Overview
Gunra is a sophisticated double-extortion ransomware group first identified in April 2025. Emerging from the leaked Conti source code, Gunra is designed for high-speed encryption and data theft, typically demanding ransom via a customized Tor-based negotiation portal. It targets mid-to-large organizations across diverse sectors globally, delivering powerful, precise attacks under tight negotiation deadlines.
Country of Origin
Unattributed; however, its roots in Conti code and global targeting suggest potential Eastern European alignment.
Notable Attacks / Victims
- Compromised organizations across Japan, Egypt, Panama, Italy, Argentina, UAE, affecting industries such as real estate, pharmaceuticals, manufacturing, healthcare, and IT.
- Leaked 40 terabytes of data from a Dubai hospital in May 2025, signaling a massive regional healthcare breach.
- Confirmed 14 victims listed on Gunra’s dedicated leak site; victims include organizations in Brazil, Canada, Türkiye, South Korea, Taiwan, and the U.S.
MITRE ATT&CK Tactics & Techniques
| Tactic | Technique & Description | ID |
|---|---|---|
| Initial Access | Likely phishing, credential theft, or exploitation | T1566.001 |
| Execution | Command/script via WMI and Windows APIs | T1059, T1047 |
| Persistence | Process injection, potential bootkit loading | T1055, T1542 |
| Defense Evasion | Anti-debugging (IsDebuggerPresent), obfuscation, WMI shadow deletion | T1027, T1070.004 |
| Discovery | System/file enumeration (FindNextFileExW) | T1083 |
| Credential Access | Not specified, but likely via standard Windows techniques | T1003 |
| Exfiltration | Double-extortion via Tor-based negotiation portal | T1567.002 |
| Impact | File encryption (.ENCRT extension), shadow copy deletion, ransom note R3ADM3.txt | T1486 |
Malware Characteristics
- Extensions & Ransom Notes: Files encrypted with .ENCRT; ransom note named R3ADM3.txt dropped in every directory.
- Linux Variant: Revealed mid-2025, supporting up to 100 concurrent encryption threads (twice the speed of competitors) using hybrid RSA + ChaCha20 encryption; notably, no ransom note is dropped in Linux environments.
- Evasion & Escalation: Gunra uses IsDebuggerPresent to avoid analysis, WMI for shadow copy deletion, and process injection for execution stealth.
Common Infiltration Methods
- Spear-phishing, phishing with malicious attachments or links.
- Possible RDP/VPN credential compromise or exploitation of vulnerabilities for initial access.
- Use of living-off-the-land tools (e.g., WMI) to delete backups and survive.
- Deployment across Windows and Linux, with tailored encryption strategies.
Summary & Recommendations
Gunra is an advanced and evolving ransomware threat with cross-platform capabilities and massive operational speed. Its attacks are swift, stealthy, and highly damaging—notably in critical sectors.
Recommended defenses:
- Deploy multi-factor authentication and secure remote access.
- Monitor for .ENCRT files and R3ADM3.txt ransom notes.
- Detect shadow-copy deletion, WMI usage, and abnormal process activity.
- Block traffic to known Tor-based leak sites or negotiation pages.
- Maintain isolated, offline backups and endpoint detection with behavioral heuristics.
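The monitoring items above, as an added example that is not part of the original profile: a small Python scanner that tags constructed EDR-style event records using the .ENCRT extension and R3ADM3.txt note name from this profile, plus assumed command-line heuristics for WMI/VSS shadow-copy deletion (not taken from the profile), and flags hosts whose indicators reach simple per-host thresholds.

```python
import re
from collections import Counter
# Indicators from the profile above: encrypted-file extension and ransom note name.
ENCRYPTED_EXT = ".encrt"
RANSOM_NOTE = "r3adm3.txt"
# Command lines associated with shadow-copy deletion via WMI or VSS tooling
# (assumed detection heuristics, not taken from the profile).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"win32_shadowcopy", re.I),
]

def classify_event(event):
    """Return alert tags for one EDR-style event record (empty list if benign)."""
    tags = []
    # Split on either separator so the basename check works for Windows and Linux paths.
    basename = re.split(r"[\\/]", event.get("path", "").lower())[-1]
    if basename.endswith(ENCRYPTED_EXT):
        tags.append("encrypted_file")
    if basename == RANSOM_NOTE:
        tags.append("ransom_note")
    if any(p.search(event.get("cmdline", "")) for p in SHADOW_DELETE_PATTERNS):
        tags.append("shadow_copy_deletion")
    return tags

def scan_events(events, note_threshold=2, file_threshold=5):
    """Count tags per host; flag hosts where any indicator reaches its threshold."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], Counter()).update(classify_event(ev))
    # One shadow-copy deletion is enough; notes and encrypted files need volume.
    checks = [("shadow_copy_deletion", 1), ("ransom_note", note_threshold),
              ("encrypted_file", file_threshold)]
    flagged = {}
    for host, c in per_host.items():
        reasons = [tag for tag, n in checks if c[tag] >= n]
        if reasons:
            flagged[host] = reasons
    return flagged

# Constructed sample telemetry (not real data): one infected host, one clean host.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "wmic shadowcopy delete"},
    *[{"host": "ws01", "path": rf"C:\Users\a\doc{i}.docx.ENCRT"} for i in range(6)],
    {"host": "ws01", "path": r"C:\Users\a\R3ADM3.txt"},
    {"host": "ws01", "path": r"C:\Users\a\Documents\R3ADM3.txt"},
    {"host": "srv02", "path": "/var/log/syslog"},
    {"host": "srv02", "cmdline": "vssadmin list shadows"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags only ws01; the thresholds are starting points to tune against a site's own baseline of legitimate VSS administration.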