Gunra Ransomware Emerges with New DLS

July 24, 2025, 8:37 p.m.

Description

A new ransomware group called Gunra emerged in April 2025 with a Dedicated Leak Site (DLS). Gunra's code shows similarities to the infamous Conti ransomware, suggesting it may be leveraging Conti's leaked source code. The group employs aggressive tactics, including a time-based pressure technique that forces victims to begin negotiations within five days. Gunra ransomware encrypts files using a combination of the RSA and ChaCha20 algorithms, excludes certain folders and file types from encryption, and drops a ransom note named 'R3ADM3.txt'. The ransomware also deletes volume shadow copies to hinder recovery efforts. As the threat of DLS ransomware grows, organizations are advised to implement robust security measures, including regular updates, backups, and user education.

Date

  • Created: July 24, 2025, 11:30 a.m.
  • Published: July 24, 2025, 11:30 a.m.
  • Modified: July 24, 2025, 8:37 p.m.

Indicators

  • 854e5f77f788bbbe6e224195e115c749172cd12302afca370d4f9e3d53d005fd
  • a82e496b7b5279cb6b93393ec167dd3f50aff1557366784b25f9e51cb23689d9
  • 6d25d5c988a8cda3837dff5f294cbc25c97aea48dde1a74cba71a2439cab0a11

Attack Patterns

  • Gunra
  • Conti - S0575
  • Royal - S1073
  • Black Basta - S1070