Gunra Ransomware: Tactics, Victims, and Threat Intelligence

Gunra is a double-extortion ransomware group, active since April 2025, leveraging leaked Conti code for high-speed, cross-platform attacks. With victims spanning healthcare, manufacturing, and IT, its operations emphasize rapid encryption, data theft, and Tor-based ransom negotiations, posing severe risks to global enterprises.

    Overview

    Gunra is a sophisticated double-extortion ransomware group first identified in April 2025. Emerging from the leaked Conti source code, Gunra is designed for high-speed encryption and data theft, typically demanding ransom via a customized Tor-based negotiation portal. It targets mid-to-large organizations across diverse sectors globally, delivering powerful, precise attacks under tight negotiation deadlines.

    Country of Origin

    Unattributed; however, its roots in Conti code and global targeting suggest potential Eastern European alignment.

    Notable Attacks / Victims

    • Compromised organizations across Japan, Egypt, Panama, Italy, Argentina, and the UAE, in industries such as real estate, pharmaceuticals, manufacturing, healthcare, and IT.
    • Leaked 40 terabytes of data from a Dubai hospital in May 2025, signaling a massive regional healthcare breach.
    • Confirmed 14 victims listed on Gunra’s dedicated leak site; victims include organizations in Brazil, Canada, Türkiye, South Korea, Taiwan, and the U.S.

    MITRE ATT&CK Tactics & Techniques

    | Tactic | Technique & Description | ID |
    | --- | --- | --- |
    | Initial Access | Likely phishing, credential theft, or exploitation | T1566.001 |
    | Execution | Command/script execution via WMI and Windows APIs | T1059, T1047 |
    | Persistence | Process injection, potential bootkit loading | T1055, T1542 |
    | Defense Evasion | Anti-debugging (IsDebuggerPresent), obfuscation, WMI shadow deletion | T1027, T1070.004 |
    | Discovery | System/file enumeration (FindNextFileExW) | T1083 |
    | Credential Access | Not specified, but likely via standard Windows techniques | T1003 |
    | Exfiltration | Double-extortion via Tor-based negotiation portal | T1567.002 |
    | Impact | File encryption (.ENCRT extension), shadow copy deletion, ransom note R3ADM3.txt | T1486 |

    Malware Characteristics

    • Extensions & Ransom Notes: Files encrypted with .ENCRT; ransom note named R3ADM3.txt dropped in every directory.
    • Linux Variant: Revealed mid-2025, supporting up to 100 concurrent encryption threads (twice the speed of competitors) using hybrid RSA + ChaCha20 encryption; notably no ransom note dropped in Linux environments.
    • Evasion & Escalation: Gunra uses IsDebuggerPresent to avoid analysis, WMI for shadow copy deletion, and process injection for execution stealth.

    Common Infiltration Methods

    • Spear-phishing, phishing with malicious attachments or links.
    • Possible RDP/VPN credential compromise or exploitation of vulnerabilities for initial access.
    • Use of living-off-the-land tools (e.g., WMI) to delete backups and persist on the host.
    • Deployment across Windows and Linux, with tailored encryption strategies.

    Summary & Recommendations

    Gunra is an advanced and evolving ransomware threat with cross-platform capabilities and massive operational speed. Its attacks are swift, stealthy, and highly damaging—notably in critical sectors.

    Recommended defenses:

    • Deploy multi-factor authentication and secure remote access.
    • Monitor for .ENCRT files and R3ADM3.txt ransom notes.
    • Detect shadow-copy deletion, WMI usage, and abnormal process activity.
    • Block traffic to known Tor-based leak sites or negotiation pages.
    • Maintain isolated, offline backups and endpoint detection with behavioral heuristics.
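As an added example (not part of the original profile), a small Python detector that applies two of the recommendations above to constructed sample events: it flags shadow-copy deletion via WMI or vssadmin and flags .ENCRT files and R3ADM3.txt notes. The event shape (Sysmon-like process and file records) and the shadow-copy command-line patterns are assumptions; only the file indicators come from the page.

```python
import json
import re

# Constructed sample events (not real telemetry), loosely modelled on
# Sysmon process-creation (ID 1) and file-creation (ID 11) records.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"id": 11, "target": r"C:\Users\alice\Documents\budget.xlsx.ENCRT"},
    {"id": 11, "target": r"C:\Users\alice\Documents\R3ADM3.txt"},
    {"id": 11, "target": r"C:\Users\alice\Documents\notes.txt"},
]

# File indicators taken from the Gunra profile above.
ENCRYPTED_EXT = ".encrt"
RANSOM_NOTE = "r3adm3.txt"

# Shadow-copy deletion patterns: assumed common command forms for
# T1490 (Inhibit System Recovery), not command lines quoted from Gunra samples.
SHADOW_DELETE = re.compile(
    r"(wmic.*shadowcopy.*delete|vssadmin.*delete\s+shadows|win32_shadowcopy.*delete)",
    re.IGNORECASE,
)

def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    if event.get("id") == 1 and SHADOW_DELETE.search(event.get("cmdline", "")):
        return "shadow_copy_deletion"
    if event.get("id") == 11:
        # Compare on the bare file name, case-insensitively (NTFS is case-insensitive).
        name = event.get("target", "").rsplit("\\", 1)[-1].lower()
        if name.endswith(ENCRYPTED_EXT):
            return "encrypted_file"
        if name == RANSOM_NOTE:
            return "ransom_note"
    return None

def scan(events):
    """Count findings per label; findings in two or more categories on one host
    indicate a ransomware impact phase rather than a one-off false positive."""
    counts = {}
    for ev in events:
        label = classify(ev)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```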
