A recently identified ransomware variant, dubbed Gunra, has surfaced as a major threat in the ransomware landscape, targeting Windows systems.
Discovered in April 2025, Gunra has quickly drawn attention due to its technical lineage and aggressive operational techniques, echoing those of the notorious Conti ransomware group.
AhnLab’s Threat Intelligence Platform (TIP), which tracks ransomware activity across dark web forums and marketplaces, has spotlighted Gunra’s rise among a new surge of Dedicated Leak Sites (DLS) between February and June 2025, highlighting an alarming uptick in ransomware-as-a-service activity.
Gunra’s technical footprint indicates a strong evolutionary link to Conti. Conti, historically based in Russia and infamous for its large-scale operations since 2020, saw its internal documents and source code leaked in early 2022 by a Ukrainian affiliate after the group publicly supported the Russian government.
That leak spawned several high-profile ransomware strains, including Black Basta and Royal, and Gunra now joins their ranks, distinguished by technical enhancements and a more intense pressure campaign against its victims.
Multi-Threaded Encryption
Upon execution, Gunra ransomware creates multiple threads equal to the number of logical cores in the infected machine to maximize encryption speed and efficiency. Each thread utilizes a hardcoded RSA public key embedded in the binary.
This key is used to generate session-specific RSA keys, which subsequently derive ChaCha20 symmetric encryption keys.
The ChaCha20 keys then drive the encryption routine, rapidly scrambling targeted files across user directories.
Gunra targets a wide array of user data but strategically avoids critical system directories and files vital for operating system stability.
It excludes folders such as Windows, Boot, System Volume Information, and Trend Micro from infection, as well as file extensions like .exe, .dll, .lnk, and even its own encrypted extension, .ENCRT.
The ransomware also excludes certain files, including its ransom note (“R3ADM3.txt”) and a log file reminiscent of Conti (“CONTI_LOG.txt”), from encryption.
After finishing the file encryption process, Gunra initiates a destructive command sequence using cmd.exe to systematically delete Windows Volume Shadow Copies.
This step, leveraging WMIC, is intended to thwart local restoration efforts by erasing system backups:
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={GUID of the shadowcopy}" delete
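The command above is a high-signal detection point, because legitimate software rarely deletes shadow copies through WMIC from a cmd.exe child. The following is an added detection example, not code from the article or from AhnLab: it runs a check over a few constructed process-creation events (simplified Sysmon Event ID 1 style records; field names, PIDs and paths are assumptions) and flags any command line that invokes WMIC against the shadowcopy class with the delete verb, while ignoring read-only queries such as "shadowcopy list". It also notes when the parent process lives under a user-writable path, which is a useful triage hint but not on its own proof of Gunra.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample events (not real telemetry). Only the fields the check needs are kept.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "command_line": r'cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={6F1A2C3D-0000-0000-0000-000000000001}" delete'},
    {"pid": 4121, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\System32\wbem\WMIC.exe shadowcopy list brief"},
    {"pid": 4122, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"wmic shadowcopy delete"},
    {"pid": 4123, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"C:\Windows\explorer.exe"},
]


@dataclass
class Finding:
    pid: int
    parent_image: str
    command_line: str
    suspicious_parent: bool
    reason: str


def _basename(token: str) -> str:
    """Strip quotes and any directory prefix so 'C:\\...\\wbem\\WMIC.exe' becomes 'wmic.exe'."""
    return token.strip('"').rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True when the command line runs WMIC with the shadowcopy class and a delete verb
    after it. Matching on tokens rather than a substring avoids false positives on
    paths or arguments that merely contain the word 'delete' elsewhere."""
    tokens = command_line.lower().split()
    if not any(_basename(t) in ("wmic", "wmic.exe") for t in tokens):
        return False
    if "shadowcopy" not in tokens:
        return False
    after_class = tokens[tokens.index("shadowcopy") + 1:]
    return "delete" in after_class


def parent_is_user_writable(parent_image: str) -> bool:
    """Heuristic: a parent binary launched from a per-user temp/AppData path is more
    suspicious than one from a system directory."""
    p = parent_image.lower()
    return "\\users\\" in p and ("\\appdata\\" in p or "\\temp\\" in p)


def scan_events(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that deletes shadow copies via WMIC."""
    findings: list[Finding] = []
    for ev in events:
        if is_shadow_copy_deletion(ev["command_line"]):
            findings.append(Finding(
                pid=ev["pid"],
                parent_image=ev["parent_image"],
                command_line=ev["command_line"],
                suspicious_parent=parent_is_user_writable(ev["parent_image"]),
                reason="WMIC shadowcopy delete: backup destruction consistent with a post-encryption ransomware step",
            ))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        flag = " [parent in user-writable path]" if f.suspicious_parent else ""
        print(f"pid={f.pid}{flag}: {f.reason}\n    {f.command_line}")
```

In a real deployment the same token check would be applied to the CommandLine field of your EDR or Sysmon feed; pairing a hit with a burst of file renames to .ENCRT from the same process tree raises confidence considerably.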
Victims are then confronted with a ransom note (R3ADM3.txt), which instructs them to visit a designated threat actor-controlled website for payment instructions and data recovery steps.
Of note is Gunra’s psychological pressure tactic: victims are warned they must initiate negotiations within five days, adding urgency and stress to the extortion process.
Targeting Patterns
AhnLab’s analysis notes that if a target drive is the system volume (C:\), the ransomware confines its operations to the C:\Users folder, narrowing the impact to user data rather than the entire disk.
This approach helps maintain system operability post-encryption, facilitating communication for ransom payment.
Given Gunra’s rapidly evolving threat profile and the broader trend of proliferating DLS ransomware, organizations are advised to maintain regular, offline, or geographically segmented backups; restrict access to backup storage; and routinely rehearse recovery operations.
Security updates, endpoint protection, and vigilant email and network hygiene remain vital. Special emphasis is placed on storing critical data and backups entirely offsite and segregated from operational networks to maximize defenses against ransomware incursions.
As ransomware tactics and operations continue to advance, the emergence of Gunra signals an urgent need for organizations to redouble their incident preparedness, focusing not only on backup creation but also on resilient, tested recovery strategies.
Indicators of Compromise (IOC)
| MD5 Hash | Description |
|---|---|
| 0339269cef32f7af77ce9700ce7bf2e2 | Gunra sample |
| 3178501218c7edaef82b73ae83cb4d91 | Gunra sample |
| 7dd26568049fac1b87f676ecfaac9ba0 | Gunra sample |
| 92e11df03725e29d963d44508d41a8dd | Gunra sample |
| 9a7c0adedc4c68760e49274700218507 | Gunra sample |
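The file-level artifacts described earlier (the .ENCRT extension, the R3ADM3.txt note and the CONTI_LOG.txt log file) and the MD5 hashes in this table can be combined into a single host sweep. The script below is an added example written for this article, not a tool from AhnLab or part of the original page: it walks a directory tree, lists encrypted files and ransom-note artifacts by name, and hashes executables against the published MD5 values. The sample tree it builds under a temp directory is constructed for demonstration and contains no real malware, so the hash check is expected to return no hits there; point `sweep()` at a real path to use it.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Indicators from the article: encrypted-file extension, files left unencrypted, sample hashes.
ENCRYPTED_EXT = ".encrt"
NOTE_NAMES = {"r3adm3.txt", "conti_log.txt"}
GUNRA_MD5 = {
    "0339269cef32f7af77ce9700ce7bf2e2",
    "3178501218c7edaef82b73ae83cb4d91",
    "7dd26568049fac1b87f676ecfaac9ba0",
    "92e11df03725e29d963d44508d41a8dd",
    "9a7c0adedc4c68760e49274700218507",
}
HASH_CANDIDATE_EXTS = (".exe", ".dll")  # keep hashing cheap; widen if you need to


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path) -> dict[str, list[Path]]:
    """Walk `root` and bucket findings into encrypted files, ransom-note artifacts,
    and executables whose MD5 matches a published Gunra sample."""
    result: dict[str, list[Path]] = {"encrypted": [], "notes": [], "hash_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lname = name.lower()
            if lname.endswith(ENCRYPTED_EXT):
                result["encrypted"].append(path)
            elif lname in NOTE_NAMES:
                result["notes"].append(path)
            if lname.endswith(HASH_CANDIDATE_EXTS) and md5_of(path) in GUNRA_MD5:
                result["hash_hits"].append(path)
    return result


def build_sample_tree() -> Path:
    """Constructed sample tree (assumption: a small Users profile with a few files).
    Nothing here is a real infected host or a real ransomware artifact."""
    root = Path(tempfile.mkdtemp(prefix="gunra_sweep_"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.ENCRT").write_bytes(b"\x00\x01opaque ciphertext placeholder")
    (docs / "R3ADM3.txt").write_text("constructed ransom note placeholder")
    (docs / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "Users" / "alice" / "CONTI_LOG.txt").write_text("constructed log placeholder")
    (root / "Users" / "alice" / "tool.exe").write_bytes(b"MZ constructed benign stub, not a real binary")
    return root


if __name__ == "__main__":
    found = sweep(build_sample_tree())
    for bucket, paths in found.items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print(f"    {p}")
```

Run against a suspect host, a non-empty "encrypted" bucket plus a note file is strong evidence of the post-encryption state the article describes, while a hash hit identifies the dropped binary itself; the hash set is only as good as the published IoC list, so treat an empty "hash_hits" bucket as inconclusive rather than clean.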