AI is powering a new wave of ransomware. Learn how Avast stopped FunkSec's attack and how you can protect your files from evolving cyber threats.
Ransomware has long been one of the most feared cyber threats on the internet, and for good reason. It’s fast, disruptive, and increasingly effective at locking up your most important files and demanding payment in exchange for their return. It’s not just businesses that get hit, either. Everyday people have lost family photos, tax records, financial files and entire digital histories to these attacks.
But now, a new and unsettling twist is emerging: ransomware powered by artificial intelligence.
In a recent case discussed by Avast researchers in the latest Gen Threat Report, a ransomware gang known as FunkSec admitted to using AI to streamline parts of their criminal operation. While the ransomware itself wasn’t fully built by AI, the attackers used generative tools to assist with tasks like coding, phishing templates, and internal tooling. It’s one of the first known cases of AI playing a direct role in ransomware development – and likely not the last.
While AI helped FunkSec move faster, their malware wasn’t perfect. In fact, a small flaw in their encryption logic became their undoing.
Behind the scenes, Avast’s security experts quietly discovered the flaw – a cryptographic weakness that made it possible to decrypt the locked files without paying the ransom. Working in close coordination with international law enforcement, the team developed a custom decryption tool and discreetly helped dozens of victims recover their data. Now that the FunkSec gang has gone quiet, that tool is being made available to the public for free.
This marks the latest in a long line of free ransomware decryptors Avast has released – more than 40 over the past decade under the Avast and AVG brands. It’s a reminder that while ransomware continues to evolve, so does our ability to fight back.
How ransomware reaches you: common infection methods
Most ransomware doesn’t just appear out of nowhere – it needs a way into your system. Here are some of the most common ways it spreads to everyday consumers:
- Phishing emails: This is the #1 method. You might receive an email that looks like it’s from a trusted source – your bank, a delivery service, or even a friend – but it includes a malicious attachment or link. Clicking it can trigger a silent ransomware download.
- Malicious attachments or fake documents: Often disguised as invoices, resumes, or shipping confirmations, these files may ask you to enable macros – a built-in Microsoft Office feature that can execute code. If you say yes, the ransomware installs.
- Compromised websites or ads (malvertising): Just visiting a hacked website or clicking a malicious ad can trigger a ransomware infection if your browser or plugins are out of date.
- Software cracks and pirated downloads: Free versions of expensive software found on shady websites often come bundled with more than you bargained for – including ransomware.
- USB drives and external media: Plugging in an infected USB stick (even one you found or were given) can launch ransomware if autorun features are enabled.
- Access brokers: This happens more in a corporate environment. An access broker is a cyber-criminal who discovers a vulnerability in a company network but doesn’t abuse it directly. Instead, the access is sold to another cyber-criminal who uses the knowledge to gain access to the company network and deploys malicious software.
How to spot the signs of ransomware
Ransomware often strikes without warning, but there are red flags that can tip you off early – or help you respond quickly if you’ve been infected:
- Files won’t open or have strange extensions like .locked, .funksec, or .crypt.
- Your computer suddenly slows down, especially when trying to access documents or programs.
- Unfamiliar programs or processes appear, particularly at startup.
- You see odd pop-ups or fake system alerts, often trying to get you to enable macros or grant permissions.
- A ransom note appears, often titled README.txt, HOW_TO_DECRYPT.html, or similar.
- You’re locked out of your files or system, with a message demanding payment in cryptocurrency.
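The file-based signs above can be checked with a short script. The following is an added example, not Avast's code or part of the decryptor: it walks a folder tree and grades each directory by whether the extensions and ransom-note names listed above appear together, since a README.txt on its own is common and usually harmless. The function names, the severity labels and the sample folder layout are assumptions made for the illustration.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the list above; real incidents may use other names.
SUSPECT_EXTENSIONS = {".locked", ".funksec", ".crypt"}
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.html"}


def triage(root):
    """Walk root and return {directory: {"renamed", "notes", "level"}}."""
    findings = defaultdict(lambda: {"renamed": [], "notes": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPECT_EXTENSIONS:
                findings[dirpath]["renamed"].append(name)
            elif name.lower() in RANSOM_NOTE_NAMES:
                findings[dirpath]["notes"].append(name)
    report = {}
    for dirpath, hit in findings.items():
        if hit["renamed"] and hit["notes"]:
            level = "high"    # renamed files next to a note: strong signal
        elif hit["renamed"]:
            level = "medium"  # suspicious extensions only
        else:
            level = "low"     # a note-like file name alone is weak evidence
        report[dirpath] = {**hit, "level": level}
    return report


def build_sample_tree(root):
    """Create a constructed sample layout (empty files) for the demo."""
    layout = {
        "photos": ["beach.jpg.funksec", "cat.png.funksec", "README.txt"],
        "project": ["README.txt", "main.py"],
        "taxes": ["2023.pdf.locked"],
        "music": ["song.mp3"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, hit in sorted(triage(tmp).items()):
            print(hit["level"], os.path.relpath(path, tmp), hit["renamed"] + hit["notes"])
```

A directory graded "high" is a reason to disconnect the machine from the network and from backup drives before doing anything else, so that intact copies are not overwritten.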
How to stay protected
While no defense is 100% foolproof, there are several ways to reduce your risk of falling victim to ransomware:
- Back up your files regularly. Use a secure cloud service or an offline storage device.
- Install reputable security software. Avast offers dedicated ransomware protection that blocks threats in real time.
- Think before you click. Avoid downloading attachments or clicking links from unknown or suspicious emails.
- Keep your software up to date. Ransomware often exploits vulnerabilities in outdated systems.
- Don’t enable macros from unknown sources. Many ransomware strains rely on users turning this feature on.
A new chapter in the ransomware fight
AI is already changing the cybersecurity landscape. It’s making attacks faster to build and easier to launch – even for criminals with limited technical skills. But that same technology, combined with the expertise of global threat researchers, is also being used to create smarter, faster defenses.
At Avast, we believe no one should have to pay to get their digital life back. That’s why we continue to invest in free tools and public resources to help ransomware victims recover safely – and why we’ll keep innovating as the threat evolves.
Ransomware may be getting smarter. But so are we.