Skip to content
Ransomware group

Gunra

Gunra is a Conti-derived ransomware family and ransomware-as-a-service (RaaS) operation first observed in April 2025.

Profile source: Mallory opens in a new tab

Gunra

Family profile

Gunra is a Conti-derived ransomware family and ransomware-as-a-service (RaaS) operation first observed in April 2025. Reporting states it was developed from leaked Conti v2 source code and later evolved from an initial Windows-focused locker into a broader affiliate-driven platform with support for both Windows and Linux payloads; affiliate advertising also claimed support for ESXi, NAS, x86, and ARM targets. Gunra uses a double-extortion model, encrypting files while also exfiltrating data for leak-based extortion via Tor-hosted infrastructure. Multiple sources describe it as impacting organizations globally, including victims in South Korea, Japan, Egypt, Panama, Italy, Argentina, Brazil, Canada, Turkey, Taiwan, and the United States, and affecting sectors such as manufacturing, pharmaceuticals, real estate, hospitals, infrastructure, and other enterprise environments.

On Windows, Gunra encrypts files and appends the .ENCRT extension, drops ransom notes named R3ADM3.txt, and uses a hybrid cryptosystem in which file contents are encrypted with ChaCha20 and per-file key material is protected with RSA-4096. CloudSEK reported the Windows variant generates per-file 32-byte ChaCha20 keys and 12-byte nonces using BCryptGenRandom, embeds an RSA-4096 public key, enumerates drives A: through Z:, recursively encrypts files, excludes system directories such as C:\Windows and C:\Program Files, excludes system-critical extensions including .exe, .dll, and .sys, and can store RSA-encrypted per-file key bundles either appended to encrypted files or in separate .keystore files. The ransom note instructs victims to use Tor and references the onion negotiation portal nsnhzysbntsqdwpys6mhml33muccsvterxewh5rkbmcab7bg2ttevjqd[.]onion. Sources also state Gunra deletes shadow copies, disables backup and antivirus services, enumerates processes and files, collects system information, and uses anti-analysis techniques including debugger detection via IsDebuggerPresent and process manipulation via GetCurrentProcess and TerminateProcess.

Gunra later expanded to Linux, where Trend Micro and other reporting described a compact ELF locker targeting enterprise servers and supporting multiple architectures including x86-64, i386, and ARM. The Linux variant appends the .GNRA extension, creates .keystore files containing RSA-encrypted per-file symmetric keys, and appends a footer marked ENCRT to encrypted files. It traverses filesystems while skipping critical directories such as /proc, /bin, /usr, /boot, /dev, /etc, /lib, /lib64, /run, /sbin, /srv, /sys, and /tmp, while targeting locations such as /home, /var, /opt, /root, /mnt, and /media. Reported post-compromise behavior includes renaming files, deleting logs, modifying PAM, Polkit, sudoers, cron jobs, init scripts, and Bash startup scripts. A significant reported weakness in the Linux variant is flawed cryptography: researchers stated it generates ChaCha20 key material using musl-libc rand() seeded with time(), reducing the effective keyspace enough that .GNRA-encrypted files may be recoverable by brute-forcing candidate seeds within the encryption time window. This weakness was specifically reported not to affect the Windows variant.

Operationally, Gunra is described as a low-profile but growing RaaS ecosystem active on dark web forums including RAMP, Rehub, Tierone, and Darkforums, where it recruits affiliates, hires penetration testers, and sells stolen data. Reporting states the group launched an affiliate program in January 2026 and provides a hosted web panel with functions such as Negotiation, Files, Lock Tool, Handler, and Brand Setting. The platform reportedly supports centralized victim negotiation and white-label branding, allowing affiliates to launch attacks under different ransomware names. Sources note Gunra initially targeted South Korean organizations and later expanded globally, with dozens of claimed or confirmed victims by early 2026. High-confidence indicators and artifacts mentioned in the reporting include the .ENCRT and .GNRA encrypted-file extensions, ransom note R3ADM3.txt, .keystore artifacts, the ENCRT file footer, and the Tor negotiation portal noted above.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Md5

4 total
  • 9a7c0adedc4c68760e49274700218507
  • 7dd26568049fac1b87f676ecfaac9ba0
  • ae6f61c0fc092233abf666643d88d0f3
  • f6664f4e77b7bcc59772cd359fdf271c

Ip

1 total
  • 86.54.28.216

Ransomware.live

Recent claims

All published claims ↗

MITRE ATT&CK

Gunra in ATT&CK

20 distinct techniques

Reporting

Research mentioning Gunra

May 15
Cyber Security News

Gunra Ransomware Expands RaaS Operations After Shifting From Conti-Based Locker

Gunra ransomware has quickly grown from a new threat into a serious global problem, hitting dozens of organizations in less than a year.

Mar 12
Breakglass Intel

Gunra Ransomware's Linux Variant Has a Fatal Flaw: time()-Seeded rand() Makes Encrypted Files Recoverable Without Paying - Breakglass Intelligence - Breakglass Intelligence

TL;DR: Gunra is a Conti-derived RaaS operation that expanded to Linux with a compact 84KB ELF binary targeting enterprise servers.

Feb 11
Cloudsek

Inside Gunra RaaS: From Affiliate Recruitment on the Dark Web to Full Technical Dissection of their Locker | CloudSEK

"On January 15th, 2026, CloudSEK researchers detected the new affiliation program related to Gunra. Gunra is a Ransomware-as-a-Service (RaaS) that was first seen active in May 2025..."

Dec 31
Cyberthrone

New Ransomware Emerged in 2025 – Threat Intel Report

Silent, Gunra, JGroup, IMN Crew, Dire Wolf, DATACARRY, and SatanLock launched leak sites within weeks of each other.

Dec 30
Cyble

Top 10 Threat Actor Trends from 2025 — and What They Signal for 2026

New ransomware groups such as Dire Wolf, Silent Team, DATACARRY, Gunra, and the actor known as “J” relied on data theft and leak-based extortion without deploying ransomware lockers.

Dec 9
Dragos

Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos

“Lower-volume Groups… including … Gunra… recorded 2–4 incidents…”

Nov 4
The Hacker News

Ransomware Defense Using the Wazuh Open Source Platform

The Gunra ransomware is typically used by private cybercriminals to extort money from its victims. It utilizes a double-extortion model that encrypts files and exfiltrates data for publication should its victim fail to pay the ransom. The Gunra ransomware spreads through Windows systems by encrypting files, appending the .ENCRT extension, and leaving ransom notes named R3ADM3.txt. It deletes shadow copies, disables backup and antivirus services to block recovery, and uses Tor networks to hide its operators.

Sep 24
Risky Biz Rss

Risky Bulletin: US raids SIM farm in New York

"Gunra ransomware: ... a new ransomware operation that can target both Windows and Linux environments with double-extortion schemes."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.