December 2024’s Most Wanted Malware: FunkSec Rises as a Controversial AI-Powered Ransomware Threat
Africa in the crosshairs of global malware actors, with eight countries ranking in the top 20 most attacked, amid threats from AI-powered ransomware groups as well as ongoing threats from FakeUpdates and AgentTesla
Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader of cyber security solutions, has released its Global Threat Index for December 2024, emphasising the growing sophistication of cybercriminals.
For Africa, December was hardly a season to be jolly with eight of the continent’s countries listed among the top 20 most attacked. Ethiopia retained its top spot as the most attacked country with a 98.2% Normalised Risk Index out of the 106 countries featured in the Index. Other African countries featured in the top 20 are:
Threat Index Per African Country
- Uganda at 8th place with a Normalised Risk Index of 68.2.
- Angola at 9th place with a Normalised Risk Index of 66.2.
- Ghana at 11th position with a Normalised Risk Index of 62.7.
- Nigeria at 13th position with a Normalised Risk Index of 62.3, not far behind Ghana.
- Kenya's Normalised Risk Index has increased since last month, moving from position 20 to 17 with a Normalised Risk Index of 57.6.
- Mozambique comes in at position 18 with a Normalised Risk Index of 56.9.
- In 20th position, with a higher Normalised Risk Index than last month, is Cote d'Ivoire with 55.6.
In December, the malware focus was on the rise of FunkSec, an emerging ransomware-as-a-service (RaaS) operator leveraging artificial intelligence, alongside persistent threats from malware families like FakeUpdates and AgentTesla. Data from ransomware “shame sites” reveals FunkSec as the most active group in December, responsible for 14% of all published attacks.
FunkSec’s operations have thrust it to the forefront of double-extortion ransomware groups. Publishing over 85 victims in December 2024 alone, FunkSec has surpassed its competitors in volume. However, Check Point Research (CPR) has flagged many of these claims as recycled or unverified, raising doubts about the group’s credibility. Linked to Algeria, FunkSec appears driven by financial gain and hacktivist ideologies, with its AI-assisted tactics pointing to the increasing use of advanced technologies in cybercrime.
Among the most prevalent malware threats, FakeUpdates reclaimed the top spot globally, affecting 5% of organisations worldwide, followed closely by AgentTesla (3%) and Androxgh0st (3%). FakeUpdates, also known as SocGholish, remains a versatile downloader that introduces additional malicious payloads, while AgentTesla continues to target sensitive credentials.
Maya Horowitz, VP of Research at Check Point Software, commented on the findings: “The latest trends in cybercrime underscore the importance of vigilance and innovation in cybersecurity. Organisations must leverage advanced threat prevention measures to protect themselves against the evolving landscape of sophisticated attacks.”
Top Malware Families
(In the original report, arrows next to each family indicate the change in rank compared to the previous month.)
- FakeUpdates – A JavaScript-based downloader impacting 5% of organisations globally. It introduces additional malware, enabling further compromise.
- AgentTesla – A sophisticated RAT functioning as a keylogger and information stealer, impacting 3% of organisations.
- Androxgh0st – A cross-platform botnet exploiting vulnerabilities in IoT devices and web servers, with a 3% global impact.
Top Mobile Malware
- Anubis – A banking Trojan with ransomware functionality targeting Android devices.
- Necro – A Trojan dropper installing malware and charging premium subscriptions.
- Hydra – A banking Trojan stealing credentials by exploiting dangerous permissions on Android devices.
Top Ransomware Groups
The rise of ransomware groups continues to dominate the cybersecurity landscape. Notable groups include:
- FunkSec – Leveraging AI and double-extortion tactics, FunkSec surpassed other groups with a controversial 85 victim postings.
- RansomHub – Known for its aggressive campaigns, RansomHub focuses on systems such as VMware ESXi and employs sophisticated encryption methods.
- LeakeData – A new actor operating a clear-web data leak site (DLS), LeakeData combines ransomware incidents with broader extortion activities.
For the full December 2024 Global Threat Index and additional insights, visit the Check Point Blog.