Cybersecurity experts have released a decryptor for a ransomware strain called FunkSec, allowing victims to recover access to their files for free.
“Because the ransomware is now considered dead, we released the decryptor for public download,” Gen Digital researcher Ladislav Zezula said.
FunkSec, which emerged towards the end of 2024, has claimed 172 victims, according to data from Ransomware.live. The vast majority of targeted entities are located in the U.S., India, and Brazil, with technology, government, and education being the top three sectors attacked by the group.
An analysis of FunkSec by Check Point earlier this January found signs that the encryptor was developed with assistance from artificial intelligence (AI) tools. The group has not added any new victims to its data leak site since March 18, 2025, suggesting that the group may no longer be active.
It’s also believed that the group consisted of inexperienced hackers seeking visibility and recognition by uploading leaked datasets associated with previous hacktivism campaigns.
FunkSec was built using Rust, a fast and efficient programming language that’s now popular among newer ransomware groups. Other families, like BlackCat and Agenda, also use Rust to help their attacks run quickly and avoid detection. FunkSec relies on the orion-rs library (version 0.17.7) for encryption, using the Chacha20 and Poly1305 algorithms to lock files during its routine.
“This hash-based method ensures integrity of encryption parameters: the encryption key, n-once, block lengths, and encrypted data itself,” Zezula noted. “Files are encrypted per-blocks of 128 bytes, adding 48 bytes of extra metadata to each block, which means that encrypted files are about 37% bigger than the originals.”
Gen Digital did not disclose how it was able to develop a decryptor and if it entailed the exploitation of a cryptographic weakness that makes it possible to reverse the encryption process. The decryptor can be accessed via the No More Ransom project.
Victims looking to recover their data should first confirm that encrypted files match FunkSec’s signature, typically identified by the .funksec extension or unique metadata padding. The No More Ransom portal provides basic usage steps, but administrators are advised to back up affected files before attempting decryption in case of partial recovery or file corruption.
