Detecting and responding to Funklocker ransomware with Wazuh

Wazuh 4.14.1

Funklocker ransomware is a recently observed threat attributed to the FunkSec group, primarily targeting Windows environments. It is known for using AI-assisted code generation to produce new variants, which makes traditional signature-based defenses less effective.

Funklocker ransomware uses living-off-the-land (LOTL) techniques by blending malicious activity with legitimate system functions to evade detection. This includes running PowerShell, taskkill, and sc commands to disable security tools, stop services, and remove recovery options. 

In this post, we demonstrate how Wazuh detects and responds to Funklocker ransomware activity on Windows endpoints using its ruleset engine, File Integrity Monitoring (FIM), and Active Response capabilities.

Funklocker ransomware behavior

The Funklocker ransomware executes a series of malicious actions designed to maximize disruption and hinder recovery of infected Windows endpoints. Some of these behaviors include:

  • Disables the Windows Security event log:
"powershell" -Command "wevtutil sl Security /e:false"
  • Disables Windows Defender Real-time Protection:
"powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  • Disables the Windows Application event log:
"powershell" -Command "wevtutil sl Application /e:false"
  • Bypasses PowerShell’s execution policy to run unrestricted scripts:
"powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
  • Terminates multiple processes using taskkill.
  • Stops multiple services with sc.
  • Deletes all Volume Shadow Copy Service (VSS) snapshots:
"vssadmin" "delete shadows" /all /quiet
  • Encrypts files on the compromised endpoint and appends the extension .funksec to all encrypted files.

Analyzed samples

Hash (SHA256)
c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c
00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c

Infrastructure

We use the following infrastructure to demonstrate how to detect and respond to Funklocker ransomware with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.14.1, which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 11 endpoint with the Wazuh agent 4.14.1 installed and enrolled in the Wazuh server. This endpoint is monitored for ransomware activity.

Detection with Wazuh

Configuration

We use Sysmon to monitor several system events and create custom detection rules on the Wazuh server to detect the malicious behavior of Funklocker ransomware.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture logs with Sysmon and send them to the Wazuh server for analysis.

  1. Download Sysmon from the Microsoft Sysinternals page.
  2. Extract the compressed Sysmon file to your preferred directory. 
  3. Download the Sysmon configuration file sysmonconfig.xml using PowerShell as an administrator. Replace <SYSMON_EXECUTABLE_PATH> with the directory path to your Sysmon executable.
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
  4. Switch to the folder with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
  5. Add the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file within the <ossec_config> block to capture and forward Sysmon event logs to the Wazuh server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
  6. Restart the Wazuh agent to apply the configuration changes:
> Restart-Service -Name wazuh

Wazuh dashboard

Create custom rules to detect Funklocker ransomware activities on the monitored Windows endpoint. Perform the steps below to add rules to the Wazuh server for analysis.

  1. Navigate to Server management > Rules.
  2. Click + Add new rules file.
  3. Copy and paste the rules below and name the file funklocker_rules.xml, then click Save.
<group name="funklocker,ransomware,malware,">
  <!-- Windows Defender Real-time Protection disabled-->
  <rule id="101001" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">\.exe|\.bin|\.ps1|\.vbs|\.dll|\.js</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)Set-MpPreference\s+-DisableRealtimeMonitoring</field>
    <description>Possible malware infection: Windows Defender disabled via PowerShell.</description>
    <mitre>
      <id>T1562.001</id>
    </mitre>
  </rule>

  <!-- Windows Security event log disabled -->
  <rule id="101002" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">\.exe|\.bin|\.ps1|\.vbs|\.dll|\.js</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)wevtutil\s+sl\s+Security</field>
    <description>Possible malware infection: Windows Security event log disabled.</description>
    <mitre>
      <id>T1070.001</id>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <!-- Windows Application event log disabled -->
  <rule id="101003" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">\.exe|\.bin|\.ps1|\.vbs|\.dll|\.js</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)wevtutil\s+sl\s+Application</field>
    <description>Possible malware infection: Windows Application event log disabled.</description>
    <mitre>
      <id>T1070.001</id>
    </mitre>
  </rule>

  <!-- PowerShell execution policy bypass -->
  <rule id="101004" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">\.exe|\.bin|\.ps1|\.vbs|\.dll|\.js</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)Set-ExecutionPolicy</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)Bypass</field>
    <description>Possible malware infection: PowerShell execution policy set to bypass.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <!-- Detect process termination by taskkill -->
  <rule id="102005" level="2">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">\.exe|\.bin|\.ps1|\.vbs|\.dll|\.js</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)taskkill</field>
    <field name="win.eventdata.commandLine" type="pcre2">\/F\s+\/IM</field>
    <description>Process terminated using taskkill. Command: $(win.eventdata.commandLine). Suspicious activity.</description>
    <mitre>
      <id>T1489</id>
    </mitre>
  </rule>
  
  <!-- Detect multiple process termination by taskkill -->
  <rule id="101005" level="15" frequency="10" timeframe="300">
    <if_matched_sid>102005</if_matched_sid>
    <description>Possible Funklocker ransomware activity: Multiple processes terminated with taskkill.</description>
    <mitre>
      <id>T1489</id>
    </mitre>
  </rule>

  <!-- Detect stopping of Windows services using sc.exe -->
  <rule id="102006" level="2">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">\.exe|\.bin|\.ps1|\.vbs|\.dll|\.js</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)\bsc(\.exe)?\b</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)\bstop\b</field>
    <description>Service stopped with sc.exe. Command: $(win.eventdata.commandLine). Suspicious activity.</description>
    <mitre>
      <id>T1489</id>
      <id>T1543.003</id>
    </mitre>
  </rule>
  
  <!-- Detect multiple service stops using sc.exe -->
  <rule id="101006" level="15" frequency="10" timeframe="300">
    <if_matched_sid>102006</if_matched_sid>
    <description>Possible Funklocker ransomware activity: Multiple services stopped with sc utility.</description>
    <mitre>
      <id>T1489</id>
    </mitre>
  </rule>

  <!-- Detect VSS deletion (removal of shadow copies) -->
  <rule id="101007" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">\.exe|\.bin|\.ps1|\.vbs|\.dll|\.js</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)vssadmin</field>
    <field name="win.eventdata.commandLine" type="pcre2">delete\s+shadows</field>
    <description>Volume Shadow Copy Service backups deleted. Possible Funklocker ransomware activity.</description>
    <mitre>
      <id>T1490</id>
    </mitre>
  </rule>
  
  <!-- Detect creation of encrypted files with .funksec extension -->
  <rule id="101008" level="15">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe|\.bin|\.ps1|\.vbs|\.dll|\.js</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\.funksec$</field>
    <description>Possible Funklocker ransomware: Encrypted file detected with .funksec extension - $(win.eventdata.targetFilename).</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>
</group>

Where:

  • Rule ID 101001 is triggered when an executable uses PowerShell to disable Windows Defender Real-time protection.
  • Rule ID 101002 is triggered when an executable uses PowerShell to disable the Windows Security event log.
  • Rule ID 101003 is triggered when an executable uses PowerShell to disable the Windows Application event log.
  • Rule ID 101004 is triggered when an executable uses PowerShell to set the execution policy to Bypass.
  • Rule ID 102005 is triggered when an executable terminates a process using the taskkill command.
  • Rule ID 101005 is triggered when an executable terminates multiple processes with taskkill within a 5-minute timeframe.
  • Rule ID 102006 is triggered when an executable stops a Windows service using the sc utility.
  • Rule ID 101006 is triggered when an executable stops multiple Windows services using the sc utility within a 5-minute timeframe.
  • Rule ID 101007 is triggered when an executable deletes Volume Shadow Copy Service (VSS) backups using vssadmin.
  • Rule ID 101008 is triggered when an executable creates files with the .funksec extension.
  4. Click Reload when prompted to apply the changes.
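
To check how these rules behave before loading them on the manager, here is an added Python example (not code from the original post or the Wazuh ruleset) that applies the same field patterns to constructed Sysmon Event ID 1 records and models the frequency/timeframe correlation behind rules 101005 and 101006. The sample path, process and service names are hypothetical, and the sc pattern is the word-boundary form.

```python
import re
from collections import defaultdict

# Field patterns taken from funklocker_rules.xml (pcre2 syntax that Python's re also accepts).
# Each entry: (rule_id, level, [(event field, pattern), ...]); all are children of Wazuh rule
# 61603 (Sysmon Event ID 1, process creation). The sc pattern is the word-boundary form.
PROCESS_RULES = [
    ("101001", 12, [("commandLine", r"(?i)Set-MpPreference\s+-DisableRealtimeMonitoring")]),
    ("101002", 12, [("commandLine", r"(?i)wevtutil\s+sl\s+Security")]),
    ("101003", 12, [("commandLine", r"(?i)wevtutil\s+sl\s+Application")]),
    ("101004", 12, [("commandLine", r"(?i)Set-ExecutionPolicy"), ("commandLine", r"(?i)Bypass")]),
    ("102005", 2, [("commandLine", r"(?i)taskkill"), ("commandLine", r"\/F\s+\/IM")]),
    ("102006", 2, [("commandLine", r"(?i)\bsc(\.exe)?\b"), ("commandLine", r"(?i)\bstop\b")]),
    ("101007", 15, [("commandLine", r"(?i)vssadmin"), ("commandLine", r"delete\s+shadows")]),
]
PARENT_IMAGE = r"\.exe|\.bin|\.ps1|\.vbs|\.dll|\.js"
# if_matched_sid rules: parent sid -> (composite sid, frequency, timeframe in seconds).
CORRELATION = {"102005": ("101005", 10, 300), "102006": ("101006", 10, 300)}


def evaluate(events):
    """Return [(timestamp, rule_id, level), ...] for a time-ordered list of Sysmon Event 1 records.

    Simplified model of the Wazuh analysis engine: one rule per event (first match wins) and a
    composite rule that fires once `frequency` matches of its parent fall inside `timeframe`.
    Wazuh's exact frequency counting differs slightly; see its rules documentation.
    """
    alerts, history = [], defaultdict(list)
    for ev in events:
        if not re.search(PARENT_IMAGE, ev["parentImage"]):
            continue
        for rule_id, level, conds in PROCESS_RULES:
            if not all(re.search(pat, ev[field]) for field, pat in conds):
                continue
            alerts.append((ev["t"], rule_id, level))
            if rule_id in CORRELATION:
                composite, frequency, timeframe = CORRELATION[rule_id]
                window = [t for t in history[rule_id] if ev["t"] - t <= timeframe] + [ev["t"]]
                history[rule_id] = window
                if len(window) >= frequency:
                    alerts.append((ev["t"], composite, 15))
                    history[rule_id] = []  # counter restarts after the composite rule fires
            break
    return alerts


def sample_events():
    """Constructed Sysmon Event ID 1 records (not real telemetry) mirroring the behaviour list."""
    locker = r"C:\Users\victim\Downloads\sample.exe"  # hypothetical path of the dropped sample
    events = [
        {"t": 0, "parentImage": locker,
         "commandLine": '"powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
        {"t": 1, "parentImage": locker,
         "commandLine": '"powershell" -Command "wevtutil sl Security /e:false"'},
        {"t": 2, "parentImage": locker,
         "commandLine": '"vssadmin" "delete shadows" /all /quiet'},
        # Benign line: "sc" and "stop" appear only as substrings, so the word-boundary
        # sc pattern must not fire on it.
        {"t": 3, "parentImage": r"C:\Windows\explorer.exe",
         "commandLine": '"wscript.exe" C:\\tools\\stopwatch.vbs'},
    ]
    # Ten taskkill invocations in 10 seconds: each raises 102005, the tenth also raises 101005.
    events += [{"t": 4 + i, "parentImage": locker,
                "commandLine": f'"taskkill" /F /IM app{i}.exe'} for i in range(10)]
    # A single sc stop raises 102006 but not the frequency rule 101006.
    events.append({"t": 20, "parentImage": locker, "commandLine": '"sc" stop ExampleSvc'})
    return events


if __name__ == "__main__":
    for t, rule_id, level in evaluate(sample_events()):
        print(f"t={t:>3}s  rule {rule_id}  level {level}")
```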

Detection results

The following alerts are generated on the Wazuh dashboard when Funklocker ransomware executes on a Windows endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.

  1. Navigate to Agents management > Summary and select the monitored Windows agent.
  2. Click on Threat Hunting and select the Events tab.
  3. Click + Add filter. Then filter for rule.groups in the Field field. Select is in the Operator field. 
  4. Add the filter funklocker in the Values field.
  5. Click Save.
Figure 1 – Detection alerts generated on the Wazuh dashboard

Removing malicious files with YARA integration

An effective endpoint defense requires early identification and elimination of malicious files before they can cause harm. The Wazuh File Integrity Monitoring (FIM) capability continuously monitors specified directories or files to detect additions, modifications, or deletions and alerts in real time. By combining Wazuh with detection tools such as YARA, organizations can accelerate the detection and remediation of threats.

This section outlines how to configure the Wazuh FIM module to monitor a target directory and notify when files are created or altered. Upon such an event, the Wazuh Active Response module automatically invokes YARA to examine the file for signatures of known malware. If a match is found against the existing YARA rules, the identified file is deleted, reducing the risk before malicious code can execute.

Windows endpoint

Perform the steps below to configure the monitored endpoint.

  1. Install the following prerequisites:

Note

Run PowerShell as an Administrator.

  2. Download the zipped YARA file:
> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.5/yara-4.5.5-2368-win64.zip -OutFile yara-v4.5.5-win64.zip
  3. Extract the downloaded zipped YARA file:
> Expand-Archive yara-v4.5.5-win64.zip
  4. Create a folder C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\yara-v4.5.5-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
  5. Use the pip utility to install valhallaAPI. This API retrieves the public signature-based YARA ruleset:
> pip install valhallaAPI
  6. Create a file download_yara_rules.py, and paste the below script into it:
from valhallaAPI.valhalla import ValhallaAPI

# API key as given in the post; it retrieves the public signature-based ruleset
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()

# Save the ruleset locally so it can be copied into the agent's YARA rules folder
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)
  7. Run the download_yara_rules.py script file to download YARA rules:
> python download_yara_rules.py
  8. Create a folder C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules and copy the rules into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
  9. Edit the downloaded YARA rule file C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar and add the following Funklocker ransomware rule:
rule funklocker_ransomware {
   meta:
      description = "Detects Funklocker ransomware or similar variants"
      author = "Oluwaseyi Soneye"
      reference = "Strings output analysis"
      date = "2025-11-10"

   strings:
      // Ransomware commands
      $x1 = "Set-MpPreference -DisableRealtimeMonitoring" nocase
      $x2 = "wevtutil sl Security /e:false" nocase
      $x3 = "wevtutil sl Application /e:false" nocase
      $x4 = "Set-ExecutionPolicy Bypass -Scope Process" nocase
      $x5 = "Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falseSet-ExecutionPolicy" nocase
      $x6 = "vssadmindelete shadows/all/quiet" nocase
      $x7 = "taskkill/F/IM" nocase
      // Ransomware artifacts
      $x8 = "RansomwarePassword123" nocase
      $x9 = "device has been successfully infiltrated by funksec ransomware!" nocase
      $x10 = "funksec" nocase
   condition:
      uint16(0) == 0x5a4d and
        (
                (5 of ($x1, $x2, $x3, $x4, $x5, $x6, $x7)) or
                (2 of ($x8, $x9, $x10))
        )
}
  10. Monitor the Downloads folder of all users in real-time by adding the below configuration within the <syscheck> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:
<directories realtime="yes">C:\Users\*\Downloads</directories>

Note

We only monitored the Downloads folder of all users in this blog post. You can configure other folders you wish to monitor.

  11. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the below script into it. The Wazuh Active Response module runs this script to perform YARA scans for malware detection and removal:

Note

This script is a proof of concept (PoC). Review and validate it to ensure it meets the operational and security requirements of your environment.

:: This script deletes Funklocker ransomware executable and other malicious files matched by the YARA Rules

@echo off
setlocal enableDelayedExpansion
:: Pick the agent install path from the CPU architecture (32-bit agent under %programfiles%, 64-bit under %programfiles(x86)%)
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT
if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)
:: The alert JSON arrives on stdin; read it and keep a copy in stdin.txt for parsing
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%
:: Extract the path of the file that triggered the FIM alert
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%
:: yara64.exe prints one "<rule> <path>" line per matching rule and nothing otherwise, so the loop body only runs on a match
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    rem Deleting the scanned file (rem instead of :: because :: is unreliable inside a parenthesised block)
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)
exit /b
  12. Restart the Wazuh agent to apply the changes:
> Restart-Service -Name wazuh

Wazuh dashboard

Perform the following steps to configure custom decoders, rules, and the Wazuh Active Response module on the Wazuh server.

  1. Navigate to Server management > Decoders.
  2. Enter the following WQL query filename=local_decoder.xml and press Enter to locate the local_decoder.xml file.
  3. Add the following decoders to the local_decoder.xml file to decode the logs generated by the Active Response script:
<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>
  4. Click Save and Reload to apply the changes.
  5. Navigate to Server management > Rules.
  6. Enter the following WQL query filename=local_rules.xml and press Enter to locate the local_rules.xml file.
  7. Add the custom rules below to the local_rules.xml file:
<group name="syscheck,">
  <rule id="111111" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

  <rule id="111112" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

<!--  Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="111113" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

<!--  YARA scan detects a positive match -->
  <rule id="111114" level="12">
    <if_sid>111113</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is ransomware. Yara rule: $(yara_rule)</description>
  </rule>

<!--  Wazuh successfully deletes malware with a positive match -->
  <rule id="111115" level="12">
    <if_sid>111113</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

<!--  Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="111116" level="12">
    <if_sid>111113</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>

Where:

  • Rule ID 111111 is triggered when a file is modified in the Downloads folder.
  • Rule ID 111112 is triggered when a file is added to the Downloads folder.
  • Rule ID 111113 is the base rule for detecting YARA-related events.
  • Rule ID 111114 is triggered when YARA scans and detects a malicious file.
  • Rule ID 111115 is triggered when the Wazuh Active Response module successfully removes the executable.
  • Rule ID 111116 is triggered when the Wazuh Active Response module doesn’t successfully remove the executable.
  8. Click Save and Reload when prompted to apply the changes.
  9. Navigate to Server management > Settings. Click Edit configuration to edit the /var/ossec/etc/ossec.conf file on the Wazuh manager.
  10. Add the following configuration within the <ossec_config> block of the /var/ossec/etc/ossec.conf file:
<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>111111,111112</rules_id>
</active-response>

The Wazuh Active Response module runs the yara.bat script when a file is added or modified in the Downloads folder.

Where:

  • <name> specifies that yara is the name of the command being called in the <active-response> block.
  • <executable> specifies that yara.bat is the executable file to run.
  • <command> specifies the command that the Active Response module will use.
  • The <active-response> block calls the <command> block when the rule ID 111111 or 111112 is triggered.
  • <location> specifies where the Active Response script is executed.
  11. Click Save, then click Restart Manager to apply the changes. Click Confirm when prompted.
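
As an added example (not code from the post or from Wazuh), the following Python script replays constructed active-responses.log lines through the three yara_decoder1 regexes and the match rules above, and shows the one edge case the (\S+) capture does not handle: a user profile path containing a space. The hardened variant is written as a pcre2 pattern, so in Wazuh it would go in a <regex type="pcre2"> element; the log lines and paths are constructed.

```python
import re

# (rule id in local_rules.xml, literal message that yara.bat writes) for the three decoded line types.
MESSAGES = [
    ("111114", "Scan result"),
    ("111115", "Successfully deleted"),
    ("111116", "Error removing threat"),
]


def build_decoders(file_pattern):
    """Compile one regex per message, mirroring the three yara_decoder1 children above;
    only the capture used for yara_scanned_file varies."""
    return [
        (rule_id, re.compile(
            rf"wazuh-yara: (?P<log_type>\S+) - {re.escape(msg)}: "
            rf"(?P<yara_rule>\S+) (?P<yara_scanned_file>{file_pattern})"))
        for rule_id, msg in MESSAGES
    ]


# As written on the page: \S+ stops at the first space, like Wazuh's default regex engine.
AS_WRITTEN = build_decoders(r"\S+")
# Hardened variant: take the rest of the line as the path (pcre2 syntax, see the lead-in).
HARDENED = build_decoders(r".+$")


def decode(line, decoders=AS_WRITTEN):
    """Map one active-responses.log line to (rule_id, decoded_fields).

    Mirrors the pipeline above: the yara_decoder prematch "wazuh-yara:" must be present, then
    one of the child decoders extracts log_type, yara_rule and yara_scanned_file and the
    matching <match> rule fires. A line that only satisfies the prematch ends at the level-0
    grouping rule 111113.
    """
    if "wazuh-yara:" not in line:
        return None, {}
    for rule_id, rx in decoders:
        m = rx.search(line)
        if m:
            return rule_id, m.groupdict()
    return "111113", {}


# Constructed lines in the format yara.bat appends to active-responses.log (not a real capture).
SAMPLE_LOG = [
    r"wazuh-yara: INFO - Scan result: funklocker_ransomware C:\Users\victim\Downloads\sample.exe",
    r"wazuh-yara: INFO - Successfully deleted: funklocker_ransomware C:\Users\victim\Downloads\sample.exe",
    r"wazuh-yara: INFO - Error removing threat: funklocker_ransomware C:\Users\victim\Downloads\locked.exe",
    # Profile name with a space: the page's capture stops at "Jane", so the alert reports a wrong path.
    r"wazuh-yara: INFO - Scan result: funklocker_ransomware C:\Users\Jane Doe\Downloads\sample.exe",
]


def scanned_paths(lines, decoders=AS_WRITTEN):
    """Return the yara_scanned_file value each line decodes to (None when not decoded)."""
    return [decode(line, decoders)[1].get("yara_scanned_file") for line in lines]


if __name__ == "__main__":
    for page, hardened in zip(scanned_paths(SAMPLE_LOG), scanned_paths(SAMPLE_LOG, HARDENED)):
        print(f"page decoder: {page!r:<45} pcre2 decoder: {hardened!r}")
```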

Visualizing detection alerts on the Wazuh dashboard

Alerts are generated on the Wazuh dashboard when a Funklocker ransomware executable is added to the Downloads folder of the monitored Windows endpoint and removed by the Wazuh Active Response module. 

Perform the following steps to view the alerts on the Wazuh dashboard:

  1. Navigate to Threat intelligence > Threat Hunting. Select the Events tab. 
  2. Click + Add filter. Then, filter for rule.id in the Field field.
  3. Select is one of in the Operator field.
  4. Filter for rule ID 111112, 111114, 111115, and 553, in the Values field.
  5. Click Save.
Figure 2 – Detection alerts generated on the Wazuh dashboard

Conclusion

We demonstrate how to detect and respond to Funklocker ransomware activities on a Windows endpoint with Wazuh. We enrich logs from the infected endpoint by integrating Sysmon and create Wazuh detection rules to identify malicious behavior associated with Funklocker ransomware. We also demonstrate how to use the Wazuh FIM and Active Response capabilities with YARA integration to respond to threats.

Check out our documentation and blog posts to learn more about Wazuh. You can join our community of professionals and users if you have any questions related to Wazuh.
