Gunra is a financially motivated ransomware group that first appeared in April 2025. It targets various industries worldwide by deploying ransomware that encrypts files and exfiltrates sensitive data to pressure victims into paying a ransom. The group is known for its use of double-extortion tactics and has developed variants for both Windows and Linux operating systems.
Operational Tactics
Gunra employs sophisticated techniques to infect systems, evade detection, and coerce victims into paying ransoms. The group’s methods are largely derived from the leaked source code of the notorious Conti ransomware.
Windows Variant:
- Encryption and Ransom Note Upon successful infection of a Windows system, Gunra encrypts files and appends the
.ENCRTextension to them. It then drops a ransom note namedR3ADM3.txtin every affected directory. This note contains instructions for payment and a warning that the stolen data will be published on underground forums if the ransom is not paid. - Evasion and Anti-Analysis The ransomware is designed to avoid detection. It uses the
IsDebuggerPresentAPI to check if it is being analyzed in a debugging environment like WinDbg or x64dbg. It also deletes volume shadow copies using Windows Management Instrumentation (WMI) to prevent easy system recovery. - Double Extortion Gunra not only encrypts data but also steals it. Victims are typically given a five-day deadline to initiate negotiations through a Tor-based portal designed to resemble a messaging app. This combination of data encryption and the threat of a data leak is known as double extortion.
Linux Variant:
- Cross-Platform Expansion In a strategic move to broaden its attack surface, the Gunra group developed a Linux variant. This version is notable for its efficiency and customizability.
- Advanced Features The Linux variant can run up to 100 encryption threads in parallel, significantly speeding up the encryption process. Unlike other ransomware, the number of threads is configurable by the attacker. It also supports partial encryption, allowing attackers to control how much of each file is encrypted.
- Execution This variant requires specific command-line arguments to run and displays its activity logs on the console during execution[3]. It uses a combination of RSA and ChaCha20 encryption algorithms. Interestingly, the Linux version does not drop a ransom note after encrypting files.
Targets and Impact
Since its emergence, Gunra has targeted organizations across various sectors, including manufacturing, healthcare, IT, agriculture, real estate, and pharmaceuticals. Victims have been reported in countries such as the United States, Japan, Canada, Brazil, Egypt, Italy, South Korea, and Taiwan. By July 2025, the group had claimed 14 victims on its leak site and allegedly leaked 40 terabytes of data from a hospital in Dubai.
Mitigation
To defend against Gunra and similar ransomware threats, security experts recommend the following measures:
- Perform regular and robust data backups.
- Implement strong phishing defenses and monitor for suspicious internal network movement.
- Restrict administrative privileges and use network segmentation to limit the potential impact of an attack.
- Monitor WMI activity and enforce file integrity checks.
