Avast cybersecurity researchers, in cooperation with global law enforcement agencies, have announced the public release of a free FunkSec ransomware decryptor, marking a significant win in the ongoing battle against cybercrime.
The tool comes after months of investigations and technical analysis, following FunkSec’s rapid rise and eventual inactivity.
Clever Encryption Meets AI-Assisted Crime
First surfacing in early December 2024, FunkSec began its attacks with data theft and extortion, only later shifting to full-scale file encryption.
According to data from ransomware leak sites, at least 113 organizations fell victim between December 2024 and March 2025.
Security researchers were quick to note FunkSec’s unusual structure: not only did its code rely on the Rust programming language for stealth and efficiency, but parts of its criminal toolkit, such as phishing templates and hacking utilities, were crafted with the help of artificial intelligence, accounting for about 20% of operational tasks.
Technically, FunkSec deployed the Orion-rs cryptography library (version 0.17.7) and used the robust ChaCha20 cipher coupled with Poly1305 MAC for data integrity.
Encrypted files received the “.funksec” extension, and each infected directory contained a ransom note README file sporting a random name.
A unique element of FunkSec’s approach was block-wise file encryption: data was split into 128-byte chunks, each appended with 48 bytes of metadata, making encrypted files roughly 37% larger than their originals.

This aggressive encryption strategy rendered most user files inaccessible while sparing a long list of file types, including documents, media, and specific backup formats, likely to hinder system and app recovery efforts.
Before launching encryption, FunkSec disabled dozens of processes and Windows services, including browsers, security tools, and productivity applications, to maximize its reach and avoid detection.
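The block layout described above (128 data bytes plus 48 metadata bytes per block) lets a responder inventory ".funksec" files before recovery, estimate how much space backups and restored data will need, and spot files whose size cannot fit the layout. The sketch below is an added example, not Avast's decryptor code; it assumes a final short block still carries its own 48 bytes of metadata, and its function names and sample files are constructed for illustration.

```python
import os
import tempfile

CHUNK = 128            # plaintext bytes per block (figure from the article)
META = 48              # metadata bytes stored with each block (from the article)
STRIDE = CHUNK + META  # 176 bytes on disk per full block
EXT = ".funksec"

def estimate_original_size(enc_size):
    """Plaintext size implied by an encrypted size, or None if it cannot fit.

    Assumption (not stated in the article): a final short block still
    carries its own 48 bytes of metadata.
    """
    full, rest = divmod(enc_size, STRIDE)
    if rest == 0:
        return full * CHUNK
    if rest <= META:           # leftover too small to hold metadata plus data
        return None
    return full * CHUNK + (rest - META)

def triage(root):
    """Walk root and summarise .funksec files before any recovery attempt."""
    report = {"files": 0, "encrypted_bytes": 0,
              "estimated_original_bytes": 0, "suspect": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(EXT):
                continue
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            report["files"] += 1
            report["encrypted_bytes"] += size
            est = estimate_original_size(size)
            if est is None:
                report["suspect"].append(path)  # possibly truncated; review by hand
            else:
                report["estimated_original_bytes"] += est
    return report

def demo():
    """Run triage over constructed placeholder files (zero bytes, not real samples)."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in [("one.bin.funksec", 352), ("two.bin.funksec", 234),
                           ("three.bin.funksec", 200), ("notes.txt", 999)]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\0" * size)
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

Files listed under "suspect" have a size that does not match the assumed layout and are worth copying aside before any decryption attempt.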
Decryptor Brings Hope to Victims
With FunkSec’s infrastructure dismantled and operations halted, Avast’s release of a 64-bit and 32-bit decryptor offers a ray of hope to affected users.
The decryptor operates as a guided wizard, allowing users to select specific drives or folders for recovery and recommending encrypted file backups for extra safety.
The tool incorporates in-depth knowledge of FunkSec’s cryptographic details, restoring files while ensuring each block’s metadata matches the original structure. Avast recommends running the decryptor as an administrator for best results.
For inquiries and support, Avast has set up a dedicated channel at decryptors@avast.com.
Looking Forward
The release of the FunkSec decryptor highlights both the evolving sophistication of ransomware, now increasingly AI-augmented, and the importance of international cooperation in cyber defense.
While the malware itself has faded, the lessons learned will no doubt inform law enforcement and cybersecurity strategies in a new era of AI-powered threats.
IOCs
Ransomware sample
c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c
Initial source code
7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603





