CloudSEK researchers infiltrated a newly launched Gunra affiliate program in January 2026, obtaining RaaS management panel credentials and a live ransomware sample for detailed technical analysis. The Gunra locker is an offline-capable, multi-threaded encryptor that uses per-file ChaCha20 keys protected with RSA-4096, selective system exclusions, .ENCRT renaming, and a Tor-based payment portal. #Gunra #CloudSEK
Key points
- CloudSEK successfully executed a HUMINT operation to join Gunra’s affiliate program and retrieve management panel credentials and a live sample.
- Gunra is offered as a professional RaaS with a user-friendly affiliate panel, documentation, and a configurable locker/builder supporting multiple platforms.
- The ransomware performs recursive A–Z drive enumeration, selectively excluding system directories and specific file extensions to maintain OS functionality.
- Encryption employs a hybrid ChaCha20 (per-file 32-byte key + 12-byte nonce) for speed and RSA-4096 to protect key material, with keys appended to files or stored in SHA-256 named .keystore files.
- Multi-threaded producer-consumer architecture (default two worker threads) enables rapid, parallel encryption and renaming of files to the .ENCRT extension, followed by R3ADM3.txt ransom notes.
- The binary operates fully offline during encryption and directs victims to a hardcoded Tor onion payment portal included in the ransom note.
MITRE Techniques
- [T1204] User Execution – The victim runs a ransomware binary. (‘The victim runs a ransomware binary’)
- [T1083] File & Directory Discovery – Scans drives A–Z recursively to enumerate files and directories. (‘Scans drives A–Z recursively’)
- [T1564] Exclude System Files – Skips Windows and system directories to avoid crashing the OS. (‘Skips Windows & system directories’)
- [T1005] Data from Local System – Targets and collects user documents and other local files for encryption. (‘Targets user documents & files’)
- [T1486] Data Encrypted for Impact – Encrypts files using ChaCha20 to deny access to data. (‘Encrypts files using ChaCha20’)
- [T1486] Data Encrypted for Impact – Protects per-file ChaCha20 keys with RSA-4096, preventing decryption without attacker keys. (‘RSA encrypts encryption keys’)
- [T1036.003] File Rename – Appends the .ENCRT extension to encrypted files to mark them as processed. (‘Appends .ENCRT to files’)
- [T1491] Defacement / Message – Drops a ransom note R3ADM3.txt in affected directories to instruct victims. (‘Drops R3ADM3.txt’)
- [T1104] Dead Drop Resolver (Tor) – Directs victims to a Tor hidden service for payment and communication. (‘Victim connects via Tor portal’)
- [T1657] Financial Extortion – Issues a ransom demand via the Tor payment portal and associated instructions. (‘Ransom demand issued’)
Indicators of Compromise
- [File Hash] Locker and operator guide hashes – Locker SHA-256: 75e5621756e9d19efeac2bcbb2ac4711fb85243c03b0a19c05b18e31a780691e; Operator PDF SHA-256: 25c8cb27947042de89d634b3e260e614e5b1425a89494fa4e4295bcabfa8ee48
- [File Hash] MD5 example – Locker MD5: e57b130718373f6ba9b37f39ca1d7e3d
- [Filename] Ransom note – R3ADM3.txt (dropped in every directory containing encrypted files)
- [File Extension] Encrypted files – .ENCRT (renamed extension applied to encrypted files)
- [Keystore Pattern] Key storage filenames – {sha256_hash}.keystore (used when keys are stored separately)
- [Onion URL] Tor payment portal – hxxp://nsnhzysbntsqdwpys6mhml33muccsvterxewh5rkbmcab7bg2ttevjqd[.]onion (hardcoded in ransom note)
- [Protected Paths] Excluded directories – C:\Windows, C:\Program Files, C:\Program Files (x86) (directories skipped by the locker)
- [Skipped File Types] System-critical extensions – Exe, Dll, Sys, Com, Pif, Bat, Msi, Scr, Drv, Cxd, Mui, Cpl, Fon, ini (extensions excluded from encryption)
- [String Constant] Crypto signature – “expand 32-byte k” (ChaCha20 magic constant found in binary)
- [API Behavior] Cryptographic API – BCryptGenRandom (used to generate per-file ChaCha20 keys and nonces)
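The key points and indicator list above describe two kinds of artifacts a responder can act on: static strings in the locker binary (the ChaCha20 constant and the BCryptGenRandom import) and the on-disk footprint after encryption (.ENCRT files, R3ADM3.txt notes, {sha256}.keystore files). The following Python is an added triage example, not CloudSEK's code, that checks both; the sample directory tree and byte buffer it builds are constructed, and the assumption that keystore names are 64 hex characters follows from the SHA-256 naming described on the page.

```python
import os
import re
import tempfile
from pathlib import Path

# Static artifacts reported for the Gunra locker in the analysis above
CHACHA_SIGMA = b"expand 32-byte k"   # ChaCha20 constant embedded in the binary
RNG_API = b"BCryptGenRandom"          # API used to generate per-file keys/nonces
NOTE_NAME = "R3ADM3.txt"              # ransom note dropped per directory
ENC_EXT = ".ENCRT"                    # extension appended to encrypted files
# Assumption: {sha256_hash}.keystore means 64 hex characters before the suffix
KEYSTORE_RE = re.compile(r"^[0-9a-f]{64}\.keystore$", re.IGNORECASE)


def triage_binary(data: bytes) -> dict:
    """Return the offset of each static marker in a byte buffer, or None if absent.
    Either string alone is weak evidence; both together justify a closer look."""
    return {
        "chacha20_sigma": data.find(CHACHA_SIGMA) if CHACHA_SIGMA in data else None,
        "bcrypt_gen_random": data.find(RNG_API) if RNG_API in data else None,
    }


def scope_encryption(root: str) -> dict:
    """Walk a tree and collect encrypted files, ransom notes and keystore files,
    which is the quickest way to scope how far the locker ran on a host."""
    hits = {"encrypted": [], "notes": [], "keystores": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                hits["notes"].append(path)
            elif name.endswith(ENC_EXT):
                hits["encrypted"].append(path)
            elif KEYSTORE_RE.match(name):
                hits["keystores"].append(path)
    return hits


def build_sample_tree() -> str:
    """Create a throwaway directory mimicking the post-encryption layout (constructed data)."""
    root = tempfile.mkdtemp(prefix="gunra_demo_")
    docs = Path(root, "Users", "alice", "Documents")
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.ENCRT").write_bytes(b"\x00" * 16)
    (docs / "notes.docx.ENCRT").write_bytes(b"\x00" * 16)
    (docs / NOTE_NAME).write_text("constructed placeholder note")
    (docs / ("a" * 64 + ".keystore")).write_bytes(b"\x00" * 16)
    win = Path(root, "Windows", "System32")
    win.mkdir(parents=True)
    (win / "kernel32.dll").write_bytes(b"MZ")  # excluded path/extension, left untouched
    return root
```

Run `scope_encryption(build_sample_tree())` to see the three buckets populated; on a real host point it at a mounted image instead.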