Gunra ransomware is a new threat, first seen in April 2025. The 2022 leak of the Conti source code has since spawned more than a dozen ransomware families, and Gunra has proven to be one of the most dangerous of them.
The attackers’ goal is simple: make recovery so difficult that you have no choice but to pay. To amplify the pressure, they give you a strict five-day deadline.
Gunra ransomware targets high-stakes industries, where operations are time-sensitive. A shutdown in pharmaceuticals delays life-saving treatments. In insurance or real estate, it halts the flow of billions of dollars and compromises sensitive client data.
Gunra is also expanding its reach. A new Linux variant allows it to attack a wider range of networks, making it a more versatile and serious threat.
You cannot afford to ignore Gunra. This advisory breaks down its attack methods, its targets, and techniques for detecting ransomware on your network before the clock runs out.
What Is Gunra Ransomware?
Gunra ransomware was built from the source code of the notorious Conti group, which leaked in 2022 and gave skilled attackers a mature code base from which to build their own ransomware variants.
What makes Gunra different is its focus on speed and intense psychological pressure. This is a two-part attack:
- Encryption: Gunra locks down your critical files.
- Data Theft: It steals copies of your sensitive data.
This double-extortion model, as we discussed in our recent Sarcoma Advisory, is becoming the standard for modern ransomware. It forces you to negotiate, because even if you have backups, the attackers still have your stolen information.
To manage this process, the Gunra group operates a professional data leak site on the dark web. If a victim doesn’t pay within the strict five-day deadline, their data is published. Ransom demands often reach millions of dollars, paid in cryptocurrency, with negotiations designed to be fast and final.
Who Is Gunra Ransomware Targeting?
Gunra ransomware’s attacks are not random; they are strategic. The group focuses on organizations where cybersecurity defenses may be less mature. They attack critical sectors where a data breach will cause maximum economic damage and erode public trust.
The campaign is global and reaches both financial institutions and government bodies. In August 2025, attackers targeted Colombia's military criminal justice system and stole 45 TB of sensitive state documents. Similar attacks crippled major insurers: Seguros América in Nicaragua and Seoul Guarantee Insurance in South Korea.
In North America, the group targets Managed Service Providers (MSPs) and State, Local, and Education (SLED) public sector organizations. Compromising a single MSP can give Gunra access to every organization that MSP manages, a cascade that can lead to the breach of dozens of partners. It also complicates endpoint detection of ransomware, because the malicious activity arrives through a trusted source.
How Does Gunra Ransomware Operate?
A Gunra attack is a fast and methodical process designed to disable defenses and force a quick payment. It happens in three main stages.
Stage 1: The Initial Breach
Gunra gets in through common weak points: a phishing email, an unpatched VPN appliance, or a compromised supply chain.
Once inside, it does not encrypt immediately. It quietly enumerates the file system to map out your most valuable data, using the standard Windows file-enumeration APIs (FindFirstFileExW and FindNextFileW) rather than dropping a separate scanning tool, a Living-off-the-Land approach. This discovery phase targets extensions such as .docx, .pdf, .xls and .jpg, plus database files, while skipping system-critical files so that the host keeps running and the activity does not trip immediate alarms.
Stage 2: Evasion & Disabling Your Safety Nets
Throughout the attack, Gunra hides from security tools. It can detect when it’s being analyzed and disguises its communications as normal network traffic.
It calls IsDebuggerPresent and looks for analysis tools such as x64dbg, WinDbg, or OllyDbg, halting if either check fires. Command-and-control (C2) traffic uses application-layer protocols and often mimics legitimate traffic.
These techniques allow Gunra ransomware to stay undetected, exfiltrating data over encrypted channels (e.g., Tor proxies) before encryption begins. This level of evasion is why effective ransomware detection techniques must analyze network behavior, not just file signatures.
Before locking any files, Gunra ransomware’s first move is to eliminate your recovery options. It specifically hunts for and deletes system backups and Volume Shadow Copies (VSS). This ensures that once the encryption starts, you cannot easily restore your files on your own.
To do this, it uses the Windows Management Instrumentation (WMI) command-line tool with commands like:
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={GUID of the shadowcopy}" delete
With your backups gone, the main attack begins.
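The recovery-inhibition step above is one of the most reliable detection points in the whole chain, because the commands are few and distinctive. The following Python detection logic is an added example, not from the original advisory or from any Gunra sample: it runs over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style fields; host names, paths and the shadow-copy GUID are placeholders) and flags WMIC shadowcopy deletion, the vssadmin, wbadmin and bcdedit equivalents, and the PowerShell WMI variant. It normalizes case, whitespace and typographic quotes first, because command lines copied from reports or rendered by web consoles often carry curly quotes that break naive string matching.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 fields).
# Host names, paths and the shadow-copy GUID are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"host": "fs-srv-02",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy "
                    "where “ID={00000000-0000-0000-0000-000000000001}” delete"},
    {"host": "fs-srv-02",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "db-srv-01",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"host": "ws-101",  # benign: an administrator listing snapshots
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe List Shadows"},
    {"host": "ws-101",  # benign: inventory query through WMIC
     "ParentImage": r"C:\Program Files\Backup\agent.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get Caption,Version"},
]

# Each rule is matched against the normalized (lower-case, straight-quoted) command line.
RULES = [
    ("wmic_shadowcopy_delete",   re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin_delete_shadows",  re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_storage",  re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wbadmin_delete_catalog",   re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("wmi_shadowcopy_delete",    re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b")),
]

# A parent launched from a user-writable location makes a hit far more likely to be malware.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\",
                          "\\programdata\\", "\\users\\public\\")
_QUOTES = str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"})


def normalize(command_line):
    """Lower-case, straighten typographic quotes, collapse whitespace."""
    return " ".join(command_line.translate(_QUOTES).lower().split())


def scan_events(events):
    """One finding per matching event: (host, rule, severity, normalized command line)."""
    findings = []
    for ev in events:
        cmd = normalize(ev["CommandLine"])
        parent = ev["ParentImage"].lower()
        for rule, pattern in RULES:
            if pattern.search(cmd):
                severity = "critical" if any(d in parent for d in SUSPICIOUS_PARENT_DIRS) else "high"
                findings.append((ev["host"], rule, severity, cmd))
                break
    return findings


def hosts_to_isolate(findings):
    """Escalate when a host shows a critical hit, or two different recovery-inhibition rules."""
    by_host = {}
    for host, rule, severity, _ in findings:
        by_host.setdefault(host, set()).add((rule, severity))
    return sorted(host for host, hits in by_host.items()
                  if any(sev == "critical" for _, sev in hits)
                  or len({rule for rule, _ in hits}) >= 2)
```

On the constructed sample, fs-srv-02 produces two critical findings (both commands spawned from a Temp directory) and is queued for isolation; db-srv-01 surfaces as a single high-severity finding from a PowerShell parent, which is worth an alert but sits below the auto-isolation threshold, since an administrator occasionally does clear shadow storage by hand. Tune the parent-path list and the thresholds to your own environment; the point is that every variant of "delete my recovery options" funnels into the same half-dozen patterns.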
Stage 3: Data Encryption and Theft
Before encrypting your data, Gunra makes sure no target files are held open. It enumerates running processes and terminates those that hold locks on the files it wants (databases, Word and similar applications) so that they can be rewritten. To do this it abuses legitimate system mechanisms and escalates to administrator-level privileges (the TTP table below lists Abuse Elevation Control Mechanism and Hijack Execution Flow), giving it full control of the computer.
On the C: drive, only the Users folder is targeted, focusing on high-value personal and business data.
Gunra ransomware uses a hybrid encryption strategy for both speed and strength. File contents are encrypted with a fast stream cipher (ChaCha20), and the ChaCha20 key is then encrypted with the attackers' RSA public key, whose private half never leaves the attackers.
This two-layer approach makes recovery without the attackers' private key computationally infeasible: brute-forcing a 256-bit ChaCha20 key or factoring the RSA modulus is out of reach, so guessing is not an option. Encrypted files receive the .ENCRT extension.
At the same time, the attackers steal copies of your sensitive data. This is the second half of the double-extortion setup.
A ransom note, R3ADM3.txt, is left in every folder, making the threat clear: pay within five days, or your files will be lost and your stolen data will be published online.
Gunra Ransomware’s Expansion Into Linux
Gunra ransomware has evolved. Its new Linux version allows it to attack the core of modern networks: servers, cloud infrastructure, and the Internet of Things (IoT), such as smart speakers, printers, or security cameras.
This version is built for speed, using intermittent (partial) encryption of large files and multi-threading to finish its attack as quickly as possible. This makes it a serious threat to the core of any modern network.
The Linux version is not one monolithic program. Its functionality is split into separate modules that are loaded only when needed (Shared Modules in the TTP table below), so static analysis of any single component reveals only part of the behavior, which makes it much harder for security software to classify the code as malicious before it runs.
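To make the hybrid scheme described under Stage 3 and the partial-encryption trick of the Linux variant concrete, here is an added Python model. It is not Gunra's code and not the advisory's: ChaCha20 per RFC 8439 for file contents, the ChaCha20 key wrapped with textbook RSA, and intermittent encryption (encrypt one chunk, skip three) for files over a size threshold. The fresh key per file, the chunk sizes, and the hardcoded Mersenne primes are assumptions made for the demonstration; real attackers embed a properly generated public key and use padded RSA, and the private exponent appears here only to show the attacker-side unwrap.

```python
import os
import struct

MASK = 0xFFFFFFFF
LARGE_FILE = 64 * 1024   # above this size, encrypt intermittently (assumed threshold)
CHUNK = 4 * 1024         # encrypt CHUNK bytes, leave the next 3*CHUNK untouched, repeat


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 64 keystream bytes for (32-byte key, counter, 12-byte nonce)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key)
    state += (counter,) + struct.unpack("<3L", nonce)
    w = list(state)
    for _ in range(10):                       # 20 rounds: 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *((w[i] + state[i]) & MASK for i in range(16)))


def chacha20_xor(key, nonce, data, counter=1):
    """Stream-cipher XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


# Textbook RSA on hardcoded Mersenne primes: demonstration only (no padding, structured
# primes). Real ransomware embeds a properly generated attacker public key; the private
# exponent is present only so this example can show the attacker-side unwrap.
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))


def rsa_wrap(file_key):
    return pow(int.from_bytes(file_key, "big"), RSA_E, RSA_N)


def rsa_unwrap(wrapped):
    return pow(wrapped, RSA_D, RSA_N).to_bytes(32, "big")


def transform(file_key, nonce, data):
    """Full encryption for small files; intermittent for large ones. Self-inverse (XOR)."""
    if len(data) <= LARGE_FILE:
        return chacha20_xor(file_key, nonce, data)
    out = bytearray(data)
    counter = 1
    for off in range(0, len(data), 4 * CHUNK):
        seg = data[off:off + CHUNK]
        out[off:off + len(seg)] = chacha20_xor(file_key, nonce, seg, counter)
        counter += (len(seg) + 63) // 64     # never reuse a keystream block within a file
    return bytes(out)


def encrypt_file(data):
    """Victim side: fresh ChaCha20 key per file (assumed), wrapped with the public key."""
    file_key, nonce = os.urandom(32), os.urandom(12)
    return {"wrapped_key": rsa_wrap(file_key), "nonce": nonce,
            "body": transform(file_key, nonce, data)}


def decrypt_file(blob):
    """Attacker side: only the holder of RSA_D can recover the file key."""
    return transform(rsa_unwrap(blob["wrapped_key"]), blob["nonce"], blob["body"])


def plaintext_fraction(original, encrypted):
    """Share of bytes left untouched: what an entropy-only scanner sees as 'not encrypted'."""
    return sum(a == b for a, b in zip(original, encrypted)) / len(original)
```

Two things fall out of running this. First, the victim's disk holds only the wrapped key and the ciphertext, so knowing the algorithm is worthless without RSA_D; that is why the advisory's advice to detect before encryption starts is the right emphasis. Second, for a large file roughly three quarters of the bytes remain plaintext after intermittent encryption, so a detector that samples file entropy or checks only file headers can miss it entirely, even though the file is unusable; detection has to key on the burst of rename and rewrite activity, not on what the files look like afterwards.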
This cross-platform capability makes it a comprehensive threat. Gunra demands ransomware detection techniques that can monitor servers and cloud environments, not just Windows endpoints.
Gunra Ransomware: Key Tactics, Techniques, and Procedures (TTPs)
Tactic (MITRE ATT&CK Phase) | Technique ID | Technique Name / Description
Execution | T1047 | Windows Management Instrumentation (WMIC shadow-copy deletion)
Execution | T1129 | Shared Modules (components loaded on demand)
Persistence | T1176 | Software Extensions
Persistence | T1542 | Pre-OS Boot (including Bootkit)
Persistence | T1574 | Hijack Execution Flow (e.g., DLL Side-Loading)
Privilege Escalation | T1055 | Process Injection (the analysis also attributes TerminateProcess calls here)
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism
Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading
Defense Evasion | T1014 | Rootkit (rootkit-like hiding)
Defense Evasion | T1027 | Obfuscated Files or Information (software packing)
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1564.003 | Hide Artifacts: Hidden Window (formerly T1143)
Defense Evasion | T1542.003 | Pre-OS Boot: Bootkit
Defense Evasion | T1548 | Abuse Elevation Control Mechanism
Defense Evasion | T1564 | Hide Artifacts (hidden files and directories)
Defense Evasion | T1574 | Hijack Execution Flow
Credential Access | T1003 | OS Credential Dumping
Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files (formerly T1081)
Credential Access | T1539 | Steal Web Session Cookie
Credential Access | T1552 | Unsecured Credentials
Credential Access | T1555 | Credentials from Password Stores (web browsers)
Discovery | T1057 | Process Discovery
Discovery | T1518.001 | Software Discovery: Security Software Discovery (formerly T1063)
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1518 | Software Discovery
Collection | T1005 | Data from Local System
Collection | T1119 | Automated Collection
Collection | T1185 | Browser Session Hijacking
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1090 | Proxy (exfiltration through proxies)
Impact | T1486 | Data Encrypted for Impact
Impact | T1490 | Inhibit System Recovery (VSS deletion)
Impact | T1496 | Resource Hijacking
Gunra Ransomware: Indicators of Compromise (IoCs)
No specific IPs or domains have been publicly linked to Gunra in recent analyses, so monitor instead for Tor (.onion) traffic and for unusual exfiltration through proxies.
Platforms like Maltiverse aggregate such IoCs, allowing organizations to cross-reference against global threat data for better preparedness.
For example, these SHA-256 file hashes have been associated with Gunra samples:
- 6d25d5c988a8cda3837dff5f294cbc25c97aea48dde1a74cba71a2439cab0a11
- a82e496b7b5279cb6b93393ec167dd3f50aff1557366784b25f9e51cb23689d9
- 854e5f77f788bbbe6e224195e115c749172cd12302afca370d4f9e3d53d005fd
3 Questions To Guide Your Defense Against Gunra
Understanding the threat is the first step. Building a resilient defense is what comes next. A modern security strategy doesn’t start with a checklist of tools; it starts with asking the right questions.
Can You Stop a Gunra Ransomware Attack Before It Happens?
Prevention tools like firewalls, Endpoint Detection and Response (EDR), and antivirus are not foolproof, so a proactive defense is critical. It begins with understanding your external attack surface with tools like Lumu Discover, which shows where attackers can find vulnerabilities in your organization so you can close them before they get through the door. Then, to judge which threats actually endanger you, you need up-to-date intelligence from platforms like Lumu Maltiverse.
Can You See the Signs of a Gunra Ransomware Attack?
Most security tools focus on employee laptops. But Gunra ransomware's Linux variant never runs on those laptops at all; it targets your most critical assets: servers, cloud infrastructure, and IoT devices. An endpoint-only defense is blind to this threat. An effective defense must monitor the one thing all of these devices share: the network.
A Network Detection and Response (NDR) tool, like Lumu Defender, monitors your network for unusual activity and malicious contact, alerting you in real time so you can isolate the threat instantly.
Can You Detect and Stop Data Theft in Action?
While backups can restore files, they cannot prevent a public data leak. Exfiltration requires large data transfers to unusual destinations or the use of anonymizers (a key Gunra tactic), which makes it a prime opportunity for detecting ransomware on the network. An effective NDR alerts you the moment data theft begins, giving you the time needed to contain the threat before files are encrypted.
A Zero Trust approach is also highly effective in limiting the impact of Gunra ransomware, and Defender can be used to enhance a Zero Trust strategy. These tactics are the difference between a manageable incident and a catastrophe.
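As an added example covering both the C2 and exfiltration behavior described under Stage 2 (Tor proxies, application-layer C2) and the detection opportunity described here, the Python below is neither Lumu's nor Gunra's code. It runs over constructed flow records and DNS queries (invented host names, external IPs from the TEST-NET documentation ranges, a placeholder .onion name, made-up per-host baselines) and correlates three independent signals per host: a .onion lookup leaking to the internal resolver, outbound volume far above the host's baseline, and a large upload to an external destination that no other host contacts.

```python
import ipaddress
from collections import defaultdict

# Constructed telemetry: internal hosts are invented, external IPs come from the
# documentation ranges (TEST-NET-2 / TEST-NET-3), the .onion name is a placeholder.
FLOWS = [  # (src_host, dst_ip, dst_port, bytes_out) over one hour
    ("ws-101",    "10.0.0.5",       445, 20_000),
    ("ws-101",    "203.0.113.10",   443, 150_000),
    ("fs-srv-02", "203.0.113.10",   443, 300_000),
    ("db-srv-01", "10.0.0.5",       445, 80_000),
    ("db-srv-01", "198.51.100.77", 9001, 4_200_000_000),   # ~4 GB to a host nobody else contacts
]
DNS_QUERIES = [  # (src_host, queried_name) seen by the internal resolver
    ("ws-101",    "www.example.com"),
    ("db-srv-01", "exampleplaceholderaddress.onion"),
]
# Typical hourly outbound volume per host, e.g. a 30-day median (constructed values).
BASELINE_BYTES_OUT = {"ws-101": 200_000, "db-srv-01": 50_000_000, "fs-srv-02": 1_000_000}

# Explicit internal ranges; ipaddress.is_global would also exclude the TEST-NET sample IPs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_exfiltration(flows, dns_queries, baseline, spike_ratio=10, big_upload=100_000_000):
    """Returns (host, signal, detail) tuples for three independent exfiltration signals."""
    findings = []
    # Signal 1: a .onion lookup reaching the resolver. Tor resolves these inside the
    # circuit, so seeing one at all means a misconfigured or leaking anonymizer client.
    for host, name in dns_queries:
        if name.lower().endswith(".onion"):
            findings.append((host, "onion_lookup", name))
    # Signal 2: total outbound bytes to external destinations vs. the host's baseline.
    out_bytes = defaultdict(int)
    contacted_by = defaultdict(set)
    for host, dst, _port, nbytes in flows:
        if is_external(dst):
            out_bytes[host] += nbytes
            contacted_by[dst].add(host)
    for host, total in out_bytes.items():
        if total > spike_ratio * baseline.get(host, 0):
            findings.append((host, "volume_spike",
                             f"{total} bytes vs baseline {baseline.get(host, 0)}"))
    # Signal 3: a large upload to an external destination that only this host talks to.
    for host, dst, port, nbytes in flows:
        if is_external(dst) and nbytes >= big_upload and contacted_by[dst] == {host}:
            findings.append((host, "rare_destination", f"{dst}:{port} ({nbytes} bytes)"))
    return findings


def hosts_to_contain(findings, min_signals=2):
    """Correlate: two or more distinct signals on one host is the containment trigger."""
    signals = defaultdict(set)
    for host, signal, _ in findings:
        signals[host].add(signal)
    return sorted(host for host, kinds in signals.items() if len(kinds) >= min_signals)
```

On the constructed data only db-srv-01 trips any signal, and it trips all three, so it is the one host queued for containment; the workstation and file server stay quiet because their traffic goes to a destination shared with other hosts and sits within baseline. Each signal alone is noisy (a legitimate cloud backup also looks like a volume spike), which is why the containment decision is made on the correlation rather than on any single rule.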
Act Against Gunra Ransomware Before the Clock Starts
Threats like Gunra ransomware are fast, cross-platform, and designed to slip through the gaps between individual security tools. A modern defense must operate as one cohesive, automated system to be effective.
The Lumu SecOps Platform provides the unified visibility to make this happen. It integrates your existing security stack, creating an automated defense that responds in seconds, not days.
The attackers give you a five-day deadline. The right defense stops the attack before the clock even starts.