Hacktivist Groups Transition to Ransomware-as-a-Service Operations

June 11, 2025

In cybersecurity, we tend to classify threat actors along strict boundaries. One such boundary is that between politically motivated hacktivists and financially motivated cybercriminals. In principle, these groups have both completely different objectives and completely different methodologies. Hacktivists desire uncontrolled disruption for the sake of making their point; cybercriminals desire controlled disruption for the sake of negotiation and financial gain. However, the realities of life increasingly blur these classifications, and in some cases, what starts in one form can become another. This has happened to three hacktivist groups that have been prominent in the public eye: FunkSec, KillSec, and GhostSec. By examining these groups, we may be able to derive some lessons about what caused the transition and what it means for the cybercrime sphere as a whole.

All three groups began firmly at the hacktivist end of the spectrum. Both FunkSec and GhostSec were initially associated with the Free Palestine movement and were interested in launching cyberattacks on the United States and Israel, respectively, in order to spread their message. KillSec’s goals were aligned with Russia from the beginning, and their focus was on attacking various entities in India, Bangladesh, Romania, Poland, and Brazil. Both KillSec and GhostSec were originally affiliated with the Anonymous hacktivist collective. FunkSec was affiliated with other hacktivist groups, including Ghost Algeria and Cyb3r Fl00d.

All three groups began to transition into the use of ransomware around 2024. In December 2024, FunkSec began to push its FunkLocker malware, and transitioned from primarily attacking governments to attacking organizations across multiple sectors, public and private. KillSec began employing ransomware in October 2023, then transitioned into selling their ransomware in June of 2024, expanding into ESXi ransomware in November of that year. Notably, GhostSec in particular changed when they partnered with ransomware group Stormous in July 2023, joining with three other operators to create the Five Families collective. This led to the creation of the GhostLocker malware and a new wave of RaaS operations. GhostSec claims to have retired from cybercrime, but the Stormous group is still running GhostLocker in the name of GhostSec.

What caused this transition? There appear to be two major overall factors. One, of course, is the desire for wealth, and the proven effectiveness of the RaaS model. Perhaps the more important reason, however, was the lowered barrier to entry in the ransomware business around 2024, once the builders for popular ransomware programs, such as the LockBit 3.0 builder, were leaked. These builders allowed even individuals with low technical proficiency, such as those who might run hacktivist groups, to generate their own custom malware programs with relative ease. In such a situation, the prospect of running a known and effective RaaS operation must have been extremely tempting. As this process continues, we may expect more hacktivist operations to capitalize on their name recognition to run their own RaaS operations.
