Gunra
Gunra is an emerging ransomware actor and ransomware-as-a-service (RaaS) operation first observed in April 2025. Reporting describes it as Conti-derived: it initially used a Conti-based locker against early South Korean victims before moving to its own ransomware and then to a broader affiliate-driven RaaS model. Gunra has been observed recruiting and operating through dark web forums including RAMP, Rehub, Tierone, and Darkforums, and launched an affiliate program on RAMP in January 2026. Its hosted affiliate panel reportedly includes negotiation, file management, payload generation, handler features, and brand settings, and supports white-label branding that lets affiliates operate under different ransomware names. Operators are reported to take part directly in victim negotiations, indicating centralized oversight.

Gunra has targeted organizations across multiple sectors and regions. Reporting cites victims in South Korea early in its activity and later victims across at least eight countries. Sectors explicitly mentioned include healthcare, education, manufacturing, government agencies, non-profits, hospitals, industrial targets, and infrastructure providers. Reported examples include attacks against a Korean manufacturer, INHA University in South Korea, and the American Hospital in Dubai. One report states Gunra claimed more than 20 victims across Brazil, Japan, Canada, Turkey, South Korea, Taiwan, Egypt, and the United States; another assessed 22 victims between April and December 2025; and S2W reported 32 confirmed victim organizations as of 2026-03-09.

Technically, Gunra supports both Windows and Linux payloads, and affiliate advertising reportedly claimed support for ESXi, NAS, x86, and ARM platforms and architectures. Windows variants have been associated with the .ENCRT extension and a ransom note named R3ADM3.txt.
Linux variants append the .GNRA extension, create .keystore files, and use a hybrid encryption scheme combining ChaCha20 for file encryption with RSA-4096 protection of per-file keys. Gunra's Linux ELF payload has been described as a compact static binary targeting enterprise servers and supporting multiple Linux architectures. Reports also describe Linux behavior including filesystem traversal, ransom note deployment, log deletion, and system modifications, while skipping critical directories to preserve system usability.

A significant reported weakness in the Linux variant is that the ChaCha20 key material is generated with musl libc's rand() seeded from time(). Because the seed is a timestamp, the effective key space is the set of plausible encryption times rather than 2^256, so some .GNRA-encrypted files may be recoverable by brute-forcing the seed against a file with a known header. This weakness was not reported for the Windows variant, which is described as using BCryptGenRandom or CryptGenRandom, depending on which report is consulted.

Gunra is also notable for maintaining a parallel leak and exposed-data ecosystem branded as "public data." Reporting states it hosts victim data on Tor-based infrastructure, organizes exposed files by organization, and has used mirrored Tor and clearnet-accessible sites, private chat portals, reused TOX identifiers, and associated Proton Mail infrastructure. Investigators assessed overlap between Gunra's malware, leak infrastructure, and communication channels, and noted that its claim that hosted material was merely "public data" conflicted with observed internal databases, identification documents, billing systems, and ransomware-encrypted files.

Aliases directly provided in the reporting are limited to Gunra/gunra. Reporting also notes that Gunra's white-label affiliate model can cause technically related campaigns to appear under different ransomware names.
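The brute-force angle on the Linux variant's key generation, as an added example that is not Gunra's code and is not taken from any report about it: a Python re-implementation of musl libc's srand()/rand() (the 64-bit LCG in musl's rand.c), a minimal RFC 8439 ChaCha20, and a loop that walks candidate time() seeds over a window and tests each derived key against the known header of an encrypted file. The mapping from rand() outputs to the 32-byte key (low byte of each of 32 successive outputs), the all-zero nonce assumed known to the analyst, the constructed timestamp and the sample PDF bytes are all assumptions made for the demonstration; the page does not describe how Gunra actually turns rand() output into a key or where the nonce is stored. The point the code makes holds for any deterministic mapping from a time seed: the attacker only has to search the window of plausible encryption times.

```python
"""
Added example (not Gunra's code): why a ChaCha20 key built from musl rand()
seeded with time() collapses to a small, brute-forceable search space.
"""
import struct

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


class MuslRand:
    """Re-implementation of musl libc's srand()/rand() (src/prelude/rand.c):
    a 64-bit LCG whose rand() returns the top 31 bits of the state.
    This is musl's published algorithm, not anything taken from a Gunra binary."""

    def __init__(self, s):
        # srand(unsigned s): seed = s - 1, evaluated in 32-bit unsigned arithmetic
        self.seed = (s - 1) & MASK32

    def rand(self):
        self.seed = (6364136223846793005 * self.seed + 1) & MASK64
        return self.seed >> 33


def key_from_time(t):
    """ASSUMPTION for this demo: the locker calls srand((unsigned)time(NULL)) and
    fills the 32-byte ChaCha20 key with the low byte of 32 successive rand()
    outputs. The page does not describe Gunra's real mapping; any deterministic
    mapping from a time seed is equally weak."""
    rng = MuslRand(t & MASK32)
    return bytes(rng.rand() & 0xFF for _ in range(32))


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block per RFC 8439 (32-byte key, 12-byte nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[off:off + 64], block))
    return bytes(out)


def brute_force_seed(ciphertext, nonce, known_prefix, latest_time, window_seconds):
    """Walk candidate time() seeds backwards from latest_time (for a real case,
    the encrypted file's mtime or the ransom note's ctime) and return
    (seed, key) for the first candidate whose key turns the file header back
    into the expected bytes. The search space is window_seconds, not 2**256."""
    for t in range(latest_time, latest_time - window_seconds, -1):
        key = key_from_time(t)
        if chacha20_xor(key, nonce, ciphertext[:len(known_prefix)]) == known_prefix:
            return t, key
    return None


def demo():
    """Constructed scenario: a PDF encrypted at a roughly known moment, recovered
    from its magic bytes plus a 30-minute window around the observed timestamp."""
    encrypt_time = 1_700_000_000                     # constructed timestamp
    plaintext = b"%PDF-1.7\n% constructed sample document body\n"
    nonce = bytes(12)                                # ASSUMPTION: nonce known to the analyst
    ciphertext = chacha20_xor(key_from_time(encrypt_time), nonce, plaintext)

    hit = brute_force_seed(ciphertext, nonce, b"%PDF-", encrypt_time + 900, 1800)
    if hit is None:
        return None
    seed, key = hit
    return seed, chacha20_xor(key, nonce, ciphertext)


if __name__ == "__main__":
    seed, recovered = demo()
    print(f"seed recovered: {seed}")
    print(recovered.decode())
```

For a real .GNRA file the analyst would substitute the actual key-derivation mapping recovered from the binary, the nonce (wherever the sample stores it, possibly the .keystore file), a header appropriate to the file type, and a window bounded by filesystem timestamps; the loop structure is unchanged. Note that the RSA-4096 wrapping of per-file keys does not help the attacker here: the key is recomputed from the seed, so the wrapped copy never has to be unwrapped.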
Tradecraft
18 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Observables
23 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
New threat actor observed posting likely fabricated or unverifiable 'phantom victims' on its leak site.
A ransomware group that evolved from using a Conti-based locker into operating its own RaaS ecosystem, recruiting affiliates on dark web forums, selling access and stolen data, and enabling white-label ransomware branding for partners.
Referenced dismissively by The Gentlemen as an unserious or low-relevance ransomware program.
Observed as a Ransomware-as-a-Service criminal operation within the dark web ecosystem.