Gunra ransomware is a global threat that uses double-extortion tactics against a range of industries. It employs advanced evasion techniques and threatens to leak stolen data; affected companies span sectors such as real estate and pharmaceuticals. (Affected: real estate, pharmaceuticals, manufacturing, cyber-security)
Key points:
- Gunra ransomware targets Windows systems using double-extortion tactics.
- It threatens to leak stolen data on Tor-hosted forums.
- Common industries affected include real estate, pharmaceuticals, and manufacturing.
- The malware deletes shadow copies to prevent recovery.
- Victims receive a ransom note directing communication via a Tor-based portal.
- Gunra exhibits behaviors such as process enumeration and system information retrieval.
- Recommendations include enhancing EDR, backup planning, and ransomware detection strategies.
MITRE Techniques:
- Execution (TA0002) – T1047: Uses Windows Management Instrumentation.
- Execution (TA0002) – T1129: Employs Shared Modules.
- Persistence (TA0003) – T1176: Uses Software Extensions.
- Persistence (TA0003) – T1542: Uses Pre-OS Boot techniques.
- Privilege Escalation (TA0004) – T1055: Implements Process Injection.
- Defense Evasion (TA0005) – T1014: Engages in Rootkit techniques.
- Discovery (TA0007) – T1057: Performs Process Discovery.
- Collection (TA0009) – T1005: Gathers Data from Local System.
- Command and Control (TA0011) – T1071: Utilizes Application Layer Protocols.
- Impact (TA0040) – T1486: Encrypts Data for Impact.
Indicators of Compromise:
- The article lists specific file hashes (MD5, SHA-256) that can be used to identify Gunra ransomware samples.
- Encrypted files are renamed with the .ENCRT extension.
- The ransom note R3ADM3.txt dropped on the host is an indicator that encryption has completed.
- IP addresses associated with Tor-based communication are implied for command-and-control activity.
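The shadow-copy deletion noted under the key points and the .ENCRT extension and R3ADM3.txt note listed above are the host-side artefacts a detection engineer can key on. The following is an added example (not code from the report or from CYFIRMA) that applies those checks to constructed, SIEM-style process-creation and file-write events; the event field names and the sample events are assumptions.

```python
import re

# Constructed sample telemetry (not from the report): process-creation and
# file-write events in the normalized shape a SIEM pipeline might emit.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\budget.xlsx.ENCRT"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\R3ADM3.txt"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\report.docx"},
]

# Shadow-copy deletion: WMI via WMIC (T1047), the vssadmin equivalent, and
# direct use of the Win32_ShadowCopy WMI class from any scripting host.
SHADOW_DELETE = [
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]
ENCRYPTED_EXT = ".encrt"   # extension appended by Gunra after encryption
RANSOM_NOTE = "r3adm3.txt" # ransom note file name from the report

def classify(event):
    """Return the list of alert labels that apply to one normalized event."""
    alerts = []
    if event["type"] == "process":
        if any(p.search(event["cmdline"]) for p in SHADOW_DELETE):
            alerts.append("shadow_copy_deletion")
    elif event["type"] == "file":
        name = event["path"].rsplit("\\", 1)[-1].lower()
        if name.endswith(ENCRYPTED_EXT):
            alerts.append("encrt_extension")
        if name == RANSOM_NOTE:
            alerts.append("gunra_ransom_note")
    return alerts

def triage(events):
    """Count alerts over a batch; shadow-copy deletion combined with either
    file artefact is rated high because recovery is already being denied."""
    counts = {}
    for ev in events:
        for label in classify(ev):
            counts[label] = counts.get(label, 0) + 1
    high = "shadow_copy_deletion" in counts and (
        "encrt_extension" in counts or "gunra_ransom_note" in counts)
    return {"alerts": counts, "severity": "high" if high else "low"}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Shadow-copy deletion alone is noisy (backup software does it legitimately), which is why the triage step only escalates when it co-occurs with the Gunra file artefacts.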
Full Story: https://www.cyfirma.com/research/gunra-ransomware-a-brief-analysis/