CyberSecurityNews

Gunra Ransomware Expands RaaS Operations After Shifting From Conti-Based Locker


Gunra ransomware has quickly grown from a new threat into a serious global problem, hitting dozens of organizations in less than a year.

The group behind it is not just encrypting data, but also running a business-like operation that sells access, leaks stolen files, and recruits partners to spread its malware. For defenders, this is not a one-off campaign but a maturing ecosystem that keeps evolving.

First observed in April 2025, Gunra initially targeted five companies in South Korea, drawing attention for the speed and focus of its early attacks.

At that stage, the group relied on a Conti-based ransomware locker, reusing code and techniques from an older, notorious family.

Even then, the attacks showed careful planning, with activity largely aligned to business hours in Asia and concentrated bursts of operator activity in the morning.

This open targeting posture means the potential damage can spread across many sectors, and new brands may emerge that are technically Gunra under a different name, as S2W said in a report shared with Cyber Security News (CSN).

Over time, Gunra pivoted away from using a Conti-based locker and moved fully into a Ransomware as a Service model, where affiliates rent the tools and share profits from each attack.

As the group expanded into this RaaS ecosystem, analysts from S2W documented how activity, which had slowed in late 2025, surged again once new affiliates joined and began running their own campaigns.

Gunra Ransomware Expands RaaS Operations

As of March 9, 2026, a total of 32 victim organizations had been confirmed, showing how quickly the threat scaled once the service model took hold.

S2W’s research notes that Gunra operators run almost all of their activity through dark web forums that allow ransomware-related content.

The group keeps public promotion to a minimum, preferring to post in controlled spaces such as RAMP, Rehub, Tierone, and Darkforums where they recruit affiliates, hire penetration testers, and sell compromised data.

Gunra’s DLS (Source – S2W)

This low profile makes Gunra harder to track, but it also signals a deliberate, long-term strategy instead of quick smash-and-grab attacks.

The wider impact is not limited to a single sector or geography, because Gunra does not enforce strict limits on who its partners can target.

Unlike some RaaS programs that avoid hospitals or critical infrastructure, Gunra’s internal rules do not set separate prohibited industries, and any restrictions on target countries appear to be flexible and tied to the affiliate’s home region.

The move from a Conti-based locker to Gunra’s own ransomware is central to how the group expanded its RaaS operations.

Initially, relying on established Conti code gave the operators a fast way to launch attacks, but it also placed limits on how much they could customize their tools and panel features.

Once they developed their own ransomware and integrated it into a hosted panel, Gunra could control everything from build options to negotiation workflows.

In the RaaS model described by S2W, Gunra provides a web-based panel that affiliates use to manage attacks, track victims, and handle payments.

This panel exposes features such as Negotiation, Files, Lock Tool, Handler, and Brand Setting, giving affiliates a simple dashboard for running their operations.

The operator does not just hand over the tools but directly participates in negotiation with victims, which suggests a central team oversees the most sensitive parts of each extortion.

Gunra’s builder supports both Windows and Linux systems, allowing affiliates to generate payloads that fit their preferred targets.

S2W notes that the Windows builds match earlier samples, while the Linux builds have updated execution parameters, logging, encryption logic, and even changes in parts where cryptographic weaknesses had been found.

These changes show that the group is actively refining its code, closing gaps, and tuning performance based on earlier analysis.

As the RaaS offering matured, Gunra’s dark web presence became more structured. The operators promote their program on forums that specialize in ransomware and data leaks, but they avoid loud marketing and rely on word-of-mouth and private contacts to onboard new partners.

S2W identified at least one user believed to be a Gunra affiliate after that user posted data from the same victim as the core operator, hinting at a growing network of semi-independent actors.

Expanding ecosystem and defender response

Gunra’s internal rules show no strict limits on target industries, which broadens the threat surface for organizations of all sizes.

Prohibited countries, if any, are applied flexibly based on where each affiliate is based, giving partners freedom to pick targets that fit their own comfort zones or regional access.

On top of that, the Brand Setting feature lets affiliates launch attacks under their own ransomware brand, even though the underlying code and infrastructure belong to Gunra.

This white-label model means defenders may encounter new ransomware names that are, in reality, Gunra under the hood, with shared infrastructure and overlapping techniques.

As more affiliates sign up, the ecosystem can quickly spin off multiple brands, each with its own leak site, extortion style, and victim set.

For security teams, this makes attribution harder and raises the risk that a “new” threat is actually an old one in disguise.

S2W recommends that organizations strengthen their visibility into dark web activity, since Gunra operators and affiliates advertise, recruit, and trade stolen data primarily on these forums.

Regular monitoring of ransomware-friendly communities can help detect early signs of interest in a given sector or region, and may reveal when stolen data from a specific organization is being offered for sale.

The report also warns that, because Gunra does not exempt critical sectors, entities like hospitals and infrastructure providers need to maintain heightened vigilance.

Another key recommendation is to track emerging ransomware brands that share technical markers with Gunra, especially when those brands appear suddenly on the dark web without a clear lineage.

Since affiliates can create their own brands through the Gunra panel, defenders should treat new names with suspicion if they show similar behavior, infrastructure, or tooling.

Over time, building a map of these relationships will help responders understand how attacks are linked and who might be operating behind the scenes.

Finally, the S2W report highlights the importance of combining traditional security controls with threat intelligence that focuses on ransomware ecosystems like Gunra.

This means not only patching systems and enforcing strong access controls, but also subscribing to intelligence feeds, engaging in information sharing, and staying current on how RaaS groups evolve their tactics.

By treating Gunra as an ongoing ecosystem rather than a single malware family, organizations can better prepare for the next wave of affiliates and rebranded campaigns.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|------|-----------|-------------|
| URL | https://s2w.inc/en/resource/detail/10571/5 | S2W Gunra ransomware report resource page |
| URL | https://s2w.inc/en/resource/detail/10572/5 | S2W Gunra ransomware activity and panel analysis |
| URL | https://s2w.inc/en/resource/detail/10573/5 | S2W Gunra ransomware binary and mitigation section |
| URL | https://s2w.inc/en/resource/detail/10574/5 | S2W resource index page related to Gunra |
| URL | https://s2w.inc/en/resource/detail/10575/5 | S2W legal and footer page for Gunra report |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
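The note above describes the defanging convention (bracketed dots, `hxxp` schemes) used so indicators do not auto-link or resolve when an IoC table is pasted into a ticket or report. The helper below is an added example, not code from the article or from S2W: it defangs and re-fangs indicators so they can be moved safely between a report and a controlled platform such as a SIEM or MISP, and it round-trips the result to catch a transformation that would corrupt the indicator. The IP address and domain in the sample list are constructed placeholders (documentation range and reserved example domain), since the article's own table only lists S2W URLs.

```python
import re

# Constructed sample indicators in defanged form, as they might appear in a
# shared IoC table. The IP and domain are placeholders, not real indicators.
SAMPLE_DEFANGED = [
    "hxxps://s2w[.]inc/en/resource/detail/10571/5",
    "203[.]0[.]113[.]10",
    "example[.]com",
]


def defang(indicator: str) -> str:
    """Neutralise a URL, domain or IP so it will not auto-link or resolve.

    The scheme becomes hxxp/hxxps and every dot becomes "[.]"; the ":" after
    the scheme is also bracketed so the string is not recognised as a URL.
    """
    out = re.sub(r"^http(s?)://", r"hxxp\1[:]//", indicator, flags=re.IGNORECASE)
    out = out.replace(".", "[.]")
    return out


def refang(indicator: str) -> str:
    """Reverse common defanging styles: hxxp(s), [.], (.), {.}, [:]."""
    out = re.sub(r"^hxxp(s?)\[?:\]?//", r"http\1://", indicator, flags=re.IGNORECASE)
    for token in ("[.]", "(.)", "{.}"):
        out = out.replace(token, ".")
    out = out.replace("[:]", ":")
    return out


def is_defanged(indicator: str) -> bool:
    """True if the string still carries any defanging markers."""
    return bool(re.search(r"hxxp|\[\.\]|\(\.\)|\{\.\}|\[:\]", indicator, re.IGNORECASE))


def refang_all(indicators: list[str]) -> list[str]:
    """Re-fang a list for loading into a controlled platform, verifying that
    defang(refang(x)) reproduces a consistent defanged form so nothing was
    silently mangled on the way."""
    result = []
    for raw in indicators:
        live = refang(raw)
        if is_defanged(live):
            raise ValueError(f"could not fully re-fang: {raw!r}")
        # Round-trip check: re-defanging must give a string that re-fangs back
        # to the same live indicator.
        if refang(defang(live)) != live:
            raise ValueError(f"round-trip mismatch for {raw!r}")
        result.append(live)
    return result


if __name__ == "__main__":
    for live in refang_all(SAMPLE_DEFANGED):
        print(f"{live}  ->  {defang(live)}")
```

Only re-fang inside the platform that will consume the indicators; keep the defanged form in anything that renders links.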
