The cybersecurity landscape has recently been disturbed by the emergence of Gunra ransomware, a potent new player leveraging leaked Conti source code to carry out targeted attacks on Windows operating systems. Since its appearance in April 2025 on dark-web leak sites, Gunra has executed swift double-extortion campaigns, pressuring victims into negotiations within mere days, while threatening to expose sensitive data publicly as a means to heighten distress.
"The speed at which Gunra operates is alarming," said a cybersecurity analyst from ASEC. "Victims often find themselves in a race against time, with only five days to make decisions before facing data dumps."
Unlike previous ransomware that relied on broad tactics, Gunra's operators utilize a more strategic approach. By exploiting stolen Remote Desktop Protocol (RDP) credentials or unpatched virtual private network (VPN) gateways, they infiltrate networks before advancing to critical domain controllers. The method is calculated and deliberate, as evidenced by their choice of infiltration pathways.
After securing an administrative foothold, Gunra can deploy malware swiftly across multiple machines. "In mere minutes, the malware can spread to dozens of devices using tools like PsExec or Group Policy, resulting in simultaneous encryption that paralyzes business operations," explained the ASEC analyst.
The effects of Gunra ransomware have already echoed across various industries, with over a dozen enterprises in manufacturing, healthcare, and logistics reporting significant operational disruptions due to the malware's infiltration during its initial three months of activity. "We've never seen a ransomware strain with such an aggressive operational tempo," the analyst added.
Impact and Legacy
Gunra mirrors the multithreaded functionality of its predecessor, Conti, by spawning encryption threads corresponding to the number of available CPU cores. This design amplifies the impact, maximizing encryption throughput while minimizing the time the malware remains undetected on the system. "The ability to create multiple threads means a quicker and more devastating attack," noted cybersecurity expert Jane Doe.
As part of its encryption process, Gunra uses an RSA-2048 key embedded within the malware binary itself to derive a ChaCha20 session key for scrambling files. Encrypted files receive the new extension ".ENCRT". Notably, the malware deliberately leaves executable files, drivers, and system files untouched, keeping the host stable enough for victims to read the ransom instructions in a note titled "R3ADM3.txt".
The final blow from Gunra is the removal of Windows Shadow Copies, a crucial backup tool for many users. The ransomware executes a command that enumerates and deletes all shadow snapshots, with the aim of erasing recovery options for victims who might otherwise restore their data without paying the ransom.
"The surgical precision with which Gunra deletes shadow copies highlights a new level of sophistication," warned another cybersecurity analyst. "This strategy forces victims into a corner, leaving them with fewer options and greater pressure to comply with ransom demands."
As the ransomware gains traction, staying ahead of its evolving tactics is critical. Gunra is believed to create a unique mutex at launch, subsequently optimizing its encryption process by assessing the host’s CPU configuration. This enables the malware to run multiple encryption routines concurrently, thereby effectively managing larger data chunks and further complicating detection.
Due to its design, Gunra ensures minimal network traffic, which stymies perimeter-based detection systems. "Because the RSA public key is stored in memory without ever being sent over the network, identifying the attack before backups are compromised is challenging without monitoring specific internal behaviors," explained the analyst.
To combat the growing threat of Gunra, experts recommend a heightened focus on detecting unusual thread activity and monitoring aggressive shadow-copy deletions. "Endpoint defenses must adapt to recognize these abnormal patterns to prevent falling victim to this rapidly evolving ransomware," advised Jane.
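The behaviors the article singles out for endpoint monitoring (shadow-copy deletion, a sudden wave of files renamed to ".ENCRT", and the "R3ADM3.txt" note landing on disk) can be turned into simple host-based detection logic. The following is an added example written for this page, not code from ASEC or any vendor; the event records are constructed Sysmon-style samples, and the shadow-copy command patterns are an assumption, since the article only states that the ransomware runs a command that enumerates and deletes all shadow snapshots.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events, simplified to dicts. "ts" is seconds from an
# arbitrary epoch. These are sample inputs, not telemetry from the article.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS01", "type": "process",
     "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"ts": 101, "host": "WS01", "type": "file", "path": r"C:\Users\alice\Documents\q1.xlsx.ENCRT"},
    {"ts": 102, "host": "WS01", "type": "file", "path": r"C:\Users\alice\Documents\q2.xlsx.ENCRT"},
    {"ts": 103, "host": "WS01", "type": "file", "path": r"C:\Users\alice\Documents\budget.docx.ENCRT"},
    {"ts": 104, "host": "WS01", "type": "file", "path": r"C:\Users\alice\Pictures\img1.png.ENCRT"},
    {"ts": 105, "host": "WS01", "type": "file", "path": r"C:\Users\alice\Pictures\img2.png.ENCRT"},
    {"ts": 106, "host": "WS01", "type": "file", "path": r"C:\Users\alice\Documents\R3ADM3.txt"},
    # Benign activity on another host: a single stray .ENCRT name must not trip the burst rule.
    {"ts": 200, "host": "WS02", "type": "process",
     "cmdline": r"C:\Windows\System32\notepad.exe notes.txt"},
    {"ts": 201, "host": "WS02", "type": "file", "path": r"C:\Users\bob\Desktop\test.ENCRT"},
]

# Assumed command shapes for shadow-copy deletion via built-in Windows tools.
# The article does not name the exact command Gunra runs.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
ENCRYPTED_EXT = ".encrt"      # extension reported for Gunra-encrypted files
RANSOM_NOTE = "r3adm3.txt"    # ransom note filename reported in the article


def basename(path):
    """Return the final path component, accepting both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect(events, burst_threshold=5, window_seconds=60):
    """Return (host, rule, detail) alerts for the three behaviors above.

    The .ENCRT rule fires once per host when at least burst_threshold
    encrypted-file events occur within a sliding window of window_seconds.
    """
    alerts = []
    encrt_times = defaultdict(list)   # host -> timestamps of recent .ENCRT events
    burst_fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "process":
            cmd = ev.get("cmdline", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                alerts.append((host, "shadow_copy_deletion", cmd))
        elif ev["type"] == "file":
            name = basename(ev["path"]).lower()
            if name == RANSOM_NOTE:
                alerts.append((host, "ransom_note_dropped", ev["path"]))
            if name.endswith(ENCRYPTED_EXT):
                times = encrt_times[host]
                times.append(ev["ts"])
                # Drop timestamps that fell out of the sliding window.
                while times and ev["ts"] - times[0] > window_seconds:
                    times.pop(0)
                if len(times) >= burst_threshold and host not in burst_fired:
                    burst_fired.add(host)
                    alerts.append((host, "encrt_rename_burst",
                                   f"{len(times)} .ENCRT files within {window_seconds}s"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

Run against the sample events, the script raises three alerts for WS01 (shadow-copy deletion, the .ENCRT burst, and the ransom note) and none for WS02. The burst threshold and window are deliberately conservative; in production they should be tuned against the normal rename rate of the monitored file servers, and the shadow-copy rule should be correlated with the burst rule rather than acted on alone, because administrators legitimately prune snapshots.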
Looking Ahead
As organizations continue to face waves of ransomware attacks, the launch of Gunra underscores an urgent need for robust cyber defense strategies. Ensuring comprehensive threat detection capabilities and maintaining updated security practices will be essential to thwarting this and similar ransomware threats in the future.