The FunkSec ransomware group uses advanced evasion techniques to hide its presence, disable security measures, and encrypt various file types. It capitalizes on phishing attacks to infiltrate systems, employing PowerShell for execution. The group has been associated with a significant number of ransomware incidents globally, particularly affecting sectors like Manufacturing and Retail. Affected: Ransomware victims, Manufacturing, Retail, Business Services, Transportation, IT and Telecommunications, Healthcare, Education, Finance, Real Estate, Law Firms
Keypoints :
- The FunkSec ransomware group employs advanced evasion techniques.
- It hides in the Windows Recycle Bin to avoid detection.
- The group disables Windows Defender and bypasses execution policies using PowerShell.
- Malware is connected to phishing campaigns with fake login portals.
- Files encrypted by the ransomware receive a .funksec extension.
- Notable ransomware victims include various sectors such as Manufacturing and Retail.
MITRE Techniques :
- Initial Access (T1566.001) – Phishing with malicious attachments that are disguised as legitimate files.
- Initial Access (T1189) – Malicious downloads through fake software installers and phishing links.
- Execution (T1059.001) – Execution via PowerShell to manipulate system settings and run payloads.
- Execution (T1548.002) – PowerShell execution policy bypass to permit unrestricted script execution.
- Persistence & Evasion (T1564.001) – Hiding in Recycle Bin by creating hidden files.
- Persistence & Evasion (T1562.001) – Disabling Windows Defender using PowerShell.
Indicator of Compromise :
- [MD5] e099255ea4aa8eb41e26e5d94737fc26
- [SHA1] 2c13d842e788e6c981b2fae65834b1220d55f5a8
- [SHA256] 89b9f7499d59d0d308f5ad02cd6fddd55b368190c37f6c5413c4cfcd343eeff3
- [Malicious Filename] setup-avast-premium-x64.exe
- [IP] 199.232.192.193
Full Story: https://redpiranha.net/news/threat-intelligence-report-february-11-february-17-2025