Monday, December 8, 2025

Gunra Ransomware Strikes – Windows Systems Under Attack as Files Are Encrypted and Shadow Copies Erased

A new ransomware strain called Gunra has emerged as a significant threat to Windows systems, leveraging code from the notorious Conti ransomware group to execute sophisticated attacks that encrypt files and eliminate recovery options.

First identified in April 2025, this malware exhibits enhanced capabilities in both encryption techniques and psychological pressure tactics, compelling victims to engage in rapid negotiations within a five-day deadline.

Advanced Encryption Techniques Target System Performance

Gunra ransomware employs a multi-threaded approach that maximizes system resources during the encryption process.

The malware creates encryption threads based on the number of logical CPU cores available, ensuring rapid file encryption across infected systems.

The technical implementation is a two-layer key scheme: an embedded RSA public key is used to generate RSA keys, and those in turn produce the ChaCha20 keys used for the actual file encryption, so the file keys cannot be recovered without the private half of the embedded key pair.

The ransomware explicitly targets user data while strategically avoiding system-critical files, so that the machine keeps running during the attack.

When targeting the C: drive, Gunra focuses exclusively on the C:\Users folder, preserving system functionality while encrypting personal and business-critical data.

The malware excludes essential system folders, including Windows, Boot, System Volume Information, and security software directories like Trend Micro, from encryption.

Files encrypted by Gunra receive a distinctive .ENCRT extension, while the ransomware drops ransom notes named “R3ADM3.txt” in each affected directory.

The malware deliberately avoids encrypting executable files (.exe, .dll), system files (.sys), and its ransom notes to prevent system crashes that could hinder payment negotiations.

Recovery Prevention and System Manipulation

Beyond file encryption, Gunra implements aggressive recovery prevention measures designed to prevent victims from restoring data independently.

The ransomware executes specific Windows Management Instrumentation Command-line (WMIC) commands to systematically delete volume shadow copies, effectively removing Windows’ built-in backup and recovery capabilities.

The command “cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ‘ID={GUID of the shadowcopy}’ delete” demonstrates the malware’s sophisticated understanding of Windows recovery mechanisms.

This targeted deletion ensures victims cannot utilize System Restore or previous file versions to recover encrypted data without paying the ransom.
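The WMIC shadow-copy deletion quoted above is one of the most reliable places to catch this family on a host, because it runs as a child process with a distinctive command line. The following is an added detection example, not code from the article or from AhnLab: it runs over constructed process-creation events (Sysmon Event ID 1 or Security 4688 style) and flags any command line that invokes wmic with the shadowcopy alias and the delete verb, regardless of case, spacing or the `where` filter, reporting which shadow copy GUID was targeted. The event records and GUIDs are constructed sample data.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 style).
# The first two mirror the WMIC command quoted in the article; the rest are benign noise.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "
                r"'ID={12345678-AAAA-BBBB-CCCC-123456789ABC}' delete"},
    {"pid": 4133, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"WMIC.exe shadowcopy where 'ID={12345678-AAAA-BBBB-CCCC-123456789ABD}' delete"},
    {"pid": 4150, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic  SHADOWCOPY  DELETE"},          # no 'where' filter narrows the deletion
    {"pid": 5001, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic shadowcopy list brief"},        # read-only query, benign
    {"pid": 5210, "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": r'"C:\Program Files\Backup\agent.exe" --snapshot delete-old'},  # not WMIC
]

# wmic / WMIC.exe ... shadowcopy ... delete, in that order, any case, any spacing.
_SHADOW_DELETE = re.compile(
    r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE | re.DOTALL)
# Optional 'ID={GUID}' selector so the alert can name the targeted shadow copy.
_GUID = re.compile(r"ID\s*=\s*\{([0-9A-Fa-f-]{36})\}", re.IGNORECASE)


def classify(event):
    """Return a finding dict if the event is a WMIC shadow-copy deletion, else None."""
    cmd = event["cmdline"]
    if not _SHADOW_DELETE.search(cmd):
        return None
    m = _GUID.search(cmd)
    return {
        "pid": event["pid"],
        "image": event["image"],
        # Without an ID selector nothing limits the command to a single shadow copy.
        "scope": m.group(1).upper() if m else "ALL",
        "technique": "shadow copy deletion via WMIC",
    }


def find_shadow_copy_deletions(events):
    """Filter a list of process-creation events down to shadow-copy deletion findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"ALERT pid={f['pid']} scope={f['scope']} image={f['image']}")
```

In production this rule belongs on the command-line field of the endpoint telemetry rather than on the process name alone, since the article shows the call wrapped in `cmd.exe /c`; a `list` or `get` query against the same alias is left unflagged so backup administration does not page the on-call analyst.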

AhnLab’s Threat Intelligence Platform has identified Gunra as part of a broader trend of ransomware groups establishing new Dedicated Leak Sites (DLS) throughout early 2025.

[Figure: AhnLab TIP’s Dark Web Watch]

The group’s connection to leaked Conti source code, released by a Ukrainian member in February 2022, highlights the continuing evolution of ransomware threats built upon previously successful attack frameworks.

Security experts recommend implementing comprehensive backup strategies with offline storage, maintaining updated security software, and conducting regular recovery training to defend against such sophisticated ransomware attacks targeting both individual users and organizational networks.

IOC

  • 0339269cef32f7af77ce9700ce7bf2e2
  • 3178501218c7edaef82b73ae83cb4d91
  • 7dd26568049fac1b87f676ecfaac9ba0
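The encryption section above names two on-disk artifacts (the .ENCRT extension and the R3ADM3.txt note) and this IOC section lists three file hashes. The script below is an added triage example, not code from the article or from AhnLab, that combines both into one pass over a directory tree: it lists encrypted files and ransom notes, records which directories were touched, and hashes the remaining files against the IOC set. The 32-hex-character hashes are taken to be MD5, which is an assumption; the sample tree, file contents and the extra hash planted for the offline run are constructed and not real victim data.

```python
import hashlib
import os
import tempfile

# Hashes from the article's IOC section, assumed to be MD5 (32 hex characters).
GUNRA_IOC_MD5 = {
    "0339269cef32f7af77ce9700ce7bf2e2",
    "3178501218c7edaef82b73ae83cb4d91",
    "7dd26568049fac1b87f676ecfaac9ba0",
}
ENCRYPTED_EXT = ".encrt"      # extension appended to encrypted files (compared case-insensitively)
RANSOM_NOTE = "r3adm3.txt"    # ransom note dropped in each affected directory


def md5_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large files do not have to be read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_md5=GUNRA_IOC_MD5):
    """Walk root and collect encrypted files, ransom notes and IOC-matching files."""
    report = {"encrypted": [], "notes": [], "ioc_hits": [], "dirs_affected": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low.endswith(ENCRYPTED_EXT):
                report["encrypted"].append(path)
                report["dirs_affected"].add(dirpath)
            elif low == RANSOM_NOTE:
                report["notes"].append(path)
                report["dirs_affected"].add(dirpath)
            elif md5_file(path) in ioc_md5:
                report["ioc_hits"].append(path)
    report["dirs_affected"] = sorted(report["dirs_affected"])
    return report


def build_demo_tree(root):
    """Construct a small fake tree shaped like a Windows volume; nothing here is real data."""
    docs = os.path.join(root, "Users", "alice", "Documents")
    win = os.path.join(root, "Windows", "System32")
    os.makedirs(docs)
    os.makedirs(win)
    with open(os.path.join(docs, "budget.xlsx.ENCRT"), "wb") as f:
        f.write(b"\x00" * 64)                       # stands in for encrypted content
    with open(os.path.join(docs, "R3ADM3.txt"), "w") as f:
        f.write("constructed ransom note placeholder\n")
    with open(os.path.join(docs, "tool.exe"), "wb") as f:
        f.write(b"MZ constructed binary")           # executables are left unencrypted
    with open(os.path.join(win, "kernel32.dll"), "wb") as f:
        f.write(b"MZ untouched system file")        # Windows folder is excluded by the malware


def demo():
    """Build the constructed tree in a temp dir, scan it, and return root-relative results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        # To exercise the hash path offline, the constructed binary's own hash is added to
        # the IOC set; real triage would use only the published hashes.
        planted = md5_file(os.path.join(tmp, "Users", "alice", "Documents", "tool.exe"))
        report = scan_tree(tmp, GUNRA_IOC_MD5 | {planted})
        rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
        return {k: [rel(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Pointing `scan_tree` at a mounted image of the C:\Users folder gives an incident responder the blast radius (how many directories carry notes or .ENCRT files) and any surviving binaries that match the published hashes in a single run, without touching the encrypted files themselves.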
