Gunra Ransomware Emerges with New DLS
AhnLab TIP monitors the current ransomware group activities across dark web forums, marketplaces, and other sources. Through the Live View > Dark Web Watch menu, users can track the most active ransomware groups, uncover their collaborations, and gain insights into planned attacks and techniques—enabling user organizations to anticipate threats, prepare defenses, and prevent damage before it occurs.

Figure 1. AhnLab TIP’s Dark Web Watch
During the first half of 2025, many ransomware groups have been actively opening new Dedicated Leak Sites (DLS). The following graph shows new ransomware DLS sites identified by AhnLab from February to June 2025. Among them, the Gunra ransomware group is particularly notable. In April 2025, the Gunra ransomware DLS was newly discovered, and AhnLab analyzed the group’s activities based on this information.

Figure 2. Status of new ransomware DLS collected from February to June 2025
Gunra’s initial activities were identified on April 10, 2025, with its code showing notable similarities to the infamous Conti ransomware. Conti, a Russia-based group active since 2020, gained notoriety for its aggressive tactics and widespread impact. In February 2022, a Ukrainian member of the Conti ransomware group leaked the internal documents and source code in protest after the group released a statement supporting the Russian government. This leak led to the emergence of several new ransomware variants, including Black Basta and Royal, which repurposed Conti’s codebase. Gunra appears to be another group leveraging Conti’s leaked code, but with enhancements focused on speeding up negotiations and refining social engineering tactics. One of Gunra’s most distinctive strategies is its time-based pressure technique, which forces victims to begin negotiations within five days—adding urgency and psychological stress to the attack. Based on this background, this blog post describes the execution flow of Gunra ransomware.
Analysis Information
Gunra ransomware encrypts files from dedicated worker threads, each running the encryption routine; the number of threads it creates is determined by the number of logical CPU cores on the victim's machine.

Figure 3. Creating a thread
Each worker thread uses the RSA public key embedded in the binary to generate an RSA key. From that RSA key it derives the ChaCha20 key, and this ChaCha20 key is what the file encryption routine uses, as shown in Figures 6 and 7.

Figure 4. Creating an RSA key

Figure 5. Public key existing inside the file

Figure 6. Generating ChaCha20 key

Figure 7. Part of the file encryption routine

Figure 8. Part of the ChaCha20 encryption routine
After all file encryption logic is completed, the following cmd command is used to delete the volume shadow copies of the infected PC:
- cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={GUID of the shadowcopy}" delete

Figure 9. Deleting the volume shadow copy
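The shadow copy deletion above is one of the few host-side signals that precede data loss, so it is worth detecting in process-creation telemetry. The following is an added example (not code from the AhnLab analysis): it parses constructed process-creation events in a simple "timestamp | image | command line" layout and flags the WMIC shadowcopy deletion the page documents. As a generalization beyond the page, the same detector also matches the equivalent vssadmin delete shadows command, which other ransomware families use for the same purpose. The event format and the GUID placeholder are assumptions for the example.

```python
import re

# Constructed sample process-creation events (not from the page). Each entry is
# "timestamp | image | command line". The WMIC line mirrors the command quoted
# in the analysis, with a placeholder instead of a real shadow copy GUID.
SAMPLE_EVENTS = [
    '2025-04-10T09:12:01Z | C:\\Windows\\System32\\cmd.exe | '
    'cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where "ID={PLACEHOLDER-GUID}" delete',
    '2025-04-10T09:12:05Z | C:\\Windows\\System32\\wbem\\WMIC.exe | WMIC.exe os get caption',
    '2025-04-10T09:13:40Z | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe delete shadows /all /quiet',
    '2025-04-10T09:14:00Z | C:\\Windows\\explorer.exe | explorer.exe',
]

# Detection rules. The WMIC rule is the behaviour documented for Gunra; the
# vssadmin rule is a generalization added here so the detector also covers the
# other common tool used to destroy shadow copies. Matching is case-insensitive
# and tolerant of arguments placed between the verb and the target.
PATTERNS = {
    "wmic_shadowcopy_delete": re.compile(
        r"wmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    "vssadmin_delete_shadows": re.compile(
        r"vssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
}


def parse_event(line):
    """Split one constructed event line into its three fields."""
    timestamp, image, cmdline = (part.strip() for part in line.split("|", 2))
    return {"timestamp": timestamp, "image": image, "cmdline": cmdline}


def detect_shadow_copy_deletion(lines):
    """Return the events whose command line matches a shadow copy deletion rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for rule_name, pattern in PATTERNS.items():
            if pattern.search(event["cmdline"]):
                hits.append({**event, "rule": rule_name})
                break  # one rule per event is enough for alerting
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{hit['timestamp']} {hit['rule']}: {hit['cmdline']}")
```

In a real deployment the parser would be replaced by the field mapping of the telemetry source (for example the CommandLine field of a process-creation event), while the two regexes carry over unchanged. Because the WMIC invocation in the page is launched through cmd.exe /c, matching on the full command line rather than on the image name is what makes the rule fire.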
As shown in Figure 9, Gunra ransomware typically drops a ransom note named “R3ADM3.txt” in each folder it encrypts, instructing victims to visit the threat actor’s website and pay to have their files decrypted, following the standard pattern observed in ransomware.

Figure 10. Ransom note
| Characteristic | Value |
| --- | --- |
| Extension of the encrypted file | .ENCRT |
| Folders excluded from infection | tmp, winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, Boot, Windows, Trend Micro |
| Extensions excluded from infection | .exe, .dll, .lnk, .sys, .msi, .ENCRT |
| Files excluded from infection | R3ADM3.txt, CONTI_LOG.txt |
| Ransom note | R3ADM3.txt |
| Note | If the target drive is C:\, only the C:\Users folder is infected. |
Table 1. Characteristics of Gunra ransomware
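The file-system indicators in Table 1 are what an incident responder uses to scope an infection on a host. The following is an added example, not code from the AhnLab analysis: it walks a directory tree, inventories files carrying the .ENCRT extension, the R3ADM3.txt ransom notes and the CONTI_LOG.txt artifact, and separately reports any .ENCRT file found inside a folder the table says the ransomware skips, since that would suggest a different variant than the one analyzed. The sample directory layout it builds under a temporary directory is constructed for the example and is not from the page.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from Table 1 of the analysis.
ENCRYPTED_EXT = ".ENCRT"
RANSOM_NOTE = "R3ADM3.txt"
LOG_ARTIFACT = "CONTI_LOG.txt"
# Folder names the ransomware excludes (lower-cased for comparison).
EXCLUDED_DIRS = {"tmp", "winnt", "temp", "thumb", "$recycle.bin",
                 "system volume information", "boot", "windows", "trend micro"}


def triage_tree(root):
    """Summarise Gunra file-system indicators below root for incident scoping."""
    root = Path(root)
    summary = {"encrypted_files": [], "ransom_notes": [],
               "log_artifacts": [], "encrypted_in_excluded_dir": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        # Any path component matching an excluded folder name means the
        # analyzed sample should not have touched files here.
        rel_parts = {p.lower() for p in Path(dirpath).relative_to(root).parts}
        in_excluded = bool(rel_parts & EXCLUDED_DIRS)
        for name in filenames:
            rel = str((Path(dirpath) / name).relative_to(root))
            if name.endswith(ENCRYPTED_EXT):
                summary["encrypted_files"].append(rel)
                if in_excluded:
                    summary["encrypted_in_excluded_dir"].append(rel)
            elif name == RANSOM_NOTE:
                summary["ransom_notes"].append(rel)
            elif name == LOG_ARTIFACT:
                summary["log_artifacts"].append(rel)
    for key in summary:
        summary[key].sort()
    return summary


def build_sample_tree():
    """Create a constructed post-infection layout in a temp dir (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="gunra_triage_"))
    layout = {
        "Users/alice/Documents/report.docx.ENCRT": b"",
        "Users/alice/Documents/R3ADM3.txt": b"constructed note",
        "Users/alice/Pictures/photo.jpg.ENCRT": b"",
        "Users/alice/Pictures/R3ADM3.txt": b"constructed note",
        "Users/alice/CONTI_LOG.txt": b"constructed log",
        "Users/alice/setup.exe": b"",            # excluded extension, untouched
        "Windows/System32/config.sys": b"",      # excluded folder, untouched
        "Windows/Temp/cache.bin.ENCRT": b"",     # would contradict Table 1
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(f"encrypted files: {len(result['encrypted_files'])}")
    print(f"ransom notes:    {len(result['ransom_notes'])}")
    print(f"log artifacts:   {result['log_artifacts']}")
    print(f"unexpected:      {result['encrypted_in_excluded_dir']}")
```

Run against a mounted image or a live host, the counts give a quick measure of blast radius, the note locations show which trees were traversed, and a non-empty "encrypted_in_excluded_dir" list is a cue to re-examine the sample rather than assume the behaviour in Table 1.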
As the volume of DLS ransomware samples continues to grow, it poses a serious and escalating threat to both organizations and individual users. To safeguard critical assets and maintain stable operations, it is strongly advised to follow these key security practices:
- Apply the latest security updates for operating systems and software. Enable automatic updates wherever possible.
- Install and maintain security software, ensuring it remains up to date.
- Perform regular backups and store them offline or within a separate network segment.
- Exercise caution when opening links or attachments from unreliable websites or unsolicited emails.
- Use strong, hard-to-guess passwords and enable two-factor authentication (2FA).
In addition to routine backups, users must store important data in a separate offsite location disconnected from the service network. Implement strict access controls for backup repositories and conduct regular recovery drills. Simply backing up data is not enough: strategic planning is essential to ensure both the security and recoverability of backup systems in the event of a ransomware attack.