Gunra Ransomware Emerges with New DLS

AhnLab TIP monitors ransomware group activities on the dark web, highlighting Gunra ransomware's use of leaked Conti source code combined with refined social engineering and time-based pressure on victims. Gunra encrypts files with ChaCha20 using RSA key generation and deletes volume shadow copies to prevent recovery.

Keypoints

  • AhnLab TIP tracks active ransomware groups and their new Dedicated Leak Sites (DLS) via Dark Web Watch, enabling proactive threat anticipation.
  • Gunra ransomware was first identified in April 2025 and shares significant code similarities with Conti ransomware, using its leaked source code as a base.
  • Gunra introduces a unique time-based negotiation tactic, pressuring victims to initiate ransom talks within five days to increase psychological stress.
  • Gunra ransomware encrypts files using ChaCha20 encryption, with RSA key generation dependent on the victim’s CPU logical cores.
  • After encryption, Gunra deletes volume shadow copies using WMIC to hinder recovery efforts and drops a ransom note named “R3ADM3.txt.”
  • The ransomware excludes certain folders, files, and extensions from encryption, notably system folders and specific file types including its own ransom note and Conti logs.
  • Strong security recommendations include applying updates, maintaining security software, regular offline backups, cautious email/link handling, and enabling two-factor authentication.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Gunra ransomware encrypts files using ChaCha20 encryption after generating cryptographic keys to prevent victim access (‘…file encryption routine…’).
  • [T1490] Inhibit System Recovery – The ransomware deletes volume shadow copies via cmd commands to prevent restoration (`cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={GUID of the shadowcopy}" delete`).
  • [T1566] Phishing – Gunra employs refined social engineering tactics, including time-based pressure to force quick victim negotiation (‘…time-based pressure technique, which forces victims to begin negotiations within five days…’).

Indicators of Compromise

  • [File Hash] Gunra ransomware sample hashes – 0339269cef32f7af77ce9700ce7bf2e2, 3178501218c7edaef82b73ae83cb4d91, and four others listed in the full report.
  • [File Name] Ransom note file – R3ADM3.txt dropped in encrypted folders instructing ransom payment.
  • [File Extension] Encrypted files have the extension – .ENCRT used by Gunra ransomware.
  • [Command] Volume shadow copy deletion command – `cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={GUID}" delete`.
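As an added detection example (not code from the AhnLab report), the following Python classifies endpoint telemetry against the host-based indicators above: the WMIC shadow-copy deletion command (T1490), the `R3ADM3.txt` ransom note and the `.ENCRT` extension. The event records are constructed samples in a simplified Sysmon-like shape, and the shadow copy GUID in them is a placeholder.

```python
import re

# Constructed sample events (not taken from the report); the GUID is a placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={PLACEHOLDER-GUID}" delete'},
    {"type": "process", "cmdline": r"C:\Windows\System32\wbem\WMIC.exe os get caption"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx.ENCRT"},
    {"type": "file", "path": r"C:\Users\alice\Documents\R3ADM3.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
]

# WMIC shadow-copy deletion as quoted in the report; tolerant of path, casing and GUID filter.
WMIC_SHADOW_DELETE = re.compile(r"wmic(\.exe)?\s+shadowcopy\b.*\bdelete\b", re.IGNORECASE)
RANSOM_NOTE = "r3adm3.txt"   # ransom note name from the report, compared case-insensitively
ENCRYPTED_EXT = ".ENCRT"     # extension appended to encrypted files


def classify_event(event):
    """Return alert tags for one telemetry record; an empty list means nothing matched."""
    tags = []
    if event["type"] == "process":
        if WMIC_SHADOW_DELETE.search(event["cmdline"]):
            tags.append("T1490:shadowcopy_delete")
    elif event["type"] == "file":
        name = event["path"].rsplit("\\", 1)[-1]   # file name after the last backslash
        if name.lower() == RANSOM_NOTE:
            tags.append("gunra:ransom_note")
        if name.upper().endswith(ENCRYPTED_EXT):
            tags.append("gunra:encrypted_file")
    return tags


def scan(events):
    """Map event index -> tags for every event that triggered at least one indicator."""
    hits = {}
    for i, event in enumerate(events):
        tags = classify_event(event)
        if tags:
            hits[i] = tags
    return hits


def ransomware_suspected(events):
    """True when recovery inhibition and encryption artifacts both appear in the same batch."""
    seen = {tag for tags in scan(events).values() for tag in tags}
    return "T1490:shadowcopy_delete" in seen and "gunra:encrypted_file" in seen
```

Plain `wmic ... os get` queries are deliberately left unflagged, so the process rule keys on the `shadowcopy ... delete` pair rather than on WMIC itself.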


Read more: https://asec.ahnlab.com/en/89206/