New Gunra Ransomware Targets Windows Systems, Encrypts Files, and Erases Shadow Copies

AhnLab’s Threat Intelligence Platform (TIP) has been instrumental in monitoring ransomware activities across dark web forums and marketplaces.

Through its Live View > Dark Web Watch feature, security teams can track active groups, their collaborations, and emerging attack vectors, allowing organizations to preemptively bolster defenses.

During the first half of 2025, a surge in new Dedicated Leak Sites (DLS) has been observed, with AhnLab identifying several from February to June. Notably, the Gunra ransomware group emerged in April 2025, establishing its DLS and drawing attention due to its sophisticated tactics.

Initial activities were traced back to April 10, 2025, revealing code similarities to the notorious Conti ransomware, a Russia-based operation active since 2020.

Conti’s legacy includes aggressive campaigns that disrupted global entities, but its downfall came in February 2022 when a Ukrainian affiliate leaked internal documents and source code in protest against the group’s pro-Russian stance.

This leak spawned variants like Black Basta and Royal, and Gunra appears to be a derivative, incorporating enhancements such as accelerated negotiation timelines and refined social engineering.

A hallmark of Gunra is its five-day ultimatum for victims to initiate talks, intensifying psychological pressure and expediting extortion.

Technical Breakdown of Gunra’s Encryption

Gunra’s execution flow is engineered for efficiency and stealth, targeting Windows systems by spawning threads aligned with the victim’s CPU logical cores to parallelize file encryption.

Figure: Creating a thread

It embeds an RSA public key within its binary, which is used to derive session-specific RSA keys.

These, in turn, generate ChaCha20 symmetric keys for rapid, stream-based encryption of files, appending the “.ENCRT” extension while sparing critical system directories like Windows, Boot, and $Recycle.Bin, as well as extensions such as .exe, .dll, and .sys to maintain host operability.

Excluded files include its ransom note “R3ADM3.txt” and “CONTI_LOG.txt,” hinting at its Conti heritage.

Figure: Gunra ransomware ransom note

The malware confines infection to the C:\Users folder if the target drive is C:, strategically focusing on user data for maximum impact.

Post-encryption, Gunra employs a command-line routine via cmd.exe to invoke WMIC.exe, systematically deleting volume shadow copies with commands such as cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={GUID}" delete, thwarting easy recovery through snapshots.

The ransom note, dropped in affected folders, directs victims to the attackers’ site for decryption negotiations, adhering to classic ransomware patterns but amplified by time-sensitive demands.
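A detection-side illustration of the behaviours described above, added here as an example and not code from AhnLab or the article: it flags the cmd.exe/WMIC shadow-copy deletion pattern and the .ENCRT / R3ADM3.txt file artifacts in telemetry. The event field names ("cmdline", "path") and all sample records are constructed assumptions, not captured data.

```python
import re
from collections import Counter

# Constructed sample telemetry, not captured data. The event shape is an assumption:
# process-creation records carry "cmdline"; file-create records carry "path".
PROCESS_EVENTS = [
    {"cmdline": r'cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy '
                r'where "ID={11111111-2222-3333-4444-555555555555}" delete'},
    {"cmdline": "wmic os get caption"},       # benign WMIC use, must not fire
    {"cmdline": "WMIC  ShadowCopy  Delete"},  # spacing/case variant
]
FILE_EVENTS = [
    {"path": r"C:\Users\alice\Documents\budget.xlsx.ENCRT"},
    {"path": r"C:\Users\alice\Documents\R3ADM3.txt"},
    {"path": r"C:\Users\alice\Documents\notes.txt"},
    {"path": r"C:\Windows\System32\drivers\etc\hosts"},
]

# WMIC invoked with the shadowcopy alias followed by the delete verb, any spacing or case.
WMIC_SHADOWCOPY_DELETE = re.compile(
    r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)

def is_shadowcopy_deletion(cmdline):
    """True when a command line matches the WMIC shadow-copy deletion seen in Gunra."""
    return WMIC_SHADOWCOPY_DELETE.search(cmdline) is not None

def classify_file_artifact(path):
    """Return 'encrypted' for .ENCRT files, 'ransom_note' for R3ADM3.txt, else None."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name.endswith(".encrt"):
        return "encrypted"
    if name == "r3adm3.txt":
        return "ransom_note"
    return None

def scan(process_events, file_events):
    """Count Gunra indicators across both telemetry streams."""
    findings = Counter()
    for ev in process_events:
        if is_shadowcopy_deletion(ev["cmdline"]):
            findings["shadowcopy_deletion"] += 1
    for ev in file_events:
        kind = classify_file_artifact(ev["path"])
        if kind:
            findings[kind] += 1
    return dict(findings)

if __name__ == "__main__":
    print(scan(PROCESS_EVENTS, FILE_EVENTS))  # {'shadowcopy_deletion': 2, 'encrypted': 1, 'ransom_note': 1}
```

In practice the process check belongs on a parent/child pairing (cmd.exe spawning WMIC.exe) in EDR or Sysmon event 1 data, and a burst of .ENCRT creations under C:\Users is the higher-fidelity signal.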

Defensive Measures

As DLS-based ransomware proliferates, posing severe risks to enterprises and individuals, proactive security is paramount.

Organizations should prioritize applying the latest patches to operating systems and applications, enabling auto-updates to seal vulnerabilities.

Deploying and updating robust antivirus solutions, conducting offline backups in segregated networks, and practicing recovery drills are essential to counter data loss.

Vigilance against phishing, including avoiding suspicious links and attachments, coupled with strong passwords and two-factor authentication, forms a layered defense.

Beyond basics, strategic backup management involves offsite storage disconnected from primary networks, strict access controls, and regular testing to ensure restorability amid attacks like Gunra’s shadow copy erasure.

By anticipating such threats through tools like AhnLab TIP, entities can mitigate damage and sustain operations.

Indicators of Compromise (IOC)

MD5 hashes:
0339269cef32f7af77ce9700ce7bf2e2
3178501218c7edaef82b73ae83cb4d91
7dd26568049fac1b87f676ecfaac9ba0
92e11df03725e29d963d44508d41a8dd
9a7c0adedc4c68760e49274700218507

Encrypted file extension: .ENCRT
Ransom note: R3ADM3.txt
Excluded folders: tmp, winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, Boot, Windows, Trend Micro
Excluded extensions: .exe, .dll, .lnk, .sys, .msi, .ENCRT
Excluded files: R3ADM3.txt, CONTI_LOG.txt
Note: If the target drive is C:, only the C:\Users folder is infected.
