Gunra Ransomware: Conti-Derived Double-Extortion Threat Targeting Global Critical Sectors


I can't believe we're still dealing with this nonsense.


Get questions like this:

  1. What do you know about Gunra ransomware?
  2. What are the known initial infection vectors or delivery methods used by Gunra ransomware (e.g., phishing, RDP brute force, exploit kits)?
  3. Are there any known threat actor groups or intrusion sets linked to Gunra ransomware based on TTP overlaps or shared infrastructure?



Suggested Pivot

How can endpoint telemetry, network traffic analysis, and victim interviews be systematically used to evaluate the effectiveness of current mitigation strategies (e.g., EDR deployment, network segmentation, phishing training) against Gunra ransomware across its targeted sectors and countries, and what gaps remain in these defenses?


TL;DR

Key Points

    • Gunra ransomware, first observed in April 2025, leverages the Conti codebase and advanced double-extortion tactics.
    • Organizations in Japan, Egypt, Panama, Italy, and Argentina—especially in manufacturing, pharmaceuticals, real estate, and critical infrastructure—are primary targets.
    • Initial access vectors are not definitively known but likely include phishing, vulnerability exploitation, and credential theft.
    • Defenders should prioritize detection of suspicious process creation, shadow copy deletion, and Tor-based negotiation traffic.
    • Gunra employs sophisticated evasion, privilege escalation, and anti-recovery techniques, including process injection, WMI abuse, and anti-debugging.
    • Key indicators include "gunraransome.exe" process, ".ENCRT" file extensions, "R3ADM3.txt" ransom notes, and outbound Tor connections.
    • No direct links to other APTs or aliases have been established, but TTPs closely mirror Conti, LockBit, and Black Basta.
    • Detection and mitigation require EDR deployment, network segmentation, immutable backups, and user training.
    • Short-term forecasts predict rapid campaign expansion, enhanced evasion, and automation of extortion portals; long-term, expect modularization, AI-driven evasion, and sector diversification.
    • Defensive posture must adapt to evolving TTPs and increased regulatory/law enforcement pressure.

Executive Summary

Gunra ransomware is a newly emerged, highly sophisticated double-extortion threat, first detected in April 2025 and attributed to a financially motivated group leveraging the Conti ransomware codebase. It targets Windows environments across multiple global sectors, with a focus on manufacturing, pharmaceuticals, real estate, and critical infrastructure in Japan, Egypt, Panama, Italy, and Argentina. Gunra's infection chain has not been confirmed, but it likely involves phishing, exploitation of vulnerabilities, and credential theft, consistent with recent ransomware trends.

Technically, Gunra exhibits advanced evasion and impact techniques: it launches as "gunraransome.exe," enumerates and encrypts targeted files (appending ".ENCRT"), deletes shadow copies via WMI to inhibit recovery, and drops ransom notes ("R3ADM3.txt") in every directory. It uses anti-debugging, process injection, and privilege escalation to bypass defenses, and exfiltrates data for double-extortion via Tor-based negotiation portals.

Detection strategies should focus on process and file monitoring, shadow copy deletion commands, ransom note creation, and Tor network traffic. Mitigation requires robust EDR solutions, strict privilege management, network segmentation, immutable offline backups, DNS/Tor filtering, and comprehensive user training. Sigma rules and IOCs (e.g., file hashes, ransom note names, Tor domains) are available for operational defense.

Forecasts indicate Gunra will rapidly evolve, adopting fileless and AI-driven evasion, modular payloads, and expanded sector targeting. Defensive strategies must anticipate automation in extortion, increased zero-day exploitation, and potential collaboration with other ransomware or APT groups. Continuous intelligence collection, technical monitoring, and adaptive incident response are critical to countering this emerging threat.


Research & Attribution

Historical Context

Gunra ransomware is a newly emerged strain first identified in April 2025. It is part of the modern wave of ransomware families employing double-extortion tactics—encrypting victim data while simultaneously exfiltrating sensitive information to increase pressure for ransom payment. Gunra is based on the Conti ransomware codebase, inheriting many of its sophisticated techniques and operational methods. It has rapidly gained attention due to its advanced evasion capabilities and global targeting of multiple industries.

Timeline

  • April 2025: Gunra ransomware first observed in active campaigns.
  • April–May 2025: Rapid spread targeting organizations in Japan, Egypt, Panama, Italy, and Argentina.
  • May 2025: Public technical analyses and detection rules published by cybersecurity firms such as CYFIRMA and SOC Prime.

Origin

Gunra ransomware is attributed to a financially motivated cybercriminal group leveraging Conti ransomware code. It targets Windows systems and operates a Tor-based extortion portal for ransom negotiations, using double-extortion tactics to maximize financial gain.

Countries Targeted

  1. Japan – Documented victim organizations targeted by Gunra ransomware.
  2. Egypt – Victims reported in manufacturing and pharmaceutical sectors.
  3. Panama – Part of the global footprint of Gunra ransomware attacks.
  4. Italy – Targeted in sectors such as real estate and manufacturing.
  5. Argentina – Victim organizations affected by Gunra ransomware campaigns.

Sectors Targeted

  1. Manufacturing – Frequently targeted for disruption and ransom.
  2. Pharmaceuticals – Targeted for sensitive data exfiltration and encryption.
  3. Real Estate – Victims include companies in this sector globally.
  4. Critical Infrastructure – Targeted due to high impact potential.
  5. Various Enterprises – Other sectors affected by Gunra ransomware.

Motivation

Gunra ransomware operators are financially motivated, employing double-extortion tactics to maximize ransom payments by encrypting victim files and exfiltrating sensitive data, threatening public release if demands are not met.

Attack Types and Infection Chain

Initial Access

The exact initial access vector for Gunra ransomware remains unknown due to its recent discovery and limited public data. However, based on typical ransomware trends and CYFIRMA intelligence, initial access is likely achieved through:

  • Phishing emails with malicious attachments or links
  • Exploitation of software vulnerabilities
  • Use of stolen or compromised credentials
  • Possibly through loaders or web shells deployed post-compromise

Technical Characteristics and TTPs

  • Execution begins with the creation of a process named "gunraransome.exe" visible in Task Manager.
  • Enumerates running processes and walks the file system using Windows APIs (e.g., FindNextFileExW) to identify target files (.docx, .pdf, .xls, .jpg).
  • Uses anti-debugging techniques via the IsDebuggerPresent API to detect and evade analysis.
  • Manipulates processes using GetCurrentProcess and TerminateProcess for privilege escalation and to disable security tools.
  • Deletes Volume Shadow Copies using Windows Management Instrumentation (WMI) to prevent recovery.
  • Encrypts files with strong encryption algorithms (specific algorithms not publicly detailed) and appends ".ENCRT" extension.
  • Drops ransom notes named "R3ADM3.txt" in every encrypted directory.
  • Exfiltrates sensitive data to attacker-controlled infrastructure.
  • Negotiations occur via Tor-based portals styled like messaging apps, with roles such as "Manager" assigned to operators.

MITRE ATT&CK Techniques (Top 15 Relevant)

  • Execution: T1047 (Windows Management Instrumentation), T1129 (Shared Modules)
  • Persistence: T1176 (Software Extensions), T1542.003 (Bootkit), T1574.002 (DLL Side-Loading)
  • Privilege Escalation: T1055 (Process Injection), T1548 (Abuse Elevation Control Mechanism)
  • Defense Evasion: T1014 (Rootkit), T1027 (Obfuscated Files or Information), T1036 (Masquerading), T1564.001 (Hidden Files and Directories)
  • Credential Access: T1003 (OS Credential Dumping), T1555.003 (Credentials from Web Browsers)
  • Discovery: T1057 (Process Discovery), T1082 (System Information Discovery)
  • Impact: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery)

Known Aliases

No definitive or widely recognized aliases for Gunra ransomware have been identified by major threat intelligence providers. Gunra appears to be a newly emerged ransomware strain without alternative names or aliases in major CTI sources.

Similar Threat Actor Groups

  1. Conti Ransomware Group
    • Gunra ransomware is based on Conti ransomware code and shares similar double-extortion tactics and advanced evasion techniques.
  2. Other Double-Extortion Ransomware Groups (e.g., LockBit, Black Basta)
    • Similar use of data encryption combined with data exfiltration and extortion.

Breaches Involving This Threat Actor

No publicly reported specific breach incidents involving Gunra ransomware have been documented in open-source news within the past year. However, victimology includes organizations in Japan, Egypt, Panama, Italy, and Argentina across multiple sectors.

Detection and Mitigation Strategies

Detection

  • Monitor for processes named "gunraransome.exe" or similar suspicious executables.
  • Detect file encryption activities appending ".ENCRT" extensions.
  • Alert on shadow copy deletion commands, whether issued through WMI or directly (e.g., vssadmin.exe, wmic.exe, or powershell.exe invoked with shadow copy deletion arguments).
  • Detect use of IsDebuggerPresent API calls and process manipulation functions (GetCurrentProcess, TerminateProcess).
  • Monitor creation of ransom note files named "R3ADM3.txt" in multiple directories.
  • Monitor network traffic for connections to Tor (.onion) domains associated with ransom negotiation portals.
  • Use Endpoint Detection and Response (EDR) tools to detect abnormal process enumeration, privilege escalation, and code injection.
  • Implement file integrity monitoring to detect unauthorized file changes.

Mitigation

  • Maintain regular, immutable, offline backups and test recovery procedures.
  • Restrict administrative privileges and enforce least privilege principles.
  • Use application whitelisting to prevent unauthorized executables.
  • Segment networks to limit lateral movement.
  • Block outbound connections to known malicious domains and Tor nodes via firewall and DNS filtering.
  • Monitor and restrict WMI usage to prevent shadow copy deletion.
  • Educate users on phishing and social engineering tactics.
  • Deploy anti-ransomware solutions with behavioral detection capabilities.
  • Immediately isolate infected systems and disconnect from networks upon detection.

Expanded Sigma Rule (Example)

title: Gunra Ransomware Detection - Process, Shadow Copy Deletion, Ransom Note, and Tor Traffic
id: 12345678-90ab-cdef-1234-567890abcdef
description: Detects Gunra ransomware activity including process creation, shadow copy deletion, ransom note creation, and Tor network connections
status: experimental
author: CYFIRMA
logsource:
  product: windows
  service: sysmon
detection:
  # The selections span three Sysmon event types (1 = process creation,
  # 11 = file creation, 3 = network connection), so each one is pinned to
  # its EventID rather than relying on field names alone.
  selection_process:
    EventID: 1
    Image|endswith: '\gunraransome.exe'
  selection_shadowcopy:
    EventID: 1
    Image|endswith:
      - '\powershell.exe'
      - '\wmic.exe'
      - '\vssadmin.exe'
    CommandLine|contains|all:
      - 'shadow'
      - 'delete'
  selection_ransomnote:
    EventID: 11
    TargetFilename|endswith: 'R3ADM3.txt'
  selection_tor_traffic:
    EventID: 3
    DestinationHostname|endswith: '.onion'
  condition: selection_process or selection_shadowcopy or selection_ransomnote or selection_tor_traffic
fields:
  - EventID
  - Image
  - CommandLine
  - TargetFilename
  - DestinationHostname
level: high
tags:
  - ransomware
  - attack.execution
  - attack.t1047
  - attack.defense_evasion
  - attack.impact
  - attack.t1486
  - attack.t1490
falsepositives:
  - Legitimate use of shadow copy deletion by administrators
  - Legitimate creation of text files named R3ADM3.txt
  - Legitimate Tor traffic in privacy-focused environments
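As an added example (not CYFIRMA's, SOC Prime's, or this page's own code), the Python below renders the four selections of the rule above as a matcher over constructed Sysmon-style event records, and goes one step beyond the rule by adding a sliding-window count of ".ENCRT" file creations per process, which catches the encryption loop itself rather than a single suspicious rename. Field names follow the Sigma rule (EventID, Image, CommandLine, TargetFilename, DestinationHostname) plus Sysmon's UtcTime and ProcessId; every path, hostname, process id and the 20-files-in-60-seconds threshold is a constructed assumption.

```python
"""Toy matcher for the Gunra detection logic above, run over constructed Sysmon-like events.

Added example for this page; not CYFIRMA's or SOC Prime's code and not the
page's Sigma rule itself, only a Python rendering of its four selections plus
a rate-based check for the ".ENCRT" rename burst named in the Detection list.
All event records, paths, hostnames and the burst threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Values taken from the page; comparisons are case-insensitive, as in Sigma.
PAYLOAD_NAME = "\\gunraransome.exe"
SHADOW_TOOLS = ("\\powershell.exe", "\\wmic.exe", "\\vssadmin.exe")
RANSOM_NOTE = "r3adm3.txt"
ENCRYPTED_EXT = ".encrt"
# Constructed tuning values: flag a process creating >= 20 .ENCRT files within 60 s.
BURST_THRESHOLD = 20
BURST_WINDOW_S = 60


def match_event(ev):
    """Return the names of the Sigma selections (from the rule above) that one event matches."""
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    hits = []
    if eid == 1 and image.endswith(PAYLOAD_NAME):          # Sysmon 1: process creation
        hits.append("selection_process")
    if eid == 1 and image.endswith(SHADOW_TOOLS):
        cmd = ev.get("CommandLine", "").lower()
        if "shadow" in cmd and "delete" in cmd:            # 'vssadmin list shadows' stays silent
            hits.append("selection_shadowcopy")
    if eid == 11 and ev.get("TargetFilename", "").lower().endswith(RANSOM_NOTE):   # Sysmon 11
        hits.append("selection_ransomnote")
    if eid == 3 and ev.get("DestinationHostname", "").lower().endswith(".onion"):  # Sysmon 3
        hits.append("selection_tor_traffic")
    return hits


def _utc(s):
    """Parse Sysmon's UtcTime format."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_encrt_bursts(events, threshold=BURST_THRESHOLD, window_seconds=BURST_WINDOW_S):
    """Sliding-window count of .ENCRT file creations per (ProcessId, Image).

    One .ENCRT file is weak evidence; a burst from a single process is the
    encryption loop. Returns the (ProcessId, Image) keys that reach the threshold.
    """
    window = timedelta(seconds=window_seconds)
    by_proc = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 11 and ev.get("TargetFilename", "").lower().endswith(ENCRYPTED_EXT):
            by_proc[(ev.get("ProcessId"), ev.get("Image"))].append(_utc(ev["UtcTime"]))
    flagged = []
    for key, times in by_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def triage(events, threshold=BURST_THRESHOLD, window_seconds=BURST_WINDOW_S):
    """Run every event through the selections and the burst check; return a summary dict."""
    alerts = defaultdict(list)
    for ev in events:
        for sel in match_event(ev):
            alerts[sel].append(ev["UtcTime"])
    return {"selections": dict(alerts),
            "encrt_bursts": find_encrt_bursts(events, threshold, window_seconds)}


# ---- constructed sample telemetry (no real victim data) ----
PAYLOAD = r"C:\Users\victim\AppData\Local\Temp\gunraransome.exe"
OTHER = r"C:\Program Files\Backup\archiver.exe"


def _ev(eid, utc, **fields):
    return {"EventID": eid, "UtcTime": utc, **fields}


SAMPLE_EVENTS = [
    # benign: an administrator listing shadow copies (no 'delete' on the command line)
    _ev(1, "2025-05-01 10:00:00.000", Image=r"C:\Windows\System32\vssadmin.exe",
        CommandLine="vssadmin list shadows", ProcessId=400),
    _ev(1, "2025-05-01 10:01:00.000", Image=PAYLOAD, CommandLine="gunraransome.exe", ProcessId=1337),
    _ev(1, "2025-05-01 10:01:05.000", Image=r"C:\Windows\System32\vssadmin.exe",
        CommandLine="vssadmin delete shadows /all /quiet", ProcessId=1400),
    _ev(1, "2025-05-01 10:01:06.000", Image=r"C:\Windows\System32\wbem\WMIC.exe",
        CommandLine="wmic shadowcopy delete", ProcessId=1401),
    _ev(11, "2025-05-01 10:01:10.000", Image=PAYLOAD,
        TargetFilename=r"C:\Users\victim\Documents\R3ADM3.txt", ProcessId=1337),
    _ev(3, "2025-05-01 10:01:12.000", Image=PAYLOAD,
        DestinationHostname="placeholder-portal.onion", ProcessId=1337),  # placeholder, not a real IoC
    _ev(11, "2025-05-01 10:02:00.000", Image=r"C:\Windows\System32\notepad.exe",
        TargetFilename=r"C:\Users\victim\Documents\notes.txt", ProcessId=2000),
]
# the encryption loop: 25 .ENCRT files written by the payload within 25 seconds
SAMPLE_EVENTS += [_ev(11, f"2025-05-01 10:01:{15 + i:02d}.000", Image=PAYLOAD,
                      TargetFilename=fr"C:\Users\victim\Documents\doc{i}.docx.ENCRT", ProcessId=1337)
                  for i in range(25)]
# a low-volume look-alike that must stay under the threshold
SAMPLE_EVENTS += [_ev(11, f"2025-05-01 10:03:{i:02d}.000", Image=OTHER,
                      TargetFilename=fr"C:\Backups\chunk{i}.ENCRT", ProcessId=3000)
                  for i in range(3)]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Running the block prints one timestamp list per matched selection and the single bursting (ProcessId, Image) pair; the benign "vssadmin list shadows" and the three-file look-alike produce nothing, which is the behaviour the rule's falsepositives section asks for. The threshold and window are the knobs to tune against a baseline of legitimate file-creation rates in your own environment.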

Indicators of Compromise (IOCs)

  • File Hashes:
    • MD5: 9a7c0adedc4c68760e49274700218507
    • SHA-256: 854e5f77f788bbbe6e224195e115c749172cd12302afca370d4f9e3d53d005fd
  • Ransom Note Filename: R3ADM3.txt
  • Mutexes: Not publicly disclosed
  • Registry Keys: Not publicly disclosed
  • C2 Domains/IPs: Tor-based .onion domains used for ransom negotiation (specific URLs withheld for operational security)
  • Network Indicators: Outbound connections to Tor network addresses for command and control and negotiation.

Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps

(Subscribers Only)
