Breach Monitoring News Feed

Funksec, a double extortion ransomware group, emerged in late 2024 and quickly gained notoriety by breaching databases and selling access to 15 government websites within just a month. Claiming to be entirely self-taught and operating without collaboration from other groups, Funksec is a four-member team driven primarily by financial motives. The group leverages AI for specific tasks, such as creating tools and phishing templates, though they emphasize that AI contributes to only about 20% of their operations. Notably, they have developed their own proprietary AI tool, WormGPT, a desktop application built entirely in-house. To enhance their phishing campaigns, Funksec uses premium services like PhishingBox to create customized phishing templates, adding another layer of precision and sophistication to their methods. After the interview, during some casual chit-chat, it came to light that the owner of Funksec was also behind an underground forum called DarkZone, which had been built in collaboration with GhostSec in the past. https://osint10x.com/threat-actor-interview-spotlighting-on-funksec-ransomware-group/

GandCrab was a prolific Ransomware-as-a-Service (RaaS) operation active from January 2018 to mid-2019. It quickly became one of the most widespread ransomware families due to its affiliate-based distribution model, where operators provided the ransomware to partners in exchange for a revenue share (reportedly 30–40%). GandCrab used a double-extortion approach in later stages, encrypting files with a combination of Salsa20 and RSA-2048 algorithms and appending extensions that varied by version (e.g., .GDCB, .KRAB, .CRAB). Initial access vectors included phishing emails with malicious attachments, exploit kits (notably RIG and GrandSoft), and remote desktop protocol (RDP) attacks. GandCrab’s operators claimed to have earned over $150 million before publicly announcing their retirement in June 2019, after which decryption keys for all versions were released.

Our team members are from different countries and we are not interested in anything else, we are only interested in dollars. We do not allow CIS, Cuba, North Korea and China to be targeted. Re-attacks are not allowed for target companies that have already made payments. We do not allow non-profit hospitals and some non-profit organizations be targeted.

Financial interests only. We do not provide or work with affiliate programs, no collaborations either. The requested payment must be made within a specified time frame, otherwise the price may be increased, we will begin to publish the data we have about your company and notify the company's customers and suppliers. Charitable, non-profit, and medical institutions are only hacked if they have reputation gaps known from open sources or discovered in company data. However, this is only data extraction; live support systems are not affected. Data is always destroyed after payment; we do not attack the same company twice. Interesting fact: once, the total amount of claims against a breached company exceeded its entire capitalization. We know how to create trouble, though it is in our mutual interest to avoid it. To make the data leak more valuable, the most important information is published in a separate folder for each company called “parsed” and is also published on darkweb forums.

aka Cring / Ghost (Cring) Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses. Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a

Now a RaaS by BlackLock ($$$). Global Group is a newly emerged Ransomware-as-a-Service (RaaS) platform that debuted in June 2025 on the Ramp4u cybercrime forum. Marketed as a successor to the Mamona and BlackLock ransomware families, it leverages a Golang-based, cross-platform payload that supports execution on Windows, macOS, and Linux. This group stands out by incorporating AI-driven chatbots to manage victim negotiations, promoting scalability and efficiency—even for affiliates lacking language skills. Within its first weeks of operation, Global Group claimed numerous victims across industries such as healthcare, automotive services, and facilities management, located in the U.S., U.K., Australia, and Brazil.

Globe is a ransomware family that first appeared in August 2016, notable for its highly customizable codebase that allows operators to configure ransom note text, encryption algorithms, and file extensions. Globe uses symmetric encryption (RC4 or AES) to lock files and typically appends custom extensions such as .GLOBE, .PURPLE, .HNY, or others set by the attacker. The malware is distributed through malicious spam emails with infected attachments, compromised websites, and exploit kits. Globe’s flexibility made it attractive to low-skilled actors, resulting in many different variants in the wild. The family has primarily targeted small to medium-sized businesses and individual users across multiple regions, with no clear geographic focus.

GlobeImposter is a ransomware family that first appeared in mid-2017, designed to mimic the appearance and naming conventions of the earlier Globe ransomware but built on entirely different code. It uses strong encryption algorithms, typically AES combined with RSA, and appends a variety of file extensions to encrypted data—such as .crypt, .doc, .png, .jpg, .spreadsheet, and many more—depending on the campaign. GlobeImposter is primarily distributed via malicious spam campaigns with infected attachments, compromised RDP services, and exploit kits. It drops a ransom note (often named how_to_back_files.html or similar) instructing victims to contact the attackers via email. Over the years, GlobeImposter has spawned hundreds of variants, making it one of the more persistent commodity ransomware threats targeting small businesses and individuals globally.