Sorbonne University in Paris claimed by AI-powered Funksec ransomware


The Funksec ransomware group – known for deploying what some insiders say is the first GenAI-created ransomware strain – has claimed the historic Sorbonne University in Paris.

The group posted the prestigious university on its dark leak site sometime on Friday, claiming to have exfiltrated 20GB of files from its servers.

Although Funksec has not listed a sale price for the university’s “stolen” data, the group has given school officials roughly 12 days to pay an undisclosed ransom demand.


“20GB of data plans and reports and crenditals [sic] etc, you know what is crazy thing , search about your name on victim device,” the group posted in broken English.

Funksec leak site. Image by Cybernews.

Established in 1257 and dating back to the Middle Ages, the publicly funded Sorbonne University lists a population of 55,000 students, 7,300 academic and partner researchers, and 3,900 administrative and technical staff.

Funksec has not listed the type of data it has allegedly taken from the university. Cybernews has reached out to Sorbonne and is waiting for a response.

The group’s post is accompanied by a screenshot of what appears to be Funksec remotely using one of the school’s computer devices to search for their own name on a Mozilla search browser.

The only other proof sample provided by the gang looks to be some sort of geometric schematic “file example.” The session window appears to also contain a Web client address labeled Citrix, which makes one wonder if they exploited the unpatched infamous Citrix bug to gain access to the University’s systems.

Funksec leak site. Image by Cybernews.

It's also not the first time Sorbonne University has been the victim of a major hacking incident. In October 2024, a hacker was able to extract the “non-confidential data” of 73,000 students and staff from the university’s public directory, posting the information on a criminal forum.


Who is Funksec?

The fledgling ransomware group, which has only been publicly on the ransomware scene since November 2024, appears to be stepping up the number of attacks since its inception, according to a Bitdefender threat profile on the group from earlier this week.

What makes this ransomware-as-a-service (RaaS) gang so unique is its use of Generative AI to create its ransomware variants, the first known ransomware cartel to do so.

"FunkSec uses GenAI to create their ransomware code; the primary purpose of the ransomware is to perform encryption. It also modifies system settings and conducts system reconnaissance and defense evasion activities," Bitdefender said.

Known to target mostly victims in the government and defense, technology, finance, and education sectors notably in the US, India, Spain, and Mongolia, security researchers say the group's use of AI-developed ransomware leads to the belief that it is comprised of mostly inexperienced hackers.

In the last 12 months, the group was charted by Cybernews for claiming roughly 160 victims.

The Cybernews Ransomlooker tool shows Funksec was responsible for nearly 19% of all ransomware attacks last month.

Furthermore, malware that leverages AI technology in some way during its development or functionality is not necessarily developed entirely using AI.

The group is listed as one of the top five active ransomware groups in the last four weeks (tied with KillSec), carrying out 31 reported ransomware attacks, or 18.79 percent of all attacks, according to the most recent numbers compiled by the Cybernews Ransomlooker tool.


Cybernews also noted when visiting Funksec's dark leak page that the group has been quite busy establishing an entire Funksec eco-system for its affiliates and other like-minded cybercriminals. The site now boasts its own FunkBid auction site, a marketplace and discussion forum similar to BreachForums complete with badges to rate members, support and private messaging sections, and even its own premium VIP section for "distinguished members."

"We are work to make this marketplace auctions the best in Tor network , safe from exit scam etc , you will find everything here , databases , access , malwares , companys data for sell in auctions , this website managed by funksec ransomware group , you will find our websites in bottom page social media , enjoy with us," the group states on the recently revamped leak site.