Current Cyber Threats

Gunra Ransomware Emerges with New DLS

Summary:
The first half of 2025 saw a surge in new ransomware Dedicated Leak Sites (DLS), with the Gunra ransomware group notably emerging as a significant threat and launching a DLS in April. Gunra's initial activities began on April 10, 2025, and its code exhibits strong similarities to the notorious Conti ransomware, indicating it likely leverages Conti's leaked codebase, much like Black Basta and Royal. Gunra differentiates itself with faster negotiations and refined social engineering tactics, employing a five-day time-based psychological pressure technique to push victims into initiating negotiations and manufacturing a sense of urgency. Gunra encrypts files using a multi-threaded approach based on the number of CPU logical cores, generating an RSA key from an embedded public key to derive a ChaCha20 key for file encryption, and subsequently deletes volume shadow copies using cmd. It drops a "R3ADM3.txt" ransom note in each encrypted folder, directing victims to a payment website for decryption.
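As an added illustration (not from the ASEC report), the following Python snippet shows how a defender could hunt for the two observable behaviours described above, shadow copy deletion via cmd and the R3ADM3.txt ransom note, in process-creation and file-creation telemetry. The sample events are constructed, and the exact vssadmin/wmic command strings are an assumption, since the report only states that cmd is used.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape (not real Gunra logs).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\alice\Documents\R3ADM3.txt"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\alice\Pictures\R3ADM3.txt"},
    {"host": "ws01", "type": "file", "path": r"D:\Shares\finance\R3ADM3.txt"},
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\temp"},
    {"host": "ws02", "type": "file", "path": r"C:\Users\bob\Desktop\README.txt"},
]

# Commonly observed shadow copy deletion one-liners. Assumption: the report says
# Gunra deletes shadow copies through cmd but does not quote the exact command.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
RANSOM_NOTE = "r3adm3.txt"  # file name quoted in the report


def detect(events, note_threshold=2):
    """Return {host: [finding, ...]} for hosts showing Gunra-like behaviour.

    A single ransom note could be a user copying a file; the note is dropped
    per encrypted folder, so we only alert once it appears in several
    directories on the same host.
    """
    findings = defaultdict(list)
    note_dirs = defaultdict(set)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process" and SHADOW_DELETE.search(ev.get("cmdline", "")):
            findings[host].append(f"shadow copy deletion: {ev['cmdline']}")
        elif ev["type"] == "file":
            directory, _, name = ev["path"].rpartition("\\")
            if name.lower() == RANSOM_NOTE:
                note_dirs[host].add(directory)
    for host, dirs in note_dirs.items():
        if len(dirs) >= note_threshold:
            findings[host].append(
                f"ransom note R3ADM3.txt dropped in {len(dirs)} directories")
    return dict(findings)


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Running it flags only ws01, with both the shadow copy deletion and the note spread across three folders; ws02's ordinary cmd use and README.txt produce nothing.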

Security Officer Comments:
The emergence of Gunra ransomware underscores the persistent threat of Conti's legacy and the continuous introduction of new ransomware operations. Gunra's adoption of Conti's codebase, coupled with its focus on quicker negotiations and psychological pressure via time limits, represents a concerning trend in ransomware TTPs. This "rebranding" and refinement of existing, proven ransomware attack methodologies highlights the need for organizations to reevaluate their incident response plans, prioritizing comprehensive backup strategies. Beyond routine backups, offsite and air-gapped data storage with strict access controls and regular recovery drills are critical to avoid business disruption in the face of emerging threats in the lucrative ransomware landscape. The continued proliferation of ransomware groups and their DLS reinforces the importance of proactive threat intelligence gathering and threat hunting to better secure organizations.

Suggested Corrections:
IOCs are available here.

ASEC Recommendations:
  • Apply the latest security updates for operating systems and software. Enable automatic updates wherever possible.
  • Install and maintain security software, ensuring it remains up to date.
  • Perform regular backups and store them offline or within a separate network segment.
  • Exercise caution when opening links or attachments from unreliable websites or unsolicited emails.
  • Use strong, hard-to-guess passwords and enable two-factor authentication (2FA).
Link(s):
https://asec.ahnlab.com/en/89206/