The cybersecurity firm Gen Digital—formerly known as Symantec and Norton—has recently submitted the decryption key and tool for the FunkSec ransomware to an industry consortium. This development enables victims of the malware to freely decrypt all files encrypted by FunkSec, provided the data has not already been deleted.
The release of this decryption utility follows observations suggesting that the FunkSec ransomware may no longer be active. Since March 18, 2025, no new victims have been added to the ransomware’s data leak site, indicating that the group behind it may have disbanded.
Decryption tools are typically withheld so that ransomware operators cannot adapt by revoking old keys or hardening their encryption against reverse engineering. Keeping such tools confidential lets security companies quietly assist victims without alerting the attackers, and decryption can continue without researchers having to reanalyze the encryption mechanisms from scratch. That is a laborious and often infeasible task, because brute-forcing files encrypted by modern ransomware is virtually impossible.
FunkSec ransomware was written in the Rust programming language, favored in the cybercriminal world for its memory safety and high performance. Notably, other prominent ransomware families such as BlackCat and Agenda also leverage Rust for their operations.
The malware employs the orion-rs v0.17.7 cryptographic library and utilizes the ChaCha20 and Poly1305 algorithms during the encryption process. While Gen Digital has not disclosed the exact method used to create the decryption tool, such tools are generally based on the discovery of implementation flaws—rather than a direct break of the underlying cryptographic algorithms, which remain mathematically sound and resistant to brute-force attacks.
Victims can now obtain the decryption utility via the European initiative No More Ransom. Files encrypted by FunkSec bear the .funksec extension. Prior to using the tool, users must confirm that the encrypted files match FunkSec’s digital signature.
It is strongly recommended that experienced users or IT administrators back up any encrypted data before attempting decryption, as unforeseen issues during the process could potentially corrupt the existing files. The decryption tool can be downloaded here.
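One way to take that backup before running any decryptor, as an added example that is not part of the original article or of Gen Digital's tool: it copies every `.funksec` file to a separate location, verifies each copy by SHA-256, and records a manifest. The function names, the `manifest.json` file name and the command-line arguments are assumptions made for illustration.

```python
import hashlib
import json
import shutil
from pathlib import Path

EXT = ".funksec"  # extension the article says FunkSec appends to encrypted files


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large encrypted files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_encrypted(root: Path, dest: Path) -> list[dict]:
    """Copy each *.funksec file under root into dest, verify it, and write a manifest."""
    root, dest = root.resolve(), dest.resolve()
    manifest = []
    for src in sorted(root.rglob("*")):
        # Skip directories, other extensions, and files already inside the backup.
        if not src.is_file() or src.suffix.lower() != EXT or dest in src.parents:
            continue
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if target.exists():
            raise FileExistsError(f"refusing to overwrite earlier backup: {target}")
        shutil.copy2(src, target)  # copy2 also preserves timestamps
        digest = sha256_file(src)
        if sha256_file(target) != digest:
            raise IOError(f"copy of {src} does not match the original")
        manifest.append({"path": rel.as_posix(), "size": src.stat().st_size,
                         "sha256": digest})
    dest.mkdir(parents=True, exist_ok=True)
    # manifest.json (hypothetical name) lets the backup be re-checked after decryption
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    import sys
    for entry in backup_encrypted(Path(sys.argv[1]), Path(sys.argv[2])):
        print(entry["sha256"], entry["path"])
```

Point the destination at a different volume or offline medium than the affected one, and run the decryptor only against the originals so the verified copies stay untouched.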