GBHackers

Gunra Ransomware Expands RaaS After Conti Locker Shift


Gunra ransomware is rapidly evolving into a more structured and dangerous cybercrime operation after shifting from a Conti-based locker to its own Ransomware-as-a-Service (RaaS) model.

First discovered in April 2025, the group initially targeted a small number of victims, but its recent operational changes have significantly increased its reach and impact across industries.

Gunra first drew attention after attacking five companies in South Korea shortly after its emergence. In its early stages, the group relied on a Conti-based ransomware variant, indicating ties to previously leaked Conti source code that many threat actors have reused.

However, Gunra has since transitioned into a fully independent operation by developing its own ransomware payload.

This shift coincided with the group adopting a RaaS model, allowing affiliates to use its tools in exchange for a share of ransom payments.

As of March 9, 2026, at least 32 organizations have been confirmed as victims of Gunra ransomware attacks.

While activity slowed during the second half of 2025, the move into the RaaS ecosystem has driven a noticeable resurgence in attacks, suggesting successful affiliate recruitment and scaling.

Analysis of S2W research reveals a consistent activity window between 08:00 and 10:00, aligning with typical business hours in parts of Asia. However, due to limited data, attributing a specific geographic origin remains inconclusive.

Gunra maintains a low public profile and avoids excessive promotion. Instead, it operates within established dark web communities where ransomware activity is normalized. The group has been observed on forums such as RAMP, Rehub, Tierone, and Darkforums.

Gunra’s DLS (Source: S2W).

Within these platforms, Gunra promotes its RaaS program, recruits affiliates and penetration testers, and sells stolen data from compromised organizations.

In at least one case, a user posted data from the same victim as the operator, suggesting coordination and confirming the presence of active affiliates within the ecosystem.

Gunra Ransomware

Unlike many RaaS groups, Gunra affiliates do not publicly declare their association. However, indirect evidence such as shared victim data confirms collaboration between operators and affiliates.

Further analysis of Gunra’s infrastructure reveals a feature-rich affiliate panel. The platform includes functions for negotiation, file management, payload deployment (lock tool), handler communication, and brand customization.

Notably, Gunra allows affiliates to operate under their own ransomware branding, increasing the likelihood of new variants emerging under different names.

The operator also plays an active role in ransom negotiations, indicating centralized control over critical stages of the attack lifecycle.

The group does not enforce strict rules on target industries. Additionally, restrictions on geographic targets appear flexible and may depend on the affiliate’s location, increasing the risk of widespread and indiscriminate attacks.

Gunra’s ransomware builder supports both Windows and Linux environments, highlighting its capability to target diverse infrastructures.

The Windows variant remains consistent with previously analyzed samples, while the Linux version shows notable modifications.

These include changes to execution parameters, logging functionality, and encryption mechanisms.

Researchers have also identified cryptographic weaknesses in parts of the Linux implementation, which could potentially be leveraged for defensive analysis or decryption efforts.

Mitigations

Security experts recommend heightened vigilance due to Gunra’s expanding RaaS model and lack of targeting restrictions.

  • Continuously monitor dark web forums for emerging threats, affiliate recruitment, and leaked data.
  • Strengthen endpoint detection and response systems to identify ransomware behaviors early.
  • Apply strict access controls and patch management to reduce initial intrusion vectors.
  • Prepare incident response plans, including offline backups and recovery strategies.

Unlike other ransomware groups that avoid critical sectors such as healthcare, Gunra imposes no such limitations.

Combined with its flexible affiliate structure, this increases the potential attack surface and overall threat level.

Organizations should also monitor for new ransomware variants, as Gunra’s branding flexibility allows affiliates to launch campaigns under different identities, making detection and attribution more challenging.
