on dedicated leak sites.
  • FunkSec uses AI-generated ransomware tools like FunkLocker, enabling rapid victimization of over 170 organizations since December 2024.
  • KillSec launched multi-platform ransomware variants, including lockers for Windows and ESXi environments, and offers additional services such as penetration testing and data sales.
  • GhostSec partnered with the Stormous group and other affiliates in “The Five Families” collective, released GhostLocker ransomware and GhostStealer infostealer, before retiring from cybercrime in mid-2024.
  • The evolution reflects a growing convergence of hacktivism and cybercrime, complicating attribution and defense strategies amid increasing ransomware ecosystem sophistication.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Groups encrypt victim files to demand ransom. (“KillSecurity 2.0 and KillSecurity 3.0, are designed to encrypt files and demand ransom payments for decryption.”)
  • [T1567] Exfiltration Over Web Service – Exfiltrated victim data is leaked or sold on dedicated leak sites. (“The group operates an active dedicated leak site (DLS) to which it uploads the data of victims who refuse to pay the ransom.”)
  • [T1071.001] Application Layer Protocol: Web Protocols – Groups advertise ransomware and sell data via dark web forums and websites. (“FunkSec’s transition being referenced on a Russian-speaking dark web forum.”)
  • [T1588] Obtain Capabilities – Use of ransomware builders and MaaS tools, including AI-generated payloads. (“FunkSec… with their encryptor, FunkLocker, and some of the malware’s source code allegedly generated using generative AI tools.”)
  • [T1569] System Services: Service Execution – Use of customized ransomware builders with configurable deployment features. (“KillSec… enabling affiliates to customize ransomware configurations using a builder tool.”)
  • [T1592] Gather Victim Network Information – Data gathering services offered to affiliates to support ransom operations. (“KillSec’s services, which include penetration testing, data gathering, and its RaaS program.”)

Indicators of Compromise

  • [Darkweb Domains] FunkSec dark web DLS – funksec53xh7j5t6ysgwnaidj5vkh3aqajanplix533kwxdz3qrwugid[.]onion, funksec7vgdojepkipvhfpul3bvsxzyxn66ogp7q4pptvujxtpyjttad[.]onion
  • [Clearweb Domain] FunkSec public DLS – http://funksec[.]top
  • [SHA256 Hash] GhostSec malware samples – 8b758ccdfbfa5ff3a0b67b2063c2397531cf0f7b3d278298da76528f443779e9, c9c9f71fc4f385a4469438ef053e208065431b123e676c17b65d84b6c69ef6748 (and others)
  • [Darkweb Domain] KillSec DLS – http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id[.]onion
  • [IP Addresses] KillSec infrastructure – 82[.]147[.]84[.]98, 77[.]91[.]77[.]187
  • [Telegram Channel] KillSec communications – https://t.me/killsecc


Read more: https://blog.rapid7.com/2025/06/03/from-ideology-to-financial-gain-exploring-the-convergence-from-hacktivism-to-cybercrime/