
In April 2025, the cyber threat landscape witnessed the emergence of a formidable new adversary—ransomware known as Gunra. Its activity has already been observed across a spectrum of industries, including pharmaceuticals, real estate, and manufacturing. Affected organizations span Japan, Egypt, Panama, Italy, and Argentina, underscoring the ransomware’s expansive geographical reach and global threat profile.
Gunra employs a dual-extortion strategy: it first exfiltrates sensitive data, then proceeds to encrypt files on compromised systems. Should the victim refuse to pay the ransom, the attackers threaten to publicly release the stolen information, exposing corporate secrets to the world.
This approach is designed to maximize the likelihood of ransom payment. All encrypted files are appended with the “.ENCRT” extension, and a ransom note titled R3ADM3.txt is deposited within affected directories. Victims are then directed to a concealed site on the Tor network, designed to resemble a messaging interface where negotiations for data restoration are conducted.
At its core, Gunra is built upon the source code of the infamous Conti ransomware, written in C and C++. However, unlike its predecessor, Gunra employs more adaptive and sophisticated evasion techniques. Immediately upon infection, the malware collects information on active processes, deletes shadow copies via WMI, and scans the system to identify optimal targets. Concurrently, it activates routines to detect debugging tools and forensic analysis environments before injecting its code into trusted processes, thereby securing its foothold within the system.
To locate files for encryption, Gunra uses system calls to search for data bearing extensions such as .docx, .pdf, .jpg, and others—culminating in the complete paralysis of vital information. Simultaneously, the threat of data leakage is leveraged as a psychological weapon: victims are given a five-day deadline, after which the attackers vow to publish the stolen content on underground forums.
The operations of Gunra align closely with the MITRE ATT&CK framework. Its tactics encompass execution via WMI, persistence through bootloader components, privilege escalation through code injection, obfuscation for stealth, and data encryption as the final stage. The attack chain is meticulously structured, complicating both real-time response and post-incident analysis.
According to CYFIRMA, countering such threats necessitates a proactive defense strategy: employing advanced EDR solutions, maintaining regular backups, segmenting network infrastructure, and restricting user privileges. Organizations are also urged to monitor outbound traffic to the Tor network and to bolster employee awareness of phishing tactics to minimize initial compromise vectors.
Given the rapid evolution and operational scale of Gunra, timely threat intelligence and the deployment of preventative controls are essential to safeguarding the resilience of enterprise infrastructure.