
New Gunra Ransomware Targets Windows Devices

A new ransomware strain named Gunra is targeting Windows devices globally using double-extortion tactics. It encrypts files, steals sensitive data, and demands ransom payments via the Tor network, impacting sectors like healthcare, pharmaceuticals, and manufacturing.


A new and sophisticated cybersecurity threat known as Gunra ransomware has emerged, targeting organizations across the globe. This malware primarily targets Windows systems, employing advanced encryption methods and double-extortion tactics to pressure victims into paying a ransom. The attacks have already impacted several critical sectors, including manufacturing, healthcare, technology, and consumer services. Victims have been reported in countries such as Japan, Egypt, Panama, Italy, and Argentina.

How Gunra Operates

Gunra ransomware, which first emerged in April 2025, is believed to be based on the Conti ransomware source code and is written in C/C++. It employs a double-extortion strategy: not only does it encrypt the victim's files, but it also exfiltrates sensitive data. The attackers then threaten to publish the stolen data if the ransom is not paid. Once it infects a system, the ransomware appends a ".ENCRT" extension to the encrypted files. In every directory, it drops a ransom note named "R3ADM3.txt".
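The two file-level indicators in the paragraph above (the ".ENCRT" extension and the per-directory "R3ADM3.txt" note) are easy to turn into a host triage check. The script below is an added example, not tooling from the article or from any vendor: it walks a directory tree, collects every file carrying the extension and every directory holding the note, and returns a verdict. The sample tree it builds under a temporary directory is constructed for the demonstration; the file names inside it are made up.

```python
"""Filesystem triage for the Gunra indicators named in the article:
files renamed with a ".ENCRT" extension and a "R3ADM3.txt" ransom note
dropped in each directory. Added example; not code from the article."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".ENCRT"    # extension appended to encrypted files (from the article)
RANSOM_NOTE = "R3ADM3.txt"  # ransom note file name (from the article)


def scan_for_gunra_artifacts(root: str) -> dict:
    """Walk `root` and collect paths matching the two file-level indicators.

    Returns sorted lists of encrypted-file paths and of directories that
    contain the ransom note, plus a verdict flag. Both indicators together
    are a strong signal; either one alone still merits manual triage.
    """
    encrypted = []
    note_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
            elif name == RANSOM_NOTE:
                note_dirs.append(dirpath)
    return {
        "encrypted_files": sorted(encrypted),
        "note_directories": sorted(note_dirs),
        "likely_gunra": bool(encrypted) and bool(note_dirs),
    }


def build_sample_tree() -> str:
    """Create a constructed directory tree that mimics a post-encryption host.

    Sample data for the example only, not a real infection. The "Archive"
    subdirectory is left clean so a negative case can be checked too.
    """
    root = tempfile.mkdtemp(prefix="gunra_demo_")
    docs = Path(root) / "Documents"
    finance = docs / "Finance"
    finance.mkdir(parents=True)
    (Path(root) / "Archive").mkdir()
    (docs / "report.docx.ENCRT").write_bytes(b"\x00" * 16)
    (finance / "q1.xlsx.ENCRT").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("constructed ransom note text")
    (finance / RANSOM_NOTE).write_text("constructed ransom note text")
    # an untouched text file must not be flagged
    (Path(root) / "Archive" / "notes.txt").write_text("clean")
    return root


if __name__ == "__main__":
    result = scan_for_gunra_artifacts(build_sample_tree())
    print(f"encrypted files: {len(result['encrypted_files'])}")
    print(f"directories with ransom note: {len(result['note_directories'])}")
    print("verdict:", "Gunra indicators present" if result["likely_gunra"] else "no match")
```

On a real host the scan should run from a read-only or offline mount (or from a forensic image), so that walking the tree does not itself change timestamps or trigger further activity on a live system.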

Technical Details and Evasion Tactics

Gunra uses several sophisticated techniques to avoid detection. It deletes shadow copies using Windows Management Instrumentation (WMI), making it difficult to recover files without backups. The malware also uses the IsDebuggerPresent API to detect if it is being analyzed, which hinders reverse-engineering efforts. Furthermore, it can enumerate running processes and retrieve system information to tailor its attack.
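Shadow copy deletion through WMI is the behaviour from the paragraph above that an EDR or SIEM rule can most readily catch, because it shows up as a process creation with a recognisable command line. The detector below is an added example, not a published rule for Gunra: the article does not give the exact command the malware runs, so the command-line patterns (wmic shadowcopy delete, the WMI/CIM PowerShell cmdlets against Win32_ShadowCopy) are assumptions drawn from how WMI shadow-copy deletion is generally expressed, and the vssadmin pattern is a deliberate generalisation beyond the page to cover the non-WMI variant. The key=value log layout and every log line are constructed for the example; hosts, users and paths are made up.

```python
"""Detection of shadow-copy deletion in process-creation logs, the behaviour the
article attributes to Gunra (performed via WMI). Added example: the log format
and command-line patterns are assumptions, not details published about Gunra."""
import re
from typing import Dict, List, Optional

# Command-line shapes associated with shadow-copy deletion. The first two use WMI
# (wmic, or the WMI/CIM PowerShell cmdlets); vssadmin is the non-WMI sibling and
# goes beyond what the article states about Gunra.
SHADOW_COPY_PATTERNS = [
    ("wmi_wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wmi_powershell", re.compile(
        r"\bWin32_ShadowCopy\b.*(Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I)),
    ("vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
]

# Parent processes living in user-writable locations are a stronger signal than
# an admin shell; a heuristic, not a rule from the article.
SUSPICIOUS_PARENT_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value process-creation line (constructed, Sysmon-like layout)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the first matching pattern, or None if the command is benign."""
    cmd = event.get("CommandLine", "")
    for name, pattern in SHADOW_COPY_PATTERNS:
        if pattern.search(cmd):
            return name
    return None


def severity(parent_image: str) -> str:
    """Rate an alert higher when the parent binary runs from a user-writable path."""
    lowered = parent_image.lower()
    return "high" if any(d in lowered for d in SUSPICIOUS_PARENT_DIRS) else "medium"


def detect_shadow_copy_deletion(lines: List[str]) -> List[Dict[str, str]]:
    """Run every line through the patterns and return one alert per hit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule is None:
            continue
        parent = event.get("ParentImage", "?")
        alerts.append({
            "host": event.get("Host", "?"),
            "parent": parent,
            "rule": rule,
            "severity": severity(parent),
            "cmd": event.get("CommandLine", ""),
        })
    return alerts


# Constructed sample log: two benign lines, three deletion attempts.
SAMPLE_LOG = [
    r'EventID=1 Host=WS-042 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\ana\notes.txt"',
    r'EventID=1 Host=WS-042 ParentImage=C:\Users\ana\Downloads\invoice.exe Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"',
    r'EventID=1 Host=SRV-01 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
    r'EventID=1 Host=SRV-01 ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic os get caption"',
    r'EventID=1 Host=WS-042 ParentImage=C:\Users\ana\Downloads\invoice.exe Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
]

if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"[{alert['severity']:>6}] {alert['host']} rule={alert['rule']} "
              f"parent={alert['parent']} cmd={alert['cmd']!r}")
```

The benign wmic line (an OS query) is deliberately present to show that matching on the image name alone would be too noisy; the rule keys on the shadowcopy/delete arguments instead. In production the same logic would sit on Sysmon Event ID 1 or the equivalent EDR telemetry, and a hit from a parent in a user-writable directory is the case worth auto-isolating.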

The Ransom Note and Demands

The "R3ADM3.txt" ransom note informs victims that their files are encrypted and their sensitive data has been stolen. The attackers give victims a five-day deadline to make contact via a specified .onion site on the Tor network. To prove decryption is possible, they offer to decrypt a few files for free. The note also warns against tampering with the encrypted files, as this could render them unrecoverable. Paying the ransom is strongly advised against, as there is no guarantee the attackers will provide the decryption tools.

Recommendations for Protection

Cybersecurity experts recommend a multi-layered approach to protect against Gunra and similar ransomware. Organizations should regularly back up critical data and store it offline or in a secure, isolated environment. Implementing advanced Endpoint Detection and Response (EDR) solutions can help detect anomalous behaviors like shadow copy deletion or unauthorized file encryption. Other key measures include segmenting networks to limit lateral movement, enabling multi-factor authentication (MFA), and training employees to identify phishing attempts. In the event of an infection, the infected system should be immediately isolated from the network to prevent further spread.
