Gunra
Gunra is a ransomware family and ransomware-as-a-service (RaaS) operation first observed in 2025 and assessed in multiple reports as Conti-derived. It initially appeared as a Windows-focused locker and later expanded to Linux; affiliate advertising was also reported to claim support for Windows, Linux, ESXi, and NAS across x86 and ARM architectures. Gunra uses a double-extortion model: it encrypts victim files and exfiltrates data for leak-based extortion via Tor-hosted infrastructure. It has been linked to dark web recruitment and operations on forums including RAMP, Rehub, Tierone, and Darkforums, and reporting states it launched an affiliate program in January 2026.
On Windows, Gunra encrypts files and appends the .ENCRT extension, while dropping ransom notes named R3ADM3.txt. The ransom note instructs victims to use Tor and references the onion negotiation portal nsnhzysbntsqdwpys6mhml33muccsvterxewh5rkbmcab7bg2ttevjqd[.]onion. Technical reporting describes a hybrid encryption design using ChaCha20 for file encryption and RSA-4096 to protect per-file key material; Windows samples were reported to generate keys with BCryptGenRandom or CryptGenRandom. The malware enumerates drives A: through Z:, recursively traverses directories, excludes system-critical paths such as C:\Windows and C:\Program Files, excludes extensions including .exe, .dll, and .sys, avoids re-encrypting .ENCRT files, and may store RSA-encrypted per-file key bundles in appended data or separate .keystore files. Additional reported Windows behaviors include process and file enumeration, system information collection, debugger detection via IsDebuggerPresent, shadow copy deletion via WMI, and use of GetCurrentProcess and TerminateProcess.
On Linux, Gunra has been observed as a compact statically linked ELF binary targeting enterprise servers and supporting multiple architectures including x86-64, i386, and ARM. Linux-encrypted files are reported to receive the .GNRA extension, with .keystore files containing RSA-encrypted per-file symmetric keys and encrypted files carrying a footer marked ENCRT. The Linux variant reportedly skips critical directories such as /proc, /bin, /usr, /boot, /dev, /etc, /lib, /lib64, /run, /sbin, /srv, /sys, and /tmp, while targeting locations such as /home, /var, /opt, /root, /mnt, and /media. Reported post-compromise actions include renaming files, deleting logs, modifying PAM, Polkit, sudoers, cron jobs, init scripts, and Bash startup scripts. One report identified a significant cryptographic weakness in the Linux variant: ChaCha20 key material generated via musl-libc rand() seeded with time(), making .GNRA files potentially recoverable by brute-forcing seeds within the encryption time window; this weakness was reported not to affect the Windows variant.
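The recovery path described in the last sentence above, as an added demonstration that is not Gunra's code and not taken from any of the cited reports. The MuslRand class re-implements the 64-bit LCG that musl-libc uses for rand()/srand(); everything else is an assumption made for illustration: the way 32 key bytes are derived from rand() output (one low byte per call), the fixed all-zero nonce, the constructed encryption time, and the use of a file-format magic as known plaintext. The point it shows is that once the key depends only on time(), the candidate set is one key per second in the window, so a defender with one known-plaintext prefix can find the seed by exhaustive search.

```python
"""Added demonstration: recovering a ChaCha20 key that was derived from a
time()-seeded musl-libc rand(). Not Gunra's code; derivation and nonce are assumed."""
import struct

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


class MuslRand:
    """Re-implementation of musl's rand(): 64-bit LCG; srand(s) sets state to s-1."""

    def __init__(self, seed):
        self.state = (seed - 1) & MASK32          # srand() takes an unsigned 32-bit seed

    def rand(self):
        self.state = (6364136223846793005 * self.state + 1) & MASK64
        return self.state >> 33


def key_from_seed(seed):
    """ASSUMPTION: one low byte of rand() per key byte. The real derivation is not
    in the reporting; any deterministic function of the seed has the same weakness."""
    rng = MuslRand(seed)
    return bytes(rng.rand() & 0xFF for _ in range(32))


def _rotl(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 ChaCha20 block function (32-byte key, 32-bit counter, 96-bit nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key)) + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):                            # 20 rounds = 10 double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation) by XOR with the ChaCha20 keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, off // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


def recover_seed(ciphertext, known_plaintext, nonce, t_start, t_end):
    """Try every second in [t_start, t_end]; the seed whose key turns the ciphertext
    prefix back into the known plaintext (e.g. a file-format magic) is the answer."""
    prefix = ciphertext[:len(known_plaintext)]
    for seed in range(t_start, t_end + 1):
        if chacha20_xor(key_from_seed(seed), nonce, prefix) == known_plaintext:
            return seed
    return None


def demo(window=3600):
    """Constructed scenario: a PDF encrypted at t_enc, recovered from a +/- window search."""
    t_enc = 1_700_000_000                          # constructed encryption time
    nonce = b"\x00" * 12                           # ASSUMPTION: nonce handling is unknown
    plaintext = b"%PDF-1.7\n%constructed sample document body\n"
    ciphertext = chacha20_xor(key_from_seed(t_enc), nonce, plaintext)
    seed = recover_seed(ciphertext, b"%PDF-1.7", nonce, t_enc - window, t_enc + window)
    recovered = chacha20_xor(key_from_seed(seed), nonce, ciphertext) if seed is not None else None
    return seed, recovered == plaintext


if __name__ == "__main__":
    print(demo())
```

The search cost is linear in the width of the time window (file mtimes, log timestamps, or the ransom note's creation time bound it), which is why the report's phrase "within the encryption time window" matters: a few hours is a few thousand ChaCha20 blocks. The same approach fails against the Windows variant, whose keys come from BCryptGenRandom or CryptGenRandom rather than a seedable PRNG.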
Gunra has been reported affecting organizations globally, including victims in South Korea, Japan, Egypt, Panama, Italy, Argentina, Brazil, Canada, Turkey, Taiwan, and the United States. Sectors explicitly mentioned in reporting include real estate, pharmaceuticals, manufacturing, hospitals, infrastructure, and broader industrial environments. Reporting states Gunra initially targeted companies in South Korea, later claimed more than 20 victims across eight countries, and had 32 confirmed victim organizations by March 9, 2026. One report states Gunra attacked INHA University in South Korea in December 2025 and exfiltrated 650 GB of data. Gunra has also been cited in industrial-sector ransomware tracking and in reporting on extortion-first campaigns.
Operationally, Gunra is described as maintaining centralized oversight through a hosted affiliate panel with functions such as Negotiation, Files, Lock Tool, Handler, and Brand Setting. Reporting states operators directly participate in victim negotiations and that the platform supports white-label branding, allowing affiliates to launch technically related attacks under different ransomware names. Reported ransom demands were in the USD 7 million to USD 10 million range with a five-day payment deadline. High-confidence indicators directly mentioned in the source material include the .ENCRT and .GNRA encrypted-file extensions, ransom note R3ADM3.txt, .keystore artifacts, the ENCRT footer marker, and the onion portal nsnhzysbntsqdwpys6mhml33muccsvterxewh5rkbmcab7bg2ttevjqd[.]onion.
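A triage helper built around the high-confidence file-system indicators listed above, added here as an example and not code from Gunra, from any cited vendor, or from Mallory. It walks a directory tree and buckets what it finds into encrypted files (by the .ENCRT or .GNRA extension), ransom notes (R3ADM3.txt), .keystore artifacts, and files that carry the ENCRT marker in their tail without an encrypted extension. The footer's exact layout is not published, so looking for the marker anywhere in the last 4 KiB is an assumption; the sample tree the demo builds is constructed.

```python
"""Added triage helper: flags Gunra file-system artifacts in a directory tree.
Not Gunra's code; footer search window and the sample tree are constructed."""
import os
import shutil
import tempfile

ENCRYPTED_EXTS = {".encrt", ".gnra"}   # Windows / Linux encrypted-file extensions from reporting
RANSOM_NOTE = "r3adm3.txt"
KEYSTORE_SUFFIX = ".keystore"
FOOTER_MARKER = b"ENCRT"
TAIL_BYTES = 4096                      # ASSUMPTION: exact footer layout is not public


def has_footer_marker(path):
    """True if the ENCRT marker appears in the last TAIL_BYTES of the file."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            fh.seek(max(0, size - TAIL_BYTES))
            return FOOTER_MARKER in fh.read()
    except OSError:
        return False


def scan_tree(root):
    """Return lists of suspicious paths keyed by artifact type."""
    findings = {"encrypted": [], "notes": [], "keystores": [], "footer_only": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if lower == RANSOM_NOTE:
                findings["notes"].append(path)
            elif lower.endswith(KEYSTORE_SUFFIX):
                findings["keystores"].append(path)
            elif ext in ENCRYPTED_EXTS:
                findings["encrypted"].append(path)
            elif has_footer_marker(path):
                # extension stripped or renamed, but the footer marker is still there
                findings["footer_only"].append(path)
    return findings


def summarize(findings):
    """Counts per artifact type, convenient for a quick hunt report."""
    return {kind: len(paths) for kind, paths in findings.items()}


def build_constructed_tree():
    """Constructed sample tree mimicking the Linux target directories named in reporting."""
    root = tempfile.mkdtemp(prefix="gunra_demo_")
    home = os.path.join(root, "home", "alice")
    var = os.path.join(root, "var", "backups")
    os.makedirs(home)
    os.makedirs(var)
    files = {
        os.path.join(home, "report.docx.GNRA"): b"\x9a\x11ciphertext-bytes" + FOOTER_MARKER,
        os.path.join(home, "report.docx.GNRA.keystore"): b"rsa-wrapped-key-blob",
        os.path.join(home, "R3ADM3.txt"): b"constructed ransom note text\n",
        os.path.join(home, "notes.txt"): b"ordinary plaintext file\n",
        os.path.join(var, "db.bak"): b"\x00" * 8192 + b"more-cipher" + FOOTER_MARKER,
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build the constructed tree, scan it, clean up, and return the summary counts."""
    root = build_constructed_tree()
    try:
        return summarize(scan_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it against /home, /var, /opt, /root, /mnt and /media on a suspect Linux host (the locations reporting says the Linux variant targets), or against user and data shares on Windows; the footer_only bucket is the one that catches files an operator or a cleanup script has already renamed.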
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 3 techniques
Persistence: 4 techniques
  Evidence: "Behavioral Profile: What It Does on a Live System ... Modifies init.d / rc scripts ... Modifies Bash startup scripts ... MITRE ATT&CK Mapping ... Persistence Boot or Logon Initialization Scripts T1037"
  Evidence: "Behavioral Profile: What It Does on a Live System ... Creates/modifies cron jobs ... MITRE ATT&CK Mapping ... Persistence Scheduled Task/Job: Cron T1053.003"
Privilege Escalation: 3 techniques
  Evidence: the T1037 (Boot or Logon Initialization Scripts) snippet quoted under Persistence; ATT&CK maps that technique to both tactics.
Stealth: 5 techniques
  Evidence: This includes “obfuscation of malicious activity, avoidance of rule-based detection systems, strong encryption methods, ransom demands, and warnings to publish data on underground forums.”
  Evidence: "final cleanup: shutting down the thread pool, zeroing out sensitive memory (including encryption keys), and exiting cleanly"
Defense Impairment: 1 technique
Credential Access: 1 technique
Discovery: 4 techniques
Exfiltration: 2 techniques
Impact: 2 techniques
Gunra ransomware is a relatively recent threat that targets Windows systems with a combination of advanced encryption and data exfiltration strategies. This “double-extortion” approach is a key characteristic, as the ransomware not only encrypts victims’ files but also threatens to leak stolen data on its Tor-hosted extortion site.
IOCs tracked for this family
23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, in three categories: IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Gunra is a ransomware operation that evolved into a Ransomware-as-a-Service ecosystem. It provides affiliates with a web-based panel to manage attacks, negotiations, victim files, payload building, and payments, with support for both Windows and Linux payloads.
Conti-derived ransomware that expanded from Windows to Linux, including x86-64, i386, and ARM ELF builds. It encrypts files using a ChaCha20 + RSA-4096 hybrid scheme, appends the .GNRA extension on Linux and .ENCRT on Windows, drops the R3ADM3.txt ransom note, and operates as a ransomware-as-a-service affiliate program. The Linux variant contains a weak PRNG implementation using musl-libc rand() seeded by time(), making Linux-encrypted files potentially recoverable by brute force.
Gunra is a Ransomware-as-a-Service operation with an affiliate panel/builder that generates a “locker” payload. The ransomware targets primarily Windows (with claimed cross-platform support for Linux/ESXi/NAS), performs offline file encryption using a ChaCha20 + RSA-4096 hybrid scheme (per-file ChaCha20 keys/nonces protected by embedded RSA public key), selectively avoids system directories/extensions to keep systems usable, renames encrypted files with .ENCRT, and drops ransom notes (R3ADM3.txt) directing victims to a Tor .onion payment portal.
A ransomware family that emerged in 2025, using phishing and SaaS abuse as initial access vectors.