Gunra is a double-extortion ransomware group active since April 2025 that primarily targets non‑US organizations across multiple industries, using phishing, DoNoT loader routines, and high‑speed stream ciphers (Salsa20/ChaCha20) to encrypt large data volumes and publish exfiltrated data on a dark‑web DLS. The group operates a WhatsApp‑themed negotiation portal (Slack backend), hosts a clearnet mirror (datapub.news), and uses tools like Lumma Stealer and ConnectWise‑like payloads while listing victims on multiple TOR domains. #Gunra #DoNoT #datapub.news
Keypoints
- Gunra emerged April 2025 as a double‑extortion ransomware group targeting mainly non‑US victims (18 reported between April–September 2025) across manufacturing, healthcare, technology, services, and finance sectors.
- Main initial access vector is phishing (Microsoft‑themed email observed); operators share tools via Bash Upload and used Lumma Stealer in operations.
- Ransomware encrypts large datasets quickly (example: 9 TB in 2 days) using stream ciphers Salsa20 or ChaCha20; encrypted files use the .ENCRT extension.
- Operators use an evolving Data Leak Site (TOR v3 domains) and a WhatsApp‑themed negotiation portal backed by Slack; they briefly hosted a clear‑web site (datapub.news) on 86.54.28.216.
- Samples (Windows EXE and ELF64 Linux) show code overlap with Conti/Akira early but newer binaries appear original; DoNoT loader routines and indicators like R3ADM3.txt ransom note present.
- Observed TTPs include shadow copy deletion, process injection, obfuscation/packing, credential theft, lateral movement, and high‑impact encryption; YARA rule provided to detect embedded DoNoT loader stub.
- IOCs collected include multiple TOR domains, several MD5 hashes, bashupload URLs, an email handle, an IP (86.54.28.216), and a TOX ID; leaks and negotiation portals changed frequently across updates.
MITRE Techniques
- [T1003 ] OS Credential Dumping – Used to harvest credentials for lateral movement and access (“Initial Access: Spear Phishing Document” and traces of credential theft in samples).
- [T1005 ] Data from Local System – Exfiltrated sensitive business data prior to encryption (“We have dumped your sensitive business data and then encrypted your side entire data.”).
- [T1014 ] Rootkit – Rootkit techniques referenced in the MITRE list for persistence/stealth within samples and analyses.
- [T1055 ] Process Injection – Loader and payload behaviors indicate injection (“Behavioral Flow … Inject or execute the final stage”).
- [T1090 ] Proxy – Use of TOR and TOX for command and control and negotiation proxying (multiple .onion domains and TOX ID listed).
- [T1027 ] Obfuscated Files or Information – Samples use XOR/Base64/murmur2 and packing (“Data Encoding: XOR, Base64” and “T1027.002: Software Packing”).
- [T1036 ] Masquerading – Phishing and masqueraded Microsoft email used to lure victims (“Title used: Microsoft account security info verification”).
- [T1047 ] Windows Management Instrumentation – WMI used for shadow copy queries prior to deletion (“wmic.exe executes WMI query: SELECT * FROM Win32_ShadowCopy WHERE ID=…”).
- [T1057 ] Process Discovery – Process enumeration used in discovery phases (listed in MITRE techniques observed).
- [T1071 ] Application Layer Protocol – Abuse of web protocols and Slack backend for negotiation and C2 messaging (“Negotiation Portal … backend connected to another TOR Domain” and “using Slack in the back-end”).
- [T1081 ] Credentials in Files – Credentials found or claimed in files/cloud (claims of Office 365 access and credentials in files noted). Note that T1081 is a retired ATT&CK ID; current mappings use T1552.001 (Unsecured Credentials: Credentials In Files).
- [T1082 ] System Information Discovery – System info gathered to profile victims (listed in MITRE techniques observed).
- [T1083 ] File and Directory Discovery – Automated collection and file discovery used to identify targets for encryption (“File and Directory Discovery” and “Automated Collection”).
- [T1119 ] Automated Collection – Automated collection of data for exfiltration prior to listing on DLS (“We have dumped your sensitive business data”).
- [T1176 ] Software Extensions – Use of legitimate remote admin tools (ConnectWise/ScreenConnect) and potential misuse indicated in leak analysis.
- [T1486 ] Data Encrypted for Impact – Primary impact technique: encrypting files with Salsa20/ChaCha20 and appending .ENCRT (“Data Encryption: Salsa20, ChaCha”).
- [T1490 ] Inhibit System Recovery – Shadow copy deletion observed and WMI queries used to remove recovery (“Instructs to erase about (60+) Volume Shadow Copies”).
- [T1552 ] Unsecured Credentials – Credentials found in files and browser stores referenced in analysis (“Credentials in Files” and browser credential theft techniques listed).
- [T1574 ] Hijack Execution Flow – DLL side‑loading and execution flow hijacking referenced among observed techniques (“T1574.002: DLL Side-Loading”).
- [T1564 ] Hide Artifacts – Use of hidden files/directories and stripping binaries to hide artifacts (“Stripped for evasion” and “Hidden Files and Directories”).
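The following is an added detection example, not code from the report or from The Raven File analysis it summarizes. It turns three of the observations above into host-level triage logic run over constructed Sysmon-style events (event 1 process creation, event 11 file creation, a layout assumed for illustration): the Win32_ShadowCopy WMI query and shadow copy deletion (T1047/T1490), mass writes of files with the .ENCRT extension (T1486), and the R3ADM3.txt ransom note. The vssadmin and wmic deletion command lines and the placeholder GUID are constructed for the sample, not taken from the page.

```python
import re
from collections import Counter

# Artefacts named in the report above: the extension appended to encrypted
# files and the ransom note file name.
ENCRYPTED_EXT = ".encrt"
RANSOM_NOTE = "r3adm3.txt"

# Command-line patterns for shadow copy discovery and deletion (T1047 via WMI,
# T1490). The report quotes a WMI query against Win32_ShadowCopy; the vssadmin
# and wmic deletion forms are standard Windows commands added as assumptions.
SHADOW_PATTERNS = {
    "wmi_shadowcopy_query": re.compile(r"win32_shadowcopy", re.IGNORECASE),
    "vssadmin_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\b.*\bdelete\b", re.IGNORECASE),
}


def check_process_event(event):
    """Return finding names for one process-creation event (Sysmon event 1 layout assumed)."""
    cmd = event.get("CommandLine", "")
    return [name for name, pat in SHADOW_PATTERNS.items() if pat.search(cmd)]


def basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_file_event(event):
    """Return finding names for one file-create event (Sysmon event 11 layout assumed)."""
    name = basename(event.get("TargetFilename", ""))
    findings = []
    if name.endswith(ENCRYPTED_EXT):
        findings.append("encrt_extension")
    if name == RANSOM_NOTE:
        findings.append("ransom_note")
    return findings


def triage(events, encrypt_threshold=10):
    """Correlate findings per host and grade each host.

    'critical' requires mass .ENCRT writes plus recovery inhibition or a ransom
    note, so a single stray file carrying the extension does not page anyone.
    """
    per_host = {}
    for ev in events:
        findings = per_host.setdefault(ev.get("Computer", "unknown"), Counter())
        if ev.get("EventID") == 1:
            findings.update(check_process_event(ev))
        elif ev.get("EventID") == 11:
            findings.update(check_file_event(ev))
    verdicts = {}
    for host, findings in per_host.items():
        shadow_tamper = any(name in findings for name in SHADOW_PATTERNS)
        mass_encrypt = findings["encrt_extension"] >= encrypt_threshold
        note = findings["ransom_note"] > 0
        if mass_encrypt and (shadow_tamper or note):
            level = "critical"
        elif mass_encrypt or shadow_tamper or note:
            level = "suspicious"
        else:
            level = "clean"
        verdicts[host] = {"level": level, "findings": dict(findings)}
    return verdicts


# Constructed telemetry for the example; the GUID is a placeholder, not a real ID.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FS-01",
     "CommandLine": "wmic.exe path Win32_ShadowCopy get ID,DeviceObject"},
    {"EventID": 1, "Computer": "FS-01",
     "CommandLine": "wmic.exe shadowcopy where \"ID='{PLACEHOLDER-GUID}'\" delete"},
    {"EventID": 1, "Computer": "FS-01",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 11, "Computer": "FS-01", "TargetFilename": r"D:\Shares\Finance\R3ADM3.txt"},
    {"EventID": 11, "Computer": "WS-07", "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 1, "Computer": "WS-07", "CommandLine": "notepad.exe notes.txt"},
] + [
    {"EventID": 11, "Computer": "FS-01",
     "TargetFilename": rf"D:\Shares\Finance\report_{i}.xlsx.ENCRT"}
    for i in range(12)
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict["level"], verdict["findings"])
```

The threshold and the "critical only with corroboration" rule are the design choice worth copying: the extension alone is a weak signal, but paired with shadow copy tampering it is exactly the sequence the report describes, and the grading keeps the two apart so analysts can tune each independently.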
Indicators of Compromise
- [TOR Domain ] Data leak and negotiation portals – gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion, apdk7hpbbquomgoxbhutegxco6btrz2ara3x2weqnx65tt45ba3sclyd.onion
- [MD5 ] Ransomware / payload samples – 7dd26568049fac1b87f676ecfaac9ba0 (example), 9a7c0adedc4c68760e49274700218507, and 6 more hashes
- [URL ] Tool and leak hosting – https://bashupload.com/0OoOe/tool.7z, https://bashupload.com/FOIGR/email.7z, https://datapub.news (clear‑web DLS instance)
- [Email ] Threat actor contact / registration – [email protected] (registration/contact on datapub.news), [email protected] (observed)
- [IP ] Hosting infrastructure – 86.54.28.216 (datapub.news hosting on BlackHost / Ubuntu nginx)
- [TOX ID ] Messaging/C2 identifier – 2507312EC10BB44ED9DAA04E3C5C27E8C13154649B1A02E73ACFAE1681EE0208D05133A8FB22 (TOX ID used in updates)
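As an added example (not part of the report or of The Raven File's own tooling), this Python script matches the indicators listed above against free-form log lines from DNS, proxy, EDR and firewall sources. The IOC values are copied from the list above; the two e-mail addresses are left out because they are redacted on the page, and the log lines, host names and internal IPs are constructed for the example. Candidate tokens are extracted by shape (MD5, IPv4, URL, host name, TOX ID) and then compared against the IOC sets, so the bashupload.com host itself is not flagged, only the two specific URLs.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as listed in the report above (e-mail addresses omitted
# because they are redacted on the page).
IOCS = {
    "onion_domain": {
        "gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion",
        "apdk7hpbbquomgoxbhutegxco6btrz2ara3x2weqnx65tt45ba3sclyd.onion",
    },
    "domain": {"datapub.news"},
    "ip": {"86.54.28.216"},
    "md5": {"7dd26568049fac1b87f676ecfaac9ba0", "9a7c0adedc4c68760e49274700218507"},
    "url": {"https://bashupload.com/0OoOe/tool.7z", "https://bashupload.com/FOIGR/email.7z"},
    "tox_id": {"2507312EC10BB44ED9DAA04E3C5C27E8C13154649B1A02E73ACFAE1681EE0208D05133A8FB22"},
}

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
TOX_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")


def extract_candidates(line):
    """Pull every hash, IP, URL, host name and TOX-ID-shaped token out of one log line."""
    cands = set()
    for m in MD5_RE.findall(line):
        cands.add(("md5", m.lower()))
    for m in IPV4_RE.findall(line):
        cands.add(("ip", m))
    for m in URL_RE.findall(line):
        url = m.rstrip(".,;)")
        cands.add(("url", url))
        host = urlparse(url).hostname
        if host:
            cands.add(("host", host.lower()))
    for m in HOST_RE.findall(line):
        cands.add(("host", m.lower()))
    for m in TOX_RE.findall(line):
        cands.add(("tox_id", m.upper()))
    return cands


def match_line(line):
    """Return (ioc_type, value) pairs from the report's list that occur in the line."""
    hits = []
    for kind, value in sorted(extract_candidates(line)):
        if kind == "host":
            for ioc_type in ("onion_domain", "domain"):
                if value in IOCS[ioc_type]:
                    hits.append((ioc_type, value))
        elif kind in IOCS and value in IOCS[kind]:
            hits.append((kind, value))
    return hits


def scan(lines):
    """Scan many lines; returns {line_number: hits} for lines with at least one hit."""
    results = {}
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results[number] = hits
    return results


def defang(value):
    """Neutralise an indicator for pasting into tickets or reports."""
    return value.replace("http", "hxxp").replace(".", "[.]")


# Constructed log lines in several vendor-neutral formats; internal addresses
# and host names are invented for the example.
SAMPLE_LOG = [
    "2025-09-20T10:01:02Z dns src=10.0.0.15 qname=datapub.news qtype=A",
    "2025-09-20T10:02:10Z proxy src=10.0.0.15 url=https://bashupload.com/0OoOe/tool.7z status=200",
    "2025-09-20T10:05:00Z edr host=WS-0042 file=C:\\Users\\alice\\Downloads\\tool.exe md5=7dd26568049fac1b87f676ecfaac9ba0",
    "2025-09-20T10:06:00Z fw src=10.0.0.15 dst=86.54.28.216 dport=443 action=allow",
    "2025-09-20T10:07:00Z dns src=10.0.0.16 qname=update.microsoft.com qtype=A",
    "2025-09-20T10:08:00Z proxy src=10.0.0.15 url=http://gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion/ status=502",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, [(kind, defang(value)) for kind, value in hits])
```

Matching is done on extracted tokens rather than with a plain substring search so that the 32-character MD5 regex cannot fire inside the 76-character TOX ID and the legitimate file-sharing host is never flagged on its own; when the remaining six hashes from the full report are available they belong in the md5 set as-is.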
Read more: https://theravenfile.com/2025/09/23/gunra-ransomware-what-you-dont-know/