Latest news with #StateofRansomware


Biz Bahrain
6 days ago
- Business
- Biz Bahrain
Inside FunkSec: Kaspersky explores the evolution of AI-powered ransomware with password-gated capabilities
Kaspersky experts revealed the inner workings of FunkSec — a ransomware group that illustrates the future of mass cybercrime: AI-powered, multifunctional, highly adaptive and operating on volume with ransoms as low as $10,000 to maximize profits. Kaspersky's Global Research and Analysis Team (GReAT) constantly monitors the ransomware threat landscape, where attacks continue to rise. According to the company's latest State of Ransomware report, the share of users affected by ransomware attacks worldwide increased to 0.44% from 2023 to 2024, up by 0.02 percentage points. While this percentage may appear modest compared to other cyber threats, it reflects the fact that attackers typically prioritize high-value targets rather than mass distribution, making each incident potentially devastating. Within this evolving landscape, FunkSec has emerged as a particularly concerning threat. Active for less than a year since its emergence in late 2024, FunkSec has quickly surpassed many established actors by targeting government, technology, finance and education sectors. What sets FunkSec apart is its sophisticated technical architecture and AI-assisted development. The group packages full-scale encryption and aggressive data exfiltration into a single Rust-based executable, capable of disabling over 50 processes on victim machines and equipped with self-cleanup features to evade defenses. Beyond its core ransomware functionality, FunkSec has expanded its toolkit to include a password generator and a basic DDoS tool — both showing clear signs of code synthesis using large language models (LLMs). FunkSec's approach reflects the evolving landscape of mass cybercrime, combining advanced tools and tactics. Kaspersky's GReAT experts highlight the key features that define their operations: Password-Controlled Functionality GReAT experts discovered that FunkSec ransomware features a unique password-based mechanism that controls its operation modes. Without a password, the malware performs basic file encryption, while providing a password activates a more aggressive data exfiltration process in addition to encryption to steal sensitive data. FunkSec packs full-scale encryption, local exfiltration and self-cleanup into a single Rust binary—without a side-loader or a companion script. That level of consolidation is uncommon and gives affiliates a plug-and-play tool they can deploy almost anywhere. Use of AI in development Code analysis shows that FunkSec is actively using generative artificial intelligence to create its tools. Many parts of the code seem to be automatically generated rather than manually written. Signs of this generic placeholder comments (such as 'placeholder for actual check') and technical inconsistencies, like commands for different operating systems that don't align properly. Additionally, the presence of declared but unused functions—such as modules included upfront but never utilized — reflects how large language models combine multiple code snippets without pruning redundant elements. 'More and more, we see cybercriminals leveraging AI to develop malicious tools. Generative AI lowers barriers and accelerates malware creation, enabling cybercriminals to adapt their tactics faster. By reducing the entry threshold, AI allows even less experienced attackers to quickly develop sophisticated malware at scale,' comments Marc Rivero, Lead Security Researcher at Kaspersky's GReAT. High-volume, low-ransom strategy FunkSec demands unusually low ransom payments, sometimes as little as $10,000, and pairs this with the sale of stolen data at discounted prices to third parties. This strategy appears designed to enable a high volume of attacks, helping the group quickly establish its reputation within the cybercriminal underground. Unlike traditional ransomware groups that seek million-dollar ransoms, FunkSec employs a high-frequency, low-cost model — further underscoring its use of AI to streamline and scale operations. Expands beyond ransomware FunkSec has expanded its capabilities beyond the ransomware binary. Its dark leak site (DLS) hosts additional tools, including a Python-based password generator designed to support brute-force and password-spraying attacks, as well as a basic DDoS tool. Advanced evasion FunkSec employs advanced evasion techniques to avoid detection and complicate forensic analysis. The ransomware is capable of stopping over 50 processes and services to ensure thorough encryption of targeted files. Additionally, it includes a fallback mechanism to execute certain commands even if the user launching FunkSec lacks sufficient privileges. Kaspersky's products detect this threat as HEUR: To stay protected from ransomware attacks, Kaspersky experts recommend organizations follow these best practices to safeguard from ransomware: • Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions. • Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network. • Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals' connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency. • Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework. • Use the latest Threat Intelligence information to stay aware of the actual Tactics, Techniques, and Procedures (TTPs) used by threat actors. • To protect the company against a wide range of threats, use solutions from Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organizations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements are changing.


Channel Post MEA
26-06-2025
- Business
- Channel Post MEA
Half Of UAE Companies Paying Ransom After Ransomware
Sophos has released its sixth annual State of Ransomware report , a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses. This year's survey found that nearly 50% of companies globally paid the ransom to get their data back – the second highest rate of ransom payment for ransom demands in six years. While 43% of organizations in the UAE that had data encrypted paid the ransom, 30% of them paid less than the original demand. Globally, in 71% of cases where the companies paid less, they did so through negotiation – either through their own negotiations or with help from a third party. In fact, while the median global ransom demand dropped by a third between 2024 and 2025, the median global ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimizing the impact of ransomware. Overall, the median ransom payment in the UAE was 1.33 million dollars, although the initial demand varied significantly depending on organization size and revenue. Across the globe, the median ransom demand for companies with over $1 billion in revenue was five million dollars, while organizations with $250 million revenue or less, saw median ransom demands of less than $350,000. Exploited vulnerabilities were the number one technical root cause of attacks in the UAE, while 49% of ransomware victims said adversaries took advantage of a security gap that they were not aware of – highlighting organizations' ongoing struggle to see and secure their attack surface. Overall, 54% of UAE organizations said resourcing issues were a factor in them falling victim to the attack, with one third citing a lack of expertise and 30% reporting a shortage of expertise. Additionally, the report reveals that the impact of ransomware attacks on data in the UAE remains significant. In 55% of the attacks, data was successfully encrypted, surpassing the global average (50%). In 43% of those cases, data was also stolen, much higher than the 28% global rate. Despite this, 98% of affected organizations recovered their data, with 68% using backups and 43% opting to pay the ransom, highlighting both strong recovery strategies and ongoing challenges. 'For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,' says Chester Wisniewski, director, field CISO, Sophos. 'Of course, ransomware can still be 'cured' by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We're seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.' Additional Key UAE Findings from the State of Ransomware 2025 Report: Exploited vulnerabilities were the most common technical root cause of attack, used in 42% of attacks. They are followed by malicious emails, which were the start of 23% of attacks. Compromised credentials were used in 18% of attacks Business impact of ransomware Excluding any ransom payments, the average (mean) bill incurred by organizations in the UAE to recover from a ransomware attack in the last year came in at $1.41 million, below the $1.53 million global average. This includes costs of downtime, people time, device cost, network cost, lost opportunity, etc. Organizations in the UAE recovered swiftly from ransomware attacks, with 63% fully recovered up to a week, notably above the 53% global average. 15% took between one and six months to recover, below the 18% global average. Human impact of ransomware on IT/cybersecurity teams In organizations where data was encrypted: 40% reported increased pressure from senior leaders. 37% say the team's workload has increased since the attack. 42% report increased anxiety or stress about future attacks. 18% have experienced team member absence due to stress/mental health issues. Ransomware remains a major threat to organizations in the UAE. As adversaries continue to iterate and evolve their attacks, it's essential that defenders and their cyber defenses keep pace. Sophos recommends the following best practices to help organizations defend against ransomware and other cyberattacks: Take steps to eliminate common technical and operational root causes of attacks, such as exploited vulnerabilities. Tools like Sophos Managed Risk can help companies access their risk profile and minimize their exposure. can help companies access their risk profile and minimize their exposure. Ensure all endpoints (including servers) are well-defended with dedicated anti-ransomware protection. Have an incident response plan in place and tested for when things go wrong. Have good backups and practice restoring data regularly. plan in place and tested for when things go wrong. Have good backups and practice restoring data regularly. Companies need around-the-clock monitoring and detection. If they do not have the resources in-house for this, they can work with a trusted managed detection and response (MDR) provider . Data for the State of Ransomware 2025 report comes from a vendor-agnostic survey of 3,400 IT and cybersecurity leaders in organizations that were hit by ransomware in the previous year. Organizations surveyed ranged from 100 – 5,000 employees and across 17 countries.