NOTE: This is a lengthy investigation that eventually took four months. Any future updates on this group will be reflected in this same blog post.
TABLE OF CONTENTS
- EXECUTIVE SUMMARY
- INTRODUCTION
- VICTIMOLOGY
- GUNRA RANSOMWARE GROUP INTEL
- DIVING INTO DATA LEAK SITE (DLS)
- DATA LEAK SITE TIMELINE
- UPDATE – 1
- UPDATE – 2
- UPDATE – 3
- UPDATE – 4
- SAMPLE ANALYSIS INTEL
- DoNoT LOADER USAGE IN GUNRA RANSOMWARE
- NEGOTIATION ANALYSIS
- RANSOM NOTE ANALYSIS
- LEAK ANALYSIS: FOUND MALWARE AMONG VICTIM BREACH
- DETECTION NAME ANALYSIS
- WHY IS THE UNITED STATES NOT ON THE VICTIM LIST 🇺🇸 ?
- NEGOTIATION PANEL UPDATE
- BACKEND TECHNICALS
- INSIDE CHAT
- PROFILING
- NEW MIRRORS
- GUNRA RAAS PANEL
- BUILD MODE INSPECTION
- SAMPLE ANALYSIS
- DLS UPDATE
- MITRE ATT&CK TTPs
- IOC
EXECUTIVE SUMMARY
Gunra Ransomware is a double-extortion ransomware group that primarily targets global victims, excluding the US, unlike other ransomware groups. The group has targeted only a single English-speaking country so far: Canada. They target Windows primarily, and recently rolled out a Linux counterpart, which marks continuous development.
The group uses phishing as its main attack vector to deliver malicious pieces to its targets and carries out negotiations on a WhatsApp-themed chat panel. The group is capable of encrypting huge volumes of data (9 TB) in a limited timeframe by using high-speed stream ciphers such as Salsa20 or ChaCha20.
They have made several changes to their DLS (Data Leak Site) in a short time, adopting a trial-and-error approach to reach a wider audience. This research covers the modus operandi of the group and the handy tools used by the group during their operations.
INTRODUCTION
Gunra Ransomware first appeared on 23rd April 2025. Like other ransomware groups, this group lists its victims on its DLS (Data Leak Site).

They specifically target Windows environments (EXE) and have recently begun targeting Linux (ELF) machines as well.
VICTIMOLOGY
Surprisingly, not a single US victim has been found so far. This is a rare situation in the ransomware scene, as the US tops the list in every ransomware ecosystem.
At the time of writing, the group has added 18 victims between April and September 2025.
Here, the list is topped by South Korea, Brazil, Japan, Canada, UAE, Egypt, and Panama. From the victim list, we can see that only one English-speaking nation is targeted, i.e. CANADA.
Apart from the above nations, Colombia, Nicaragua, Croatia and Italy are also part of the Gunra victim list.
NOTE: Either the group does not target US entities due to strong extradition policies (if found), or their national interest lies in the US.
Sectors targeted by the group are:-
- MANUFACTURING
- HEALTHCARE
- TECHNOLOGY
- SERVICE
- FINANCE
GUNRA RANSOMWARE GROUP INTEL
Here is some of the juicy info uncovered during the investigation:-
💡Negotiation Portal is stylized with a WhatsApp Theme
💡The negotiation portal is possibly hosted with Slack
💡DLS hosted with Apache/2.4.63 (Win64) PHP/8.4.5
💡Used Lumma Stealer in their operations
💡Demanded $10M, then reduced to $7M
💡Demanded $1M from another victim
💡Access to Internal Files and Office 365 Cloud claimed
💡9 TB of data encrypted in 2 days, i.e. roughly 52 MB/s, using Salsa20 or ChaCha20, high-speed stream ciphers capable of such throughput
They have used a Microsoft-themed phishing email to lure the victims, which was obtained directly from the threat actor:

Here is the preview of the email:-

Title used: Microsoft account security info verification
Email ID: account-security-noreply@accountprotection.microsoft.com
The email is legitimate and its headers are genuine, so it does not pose any risk. However, it can be assumed that the threat actor shared a genuine mail instead of a malicious one.
Upon inquiring about the tool, they shared a tool titled “GUNRA”:

Upon receiving it, I analyzed it and uploaded it to VT, which you can find here. This sample also has the same functionality and was spotted with the same file size.
Gunra operators are using the Bash Upload service as temporary storage to share their leaks or tools.
DIVING INTO DATA LEAK SITE (DLS)
Gunra hosted their Data Leak Site on a version 3 TOR domain, powered by Apache/2.4.63 (Win64) PHP/8.4.5.
Unlike other ransomware DLSs, this group provides a search option by industry to narrow down research. This helps to quickly identify a victim by querying the industry.
- gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion

The latest victims are listed/advertised with the “NEW” tag. Old victims are listed below.
The “hidden area” highlighted on the DLS is the Client Login Panel, which is guarded by a ClientID that is found in the Ransom Note.

The victim’s data is guarded by the Client ID before it is released publicly.

The data is arranged in a structured way:

As this is a revamped site, the Gunra DLS did not look like this earlier. The group had also launched a clear web version, which we will look at in the next section.
Let’s trace back the old DLS of Gunra Group…
DATA LEAK SITE TIMELINE
The group initially appeared in April 2025 with the same TOR domain. The Gunra Ransomware DLS initially looked like this:-

The group maintains a WhatsApp-themed Negotiation Portal for the victims to communicate, which can be reached at:-
apdk7hpbbquomgoxbhutegxco6btrz2ara3x2weqnx65tt45ba3sclyd.onion

While inspecting the messages, it was found that the backend of this negotiation chat is connected to another TOR domain:-
2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion
This domain is not reachable directly; however, the messages in the Negotiation Portal were being serviced via this domain.
In short:-
Negotiation Panel: apdk7hpbbquomgoxbhutegxco6btrz2ara3x2weqnx65tt45ba3sclyd.onion
Negotiation Panel Backend: 2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion
It was found that the group uses Slack in the back-end of the victim conversation:-

UPDATE — 1
In early May 2025, the group introduced a new Onion domain dedicated to clients, with a new Client ID, unlike before.

On clicking “Contact with ID”, it navigates to the newer domain:
jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion

Like the previously decommissioned domain, this domain’s messaging queue is connected to another TOR domain at the backend:
r3tkfu3h7sx4k6n7mr7ranuk5godwz7vlgvv2dk2fs2cbma5nailigad.onion
Negotiation Panel: jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion
Negotiation Panel Backend: r3tkfu3h7sx4k6n7mr7ranuk5godwz7vlgvv2dk2fs2cbma5nailigad.onion
The client negotiation panel is guarded by ReCaptcha, which takes a long time to solve (especially over TOR) before negotiation access is granted.
UPDATE — 2
In mid-May 2025, the group decommissioned the old Onion domain apdk7hpbbquomgoxbhutegxco6btrz2ara3x2weqnx65tt45ba3sclyd.onion and added support for TOX.

UPDATE — 3
In June 2025, the group launched their Data Leak Site on the clear web with the following address:-
- datapub.news
This website, titled “Public Data Share” by the Gunra group, was registered on 7th June 2025 and hosted with BlackHost, resolving to 86.54.28.216, running on Ubuntu Server with nginx as the web server and PHP/8.4.5. It is registered under AS174 Cogent Communications.
By visiting the website, we can deduce the following email address: a00f105546345756@proton.me
NOTE: The same host previously facilitated various phishing incidents, such as AppleJeus from the Lazarus Group 🇰🇵.
From the above data, we now understand that GUNRA has undergone various revisions of their Data Leak Site, finally settling on the dark-themed DLS.
UPDATE — 4
In August, the website was taken down and went offline, though the TOR website remains operational.

This underlines the fact that, upon receiving a formal complaint, BlackHost suspends the website, as they are not a bulletproof service provider.
UPDATE — 5
On 27th April 2025, the leaks were published on the same server that hosts the DLS.
Now, the negotiation portal has been removed and the leaks are directly available, which indicates the group does not want any further negotiation for the listed victims.

The entire leak is not available, as they are selling it to interested parties, which is evident from the following line:-
Note: If you want to donwload all this company data, Please Contact US.
There is a typo in the NOTE section, which indicates that the threat actor is a fast typist and does not check for typos before publishing the data.
The DLS was titled “Data Publish” and later “Public Data Share”.
Now, the negotiation portal is linked from the “Contact US” page in the DLS.
Though the surface web site went offline, the TOR domain remains operational, and all the leaks are hosted within the same DLS.

SAMPLE ANALYSIS INTEL
I have identified 6 samples of Gunra Ransomware in total as of now. The earliest sample dates to 10th April 2025. The latest samples were compiled on 28th May 2025 (EXE) and 16th July 2025 (ELF).
Out of the 6 samples, 2 are sized at 1.79 MB and the rest are 195 KB, 121 KB and 421 KB.
All the samples are included at the end of this article under the IOC section.
A few artifacts found during the sample analysis are:-
📌Gunra is a spin-off from Conti Ransomware, as the code base is identical
📌Read Me file titled R3ADM3.txt, which was previously used by the Conti group
📌Upon infection, all encrypted files are appended with the extension “.ENCRT”
💡Initial Access: Spear Phishing Document
💡Traces of Akira Ransomware were also spotted
📌Instructs to erase about (60+) Volume Shadow Copies
📌Data Encryption: Salsa20, ChaCha
📌Data Encoding: XOR, Base64
📌Data Hashing: murmur2
📌Mutex: kjsidugiaadf99439
💡Used this query for Shadow Deletion: (Process #59) wmic.exe executes WMI query: SELECT * FROM Win32_ShadowCopy WHERE ID='{8FD052FE-440B-4B35-B239-BD9DD042C664}'
💡The same above query used by LockBit 4.0, VanHelsing, Conti, Monti for Shadow Copy Deletion
💡Used Path: D:\wrk\tool\encrypter\x64\Debug\encrypter.pdb
📌All samples use Microsoft Visual C/C++ with Microsoft Linker
💡Linux Sample uses GCC (Debian 14.2.0–17), a recent compiler for Unix-based systems, specifically targeting 64-bit Linux environments, given the GCC 14.2.0 release date
💡ELF64 format for Unix/Linux, specifically the AMD64 (x86-64) architecture, targeting modern Linux distributions (e.g., Debian, Ubuntu, or similar server OS)
💡2 Executables use LTCG (Link-Time Code Generation), suggesting optimization for performance
💡Console payload: Stripped for evasion (no embedded debug); higher MSVC++ probability suggests core encryption component
💡2 Executables are console-based and stripped to external PDB, suggesting optimized release builds for Windows (likely Windows 10/11 or Server editions)
💡Visual Studio (2019 or 2022) and MSVC++, with versions indicating C++ usage are used
Though the initial samples have code overlap with Akira and Conti, the newer versions of Gunra Ransomware are fresh and not copied from any other known variants.
This is one such example:
MD5: 7dd26568049fac1b87f676ecfaac9ba0
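As an added example (not code from this page or from the group), here is a small triage script that applies the artifacts listed above (the R3ADM3.txt ransom note, the .ENCRT extension, the mutex name and the Win32_ShadowCopy query issued through wmic.exe) to constructed Sysmon-style log lines; the log format and every log line are assumptions made for illustration.

```python
"""Triage helper built from the Gunra artifacts above. Added example, not code
from the page or the group; the log format and lines are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Artifacts taken from the sample analysis above (lower-cased for matching)
RANSOM_NOTE = "r3adm3.txt"
ENCRYPTED_EXT = ".encrt"
MUTEX_NAME = "kjsidugiaadf99439"
# wmic.exe issuing a Win32_ShadowCopy query, used ahead of shadow copy deletion
SHADOWCOPY_RE = re.compile(r"wmic.*win32_shadowcopy", re.I)
TARGET_RE = re.compile(r"TargetFilename=(\S+)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def scan_log(lines):
    """Return one Finding per matching artifact; a line may yield several."""
    findings = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if SHADOWCOPY_RE.search(line):
            findings.append(Finding(n, "shadow_copy_query", line.strip()))
        m = TARGET_RE.search(line)
        target = m.group(1).lower() if m else ""
        if target.endswith(RANSOM_NOTE):
            findings.append(Finding(n, "ransom_note_drop", m.group(1)))
        if target.endswith(ENCRYPTED_EXT):
            findings.append(Finding(n, "encrt_file", m.group(1)))
        if MUTEX_NAME in low:
            findings.append(Finding(n, "gunra_mutex", line.strip()))
    return findings


def triage(lines, encrt_threshold=3):
    """Combine findings into a verdict: shadow-copy tampering plus either the
    ransom note or a burst of .ENCRT files is treated as ransomware activity."""
    counts = Counter(f.rule for f in scan_log(lines))
    impact = counts["ransom_note_drop"] > 0 or counts["encrt_file"] >= encrt_threshold
    if counts["shadow_copy_query"] and impact:
        verdict = "ransomware_activity"
    elif counts["shadow_copy_query"] or impact or counts["gunra_mutex"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, **counts}


# Constructed Sysmon-style lines (not real telemetry): EventID 1 = process
# create, EventID 11 = file create. Paths and the encryptor name are made up.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\explorer.exe CommandLine="C:\Windows\explorer.exe"
EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy" Query="SELECT * FROM Win32_ShadowCopy WHERE ID='{8FD052FE-440B-4B35-B239-BD9DD042C664}'"
EventID=11 Image=C:\Users\Public\enc.exe TargetFilename=C:\Users\Public\Documents\R3ADM3.txt
EventID=11 Image=C:\Users\Public\enc.exe TargetFilename=C:\Users\Public\Documents\report.docx.ENCRT
EventID=11 Image=C:\Users\Public\enc.exe TargetFilename=C:\Users\Public\Documents\q3.xlsx.ENCRT
EventID=11 Image=C:\Users\Public\enc.exe TargetFilename=C:\Users\Public\Documents\plan.pdf.ENCRT
EventID=11 Image=C:\Windows\notepad.exe TargetFilename=C:\Temp\notes.txt
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
    print(triage(SAMPLE_LOG))
```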
DoNoT LOADER USAGE IN GUNRA RANSOMWARE
While analyzing the code, it was found that Gunra used various loaders, such as the Donot Loader routine embedded within the ransomware binary.

Behavioral Flow
1. Execution jumps to a new memory region (`0x127000`).
2. Stack is initialized and memory is cleared.
3. Obfuscated values are decoded using XOR.
4. Internal functions are called to:
   - Resolve APIs
   - Allocate memory
   - Possibly decrypt or decompress payload
   - Inject or execute the final stage
5. Payload metadata is written to memory.
6. Execution transitions to the next stage via another jump.
Here you can use this YARA rule to detect the same in the future:-
rule Embedded_Donot_Loader_Stub_Ransomware
{
    meta:
        author = "THERAVENFILE"
        description = "Detects embedded DONOT loader stub used in GUNRA ransomware"
        version = "1.0"
        date = "2025-07-07"
    strings:
        $jmp_transfer = { FF 25 ?? ?? ?? ?? }                    // jmp to new region (e.g., jmp 0x127000)
        $stack_setup  = { 48 81 EC 18 02 00 00 }                 // sub rsp, 0x218
        $stosd_loop   = { B9 4E 00 00 00 B8 CC CC CC CC F3 AB }  // mov ecx + mov eax + rep stosd
        $xor_decode   = { 48 33 C5 }                             // xor rax, rbp
        $jmp_final    = { E9 ?? ?? ?? ?? }                       // jmp to final payload
    condition:
        all of them
}
NOTE: The above YARA rule was created with Copilot from the instruction set fed to it. Hence, it may contain false positives (FPs). Tweak it as per your own malware sample analysis before use.
If you want to dig deeper into the Linux sample, you can find an analysis here by Trend Micro.
During analysis of GUNRA samples, it was found that some of the samples are mis-tagged as Gunra. Remember that only files with the .ENCRT extension (or references to the DLS) belong to Gunra. No other parameters stand as of now.
NEGOTIATION ANALYSIS
During negotiation, the group demanded 13 BTC, $10M and $2M from different victims. From a Colombian victim, the group initially demanded $20M as ransom, which is unrealistic, but agreed to $70K.
Unrealistic ransom demands mark them as immature operators. This points to the fact that the threat actors are over-ambitious.
Here are some of the screenshots of chats with the Gunra group:-

After gaining access, the threat actor conducted lateral movement via a custom tool, which they call “GUNRA”.

When asked about the patch…

While investigating other victims, I came across other chat rooms at a new URL:-
jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion

In this, the post of “Manager” became “Black Manager”, as we can see in the above screenshot.
For another client, the following was found:-

Here, the admin has been changed to “redManager”.
NOTE: This indicates there could be multiple parties assigned to each victim with different color codes.
This dedicated negotiation portal is guarded with a captcha, which makes logging in frustrating for the client, taking at least 10 captcha attempts.
RANSOM NOTE ANALYSIS
The Gunra group drops its ransom note on the victim’s machine with the filename R3ADM3.txt, which was previously used by the Conti ransomware group.
Here is the Ransom Note:-
YOUR ALL DATA HAVE BEEN ENCRYPTED
We have dumped your sensitive business data and then encrypted your side entire data.
The only way to decrypt your files is to receive the private key and decryption program.
To receive the private key and decryption program, you must contact us.
We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free when you contact us.
You Only Have 5 Days To Contact Us
How to contact us
. Download “Tor Browser” and install it.
. In the “Tor Browser” open this site here :
http://apdk7hpbbquomgoxbhutegxco6btrz2ara3x2weqnx65tt45ba3sclyd.onion
. After signup and login to this site and contact Manger
You need to contact “Manager” to recover all your data successfully.
DANGER
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
And also we will publish your data on the dark web if there is no reply from you within 5 days.
Publish URL: http://gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion/
The ransom note to a victim was also spotted in Spanish:-

From the ransom note, we can see the group added a new clearnet website, datapub.news, which was registered on 7th June 2025.
LEAK ANALYSIS: FOUND MALWARE AMONG VICTIM BREACH
While analyzing a leak, a remote-connect tool caught my attention with the file name Net-Admin-Supporto-Remoto-.ClientSetup.exe (MD5: c07b712a984a506042ea2cf6e193f20c).

Upon submitting the sample to VT, it returned 42 detections, which is unusually high for a legitimate remote tool.
These are the detections spotted for this tool:-
- W32.AIDetectMalware
- Win/grayware_confidence_60% (D)
- Trojan.Siggen21.26087
- A Variant Of Win32/RemoteAdmin.ConnectWiseControl.E Potentially Unsafe
- Trojan.Win32.MultiInjector.dd!s1
- HackTool/ConnectWiseControl.e
- PUA.ScreenConnect
- Trojan.Agent.edgo
- Unwanted-Program ( 005c6d501 )
- Not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen
- Trojan.Malware.300983.susgen
- Ti!64049E058F34
- Static AI - Suspicious PE
- BehavesLike.Win32.ConnectWise.tc
- Pua:HackTool.Win32.Connectwise.16001881
- PUP-IPR
- W32/ConnectWise.B.gen!Eldorado
- BScope.Riskware.ConnectWise
- Riskware.RemoteAdmin!O4vT/8AeK2A
- Tool.Convagent.Win32.869
NOTE: KLINGER Italy is a leading manufacturer and marketer of Level Gauges, valves and industrial gaskets
The sample is identified as ConnectWise. Next, we will see why this piece is considered malicious.
DETECTION NAME ANALYSIS: CONNECTWISE
Malware-Specific Detections
===========================
W32.AIDetectMalware
Trojan.Siggen21.26087
Trojan.Win32.MultiInjector.dd!s1
Trojan.Agent.edgo
Trojan.Malware.300983.susgen
Ti!64049E058F34
These labels from multiple vendors (e.g., BitDefender, DrWeb, Fortinet) point to trojan-like behavior, including payload injection and generic malware signatures. These are not typical of legitimate software.
HackTool and RemoteAdmin Flags
==============================
Static AI - Suspicious PE
BehavesLike.Win32.ConnectWise.tc
These suggest the file exhibits suspicious characteristics in its executable structure or runtime behavior, often associated with malicious modifications.
Potentially Unwanted Program (PUP/PUA)
======================================
PUA.ScreenConnect
Unwanted-Program (005c6d501)
PUP-IPR
These are less severe and could apply to legitimate remote access tools due to their potential for misuse. However, in the context of a leak and alongside Trojan detections, they add to the suspicion.
Grayware and Generic Detections
===============================
Win/grayware_confidence_60% (D)
W32/ConnectWise.B.gen!Eldorado
These indicate the file is flagged as potentially harmful software with moderate confidence, possibly due to obfuscation or behaviors not explicitly tied to a known malware family.
WHY IS THE UNITED STATES NOT ON THE VICTIM LIST 🇺🇸 ?
The group is either from the US or excludes the US from their Victim List. This is evident as most of their targets are from Asia and Europe.
There could be multiple reasons behind this decision. The group might be well aware that infecting a US entity would bring serious extradition issues in the long run, as long-forgotten hack groups and cyber criminals have been busted across multiple locations in coordinated operations such as Endgame, Talent, Phobos Aetor etc. The group could currently be geo-located in the US, which would create a high risk of getting noticed on law enforcement’s radar.
By avoiding US targets, the group might evade quicker tailing by the FBI or CISA, as the home country is always quicker to act than a foreign law enforcement division: a lot of clearance has to be issued before an extradition arrangement with the US is made and charges are pressed.
NOTE: If they target a US entity in the near future, please excuse my above section as it will be nullified 🙂
NEGOTIATION PANEL UPDATE
A shift from a WhatsApp-themed negotiation panel to a proper chat room became evident towards the end of 2025 (December 2025). Gunra announced a new negotiation portal, which is hosted with nginx:-
nsnhzysbntsqdwpys6mhml33muccsvterxewh5rkbmcab7bg2ttevjqd.onion

Upon a deep scan, it was found that the negotiation portal is built on WordPress, as the Heartbeat API is being used, which is native to the WordPress ecosystem.
NOTE: The Heartbeat API is a mechanism that uses periodic signals (messages or requests) to monitor status and ensure the continuous operation and connectivity of a service or component in a computer system, which is ideal for real-time chat.
Here is the Newest Negotiation Portal of Gunra Ransomware (as of January 2026):-

As evident from the screenshot, the victim database is present in the left pane as a drop-down for easier navigation. The administrator of the chat is found to be “WHITE HANDLER”. The panel offers both dark mode and light mode.
By observing previous chatroom analysis, we can see a clear shift of handles from “Manager” to “Handler”.
Upon digging deeper, we found that “Double Tick” is enabled as a notification, like on messaging platforms, and the “Typing” indicator also suggests that the group modified their previous WhatsApp-themed negotiation portal.

BACKEND TECHNICALS
Upon scanning the server response, the following things are observed:-
Key Endpoints:
- /api/messages/unread-count → Polls for unread message counts (efficient caching with frequent 304 Not Modified responses).
- /api/presence/typing/{conversationID} → Handles real-time “typing” indicators in specific conversations (e.g., ID: OL2qV8yxUFUnJencCxFLx).
These features indicate a full-featured anonymous messaging/chat application running on the Dark Web, optimized for low-bandwidth polling over Tor (tiny payloads, ETag caching, plain HTTP as Tor provides encryption).
INSIDE CHAT
The group initially aimed for $100K, which is absurd for already-published data.

Although they said they would decrease it, the group stuck to $100K, but finally agreed to $38K!

When inquired about the payment, Gunra mentioned that their group is on a break:-

As they mentioned “some hours”, this could indicate that the group is in a sleeping time zone. This could buy them some time to generate a BTC wallet.
A wild guess could point to the US or Canada, as the current time was 1:05 AM (during my chat session).
Surprisingly, the group/moderator sent the BTC address within half an hour!

Summing up the above recorded activities, it is found that the group is eager to get the payment, as the BTC address (bc1q567hf33wfhe05weqs4ljwhnddt7pe4rjjqypnv) was generated within half an hour of the chat.
When queried about decryptors, Gunra passed a screenshot as proof of decryptors via Temp Share.

Checking the timestamp, it is evident that the actor kept it alive for 3 days, expiring on 10th January 2026.

This signifies that Gunra maintains a panel with options like Target, Operator and Tool. When queried about the ransomware group size, the following answer was given:-

During a personal chat, the personal email address was revealed as:-
6449a3c1e612168526@proton.me

The chat operators/affiliates are assigned Proton Mail addresses with alphanumerics instead of names, as we have seen with another similar email address above.
Upon asking about the infection rate, the moderator replied:-

On inquiring about previous victims, the group revealed that SGIC, a finance firm from South Korea 🇰🇷, paid the ransom.

When queried about the payment made by SGIC, they gave a neutral answer:-

From this reply, it appears that the group might have received between $700K and $1M or more from SGIC, or the group might be overstating it as a pressure tactic.
Currently, there are 4 active victims in the negotiation phase with the Gunra group (at the time of the session):-

PROFILING
The usage of conversational dialogue such as:-
“what is your job? you seem to embezzle company funds without your boss’s knowledge.”
and
“oh, damn it. i’m so tired, so let’s meet again tomorrow.”
This indicates a fluent English speaker with possible nationalities such as UK, US, Canada, Ireland, Australia or New Zealand, with NO non-native elements present.
NOTE: Again, this doesn’t mean that other countries are excluded, but a higher probability is aligned to this region by observing past activities.
The actor maintains pressure tactics for a quicker settlement.

The actor claimed to have put the same on the XSS and RAMP forums to sell the database.
When asked about the internal messaging of the group, the actor shared the following screenshot:-

As there was no message from the victim for 24 hours, the group escalated their pressure tactics to data trading on Breach Forums.

On insisting on a screenshot of the conversation between the mod and the Manager, he forwarded the following conversation from the internal chat:-

This signifies that, unlike the previous “color-coded Managers” like Red Manager and Black Manager, the term Manager is now assigned to the admin of the GUNRA project, and affiliates/mods are assigned as “color-coded Handlers”, as I had a chat with “White Handler”.
Upon further chat, the moderator/handler of this group found that the present company had been attacked previously.
“i found something interest,
you got infect at 01/2023, now again. right ?”
This shows pro-activeness in researching their victims for past attacks.
The group uses the SendGB service, an Estonian file-sharing service, to host large leaks internally.
NOTE: SendGB is mostly used in India, followed by Turkey, Pakistan and the US.
NEW MIRRORS
The group recently announced 4 new Onion domains on their DLS!

- tgsst34i6z4mwdj2kpigixxb3k3xfz7xhuqnsowvfvyu3snm6nv4s5ad.onion
- myeli53ogsryjg2kob4xqxtwkr5oc5zj7jr5fcfizpytwe566k5thxyd.onion
- 6oeuvb4fq65xlrft2ezxjmkeqnu7oafbsevrr3ocer27wft6ivvhstqd.onion
- ryrw2ojab62yij4y33ssfgvm2d2vwt3tcqetu6qmpwznqhooqxz3wpqd.onion
All of these are hosted with Apache/2.4.63 (Win64) PHP/8.4.5.
To view the complete IOCs, you may visit here.
UPDATE 1
GUNRA RaaS PANEL
Tammy Harper from Flare helped by providing the test panel of Gunra Ransomware, where we get a sneak peek into their insider panel.
Here is the panel screenshot:

In this, you can see the page is titled “chloride”. The victims are listed numerically on the left panel. Each victim has 4 sections, namely: Negotiation, Files, Lock Tool and Handler.
- Negotiation: Where Ransomware victims are engaged and Message History can be seen
- Files: Where the data leaks of victims are present
- Lock Tool: Where the affiliate can create builds using the pre-set config of the panel
- Handler: The person who engages with the victim for quick chat
In total, GUNRA currently targets 7 OS architectures on their panel:

BUILD MODE INSPECTION
While inspecting the build, we can see the build configuration for both Windows and Linux.
Here is the sample build config for a Windows binary:-

Let’s dive deep into this.
EXTS MODE
This is the Extension Mode in the RaaS panel that controls how the ransomware binary decides which file types (by their extensions) to target for encryption.
It usually has 2 options:- Include and Exclude
Include mode (“whitelist” mode): The ransomware only encrypts files whose extensions are explicitly listed in the panel’s extensions field; everything else is skipped.
NOTE: This is useful when the attacker wants to focus narrowly on high-value file types (e.g. only .docx, .xlsx, .pdf, .dwg, .sql, etc.) and avoid touching system files, EXEs, or very large media files that could slow down the attack or trigger alerts.
Exclude mode (“blacklist” mode): The ransomware encrypts all files except those whose extensions are listed in the extensions field; the listed extensions are skipped (protected from encryption).
RATIO
This is a configuration parameter that controls intermittent or partial encryption behavior for larger files. It implements a simple encrypt → skip → encrypt → skip pattern across the file’s contents, measured in MB.
This reduces the work while effectively attaining 50% encryption of each file.
The behavior changes with the Ratio value as follows:-
- Ratio = 1 (default): 1 MB encrypt → 1 MB skip → repeat → ~50% encrypted.
- Ratio = 2: 1 MB encrypt → 2 MB skip → repeat → ~33% encrypted (faster, but still very damaging).
- Ratio = 3–5+: Even lower encryption percentage → prioritizes extreme speed (common for targeting massive backup/storage servers or ESXi datastores).
- Ratio = 0: No skip → effectively full encryption for those files (encrypt continuously).
THREADS
As in OS terms, this defines the number of concurrent worker threads used for encryption (in this context).
Setting it to a high number such as 30 or 50 would speed up the encryption, but CPU usage spikes as a result.
A lower number of threads, like 4 or 8, would slow down the encryption but attain stealth, without quickly alerting any EDRs or AVs.
Option 0: This is often used by ransomware operators to let the system detect the configuration on the fly and assign workers accordingly. This is a smart metric used by the group.
LIMIT
This defines a per-file encryption size cap. This option controls how much of each file the malware will attempt to encrypt (in GB).
If a file is smaller than the specified limit, the ransomware encrypts the entire file.
If a file is larger than the limit (e.g. a 1 GB limit and a file size of 50 GB), the ransomware encrypts only the first 1 GB.

Here is the config for Linux Environment:

This is an active configuration of a Windows Build
Generally, paths like C:\Windows, C:\Program Files and C:\Program Files (x86) are excluded from encryption.
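To make the Exts Mode, Ratio, Limit and excluded-path options above concrete for impact assessment, here is an added model (not Gunra’s code, and not code from the panel) that, given a build config and a file listing, reports which files would be touched and what fraction of each would be encrypted; the exact on-disk behaviour of the real binary is assumed to be the 1 MB encrypt / Ratio MB skip pattern the page describes, and the file listing is constructed.

```python
"""Model of the Gunra RaaS build options described on the page (Exts Mode,
Ratio, Limit, excluded system paths). Added example for impact estimation;
the encrypt/skip pattern is an assumption taken from the page's description."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

MB = 1024 * 1024
GB = 1024 * MB
# Paths the page says are generally excluded from encryption
DEFAULT_EXCLUDED = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


@dataclass
class BuildConfig:
    exts_mode: str = "exclude"          # "include" (whitelist) or "exclude" (blacklist)
    extensions: frozenset = frozenset()  # extensions field of the panel, without dots
    ratio: int = 1                      # MB skipped after every 1 MB encrypted; 0 = no skip
    limit_gb: float = 1.0               # per-file cap: only the first limit_gb GB is touched
    excluded_paths: tuple = DEFAULT_EXCLUDED


def is_targeted(path: str, cfg: BuildConfig) -> bool:
    """Apply the excluded-path list first, then the Exts Mode rule."""
    p = PureWindowsPath(path)
    if any(PureWindowsPath(ex) in p.parents for ex in cfg.excluded_paths):
        return False
    ext = p.suffix.lower().lstrip(".")
    if cfg.exts_mode == "include":
        return ext in cfg.extensions
    if cfg.exts_mode == "exclude":
        return ext not in cfg.extensions
    raise ValueError(f"unknown exts_mode {cfg.exts_mode!r}")


def encrypted_ranges(file_size: int, ratio: int, limit_gb: float):
    """Byte ranges (start, end) touched by the 1 MB encrypt / `ratio` MB skip
    pattern, stopping at the per-file Limit (or end of file, whichever is first)."""
    cap = min(file_size, int(limit_gb * GB))
    ranges, pos = [], 0
    while pos < cap:
        end = min(pos + MB, cap)
        ranges.append((pos, end))
        pos = end + ratio * MB
    return ranges


def encrypted_fraction(file_size: int, ratio: int, limit_gb: float) -> float:
    """Fraction of the file's bytes that end up encrypted (0.0 for an empty file)."""
    touched = sum(end - start for start, end in encrypted_ranges(file_size, ratio, limit_gb))
    return touched / file_size if file_size else 0.0


def estimate_impact(listing, cfg: BuildConfig):
    """listing: iterable of (path, size_bytes). Returns {path: encrypted fraction}
    for targeted files only; files the config would skip are omitted."""
    return {path: encrypted_fraction(size, cfg.ratio, cfg.limit_gb)
            for path, size in listing if is_targeted(path, cfg)}


# Constructed file listing (not from any real victim)
SAMPLE_LISTING = [
    (r"C:\Windows\System32\kernel32.dll", 700 * 1024),
    (r"D:\share\finance\q3.xlsx", 100 * MB),
    (r"D:\share\tools\setup.exe", 20 * MB),
    (r"D:\backups\vm01.vmdk", 50 * GB),
]

if __name__ == "__main__":
    cfg = BuildConfig(exts_mode="exclude", extensions=frozenset({"exe", "dll"}),
                      ratio=1, limit_gb=1.0)
    for path, frac in estimate_impact(SAMPLE_LISTING, cfg).items():
        print(f"{path}: {frac:.1%} of file encrypted")
```

With the default Ratio of 1 and a 1 GB Limit, the 100 MB spreadsheet comes out exactly 50% encrypted while the 50 GB disk image is only 1% touched, which is the speed-over-coverage trade-off the Ratio and Limit options exist for.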
SAMPLE ANALYSIS
In March 2026, new samples of Gunra were identified, which are Linux builds. Earlier, Linux builds were not available, as the group only targeted Windows environments.
Their MD5 hashes are the following:-
- 136e0bf4e5fe4d4249fe9570153a0b97
- b54edbcec7664fde548a7ba1fa8b3b78
- 186c77101c027a465b14cb4a74f8381e
- 182024fc6c5fe0b1b33fdd9c7c37e368
Upon analyzing the sample, it was found that nearly 50% of the codebase has an exact match with the Ngioweb botnet, which was prevalent in 2019.

In another Linux build of Gunra, the largest portion of the codebase matches another IoT botnet, Gafgyt, which has been prevalent since 2014.

In short, it is found that the Windows builds are originally attributed to Gunra itself, though they have code traces of Conti Ransomware. In the case of the Linux builds, the group relied on existing IoT botnet source code such as Gafgyt and Ngioweb.
As per the analysis by Break Glass, a fatal flaw was discovered in the cryptographic function of Gunra Ransomware, which is quoted as:
Reveals a catastrophic cryptographic weakness: the Linux build generates ChaCha20 key material using musl-libc’s rand() seeded by time(), reducing the entire keyspace to roughly 256 possible values per second of encryption activity. Files encrypted by this variant are recoverable via brute-force without paying.
This might be the reason the operators are hunting for Linux specialists to join their team to build a neat encryptor, as advertised on their DLS (see the report below).
DLS UPDATE
In February, the group revamped their website and moved to a new TOR domain for their leaks.

The group removed all the old leaks, and a fresh data set is present on their DLS, which is now hosted with nginx.
All the leaks are well organized in a structured way, making it easy to navigate the dataset, though some entries have no data at all.

Though they list data, there is no download option (ATTOW); you can only see the list of files. This could be intended by the group to give a sense of data trading. And remember, there was a default dialog box mentioning data trading of company “X” and company “X” while loading their DLS.
They have also updated their new TOX ID on this website, which is:-
- 47829AF1C943D4C296C910706923A5199BDA4995B076ED9A9016F7DEF161D445DF00F13E6900
Additionally, support is also provided via Session Manager:-
- 05a6bcfe5d1ebeaf19971cc5217214e6d52200d32fa9d81f9cd2b19a9c82697341
In the “Who We Are” section, the group showcased the following:

It is notable that the group chose to feature Biz Chosun articles. Biz Chosun is a prominent South Korean professional business news brand and media company.
In April 2026, the group launched a dedicated forum, advertised on their DLS with the following message:

It is important to note that the group maintains the same Onion domain for various purposes.
frm.lgiil72vkmdtbc3qv4tyq6wedyjxqr2qd4ze7xl2cxgerdnymxj7soqd.onion

Registration to this forum is activated via TOX ID.

Apart from the forum, the group posted a new message about affiliate participation:

This time, the Gunra Ransomware group used the same domain with a different subdomain to keep the negotiation panel together with the DLS, and named it “GUNMS”.
nms.lgiil72vkmdtbc3qv4tyq6wedyjxqr2qd4ze7xl2cxgerdnymxj7soqd.onion

Here, we can assume that NMS stands for Negotiation Management System.
STAY TUNED FOR MORE UPDATES!!!
MITRE ATT&CK TTPs
After analyzing GUNRA samples, the following tactics and techniques were found:-
- TA0001: Initial Access
- TA0002: Execution
- TA0003: Persistence
- TA0004: Privilege Escalation
- TA0005: Defense Evasion
- TA0006: Credential Access
- TA0007: Discovery
- TA0008: Lateral Movement
- TA0009: Collection
- TA0010: Exfiltration
- TA0011: Command and Control
- TA0028: Persistence (Mobile)
- TA0029: Privilege Escalation (Mobile)
- TA0030: Defense Evasion (Mobile)
- TA0031: Credential Access (Mobile)
- TA0033: Lateral Movement
- TA0034: Impact
- TA0035: Collection
- TA0036: Exfiltration
- TA0037: Command and Control (Mobile)
- TA0038: Network Effects
- TA0039: Remote Service Effects
- TA0040: Impact
- TA0041: Execution
- TA0042: Resource Development
- TA0043: Reconnaissance
- T1003: OS Credential Dumping
- T1005: Data from Local System
- T1014: Rootkit
- T1055: Process Injection
- T1090: Proxy
- T1027: Obfuscated Files or Information
  - T1027.002: Software Packing
  - T1027.005: Indicator Removal from Tools
- T1036: Masquerading
- T1047: Windows Management Instrumentation
- T1057: Process Discovery
- T1063: Security Software Discovery
- T1071: Application Layer Protocol
- T1081: Credentials in Files
- T1082: System Information Discovery
- T1083: File and Directory Discovery
- T1119: Automated Collection
- T1129: Shared Modules
- T1143: Hidden Window
- T1176: Software Extensions
- T1185: Browser Session Hijacking
- T1486: Data Encrypted for Impact
- T1490: Inhibit System Recovery
- T1496: Resource Hijacking
- T1518: Software Discovery
- T1539: Steal Web Session Cookie
- T1542: Pre-OS Boot
  - T1542.003: Bootkit
- T1552: Unsecured Credentials
  - T1552.001: Credentials in Files
- T1555: Credentials from Password Stores
  - T1555.003: Credentials from Web Browsers
- T1574: Hijack Execution Flow
  - T1574.002: DLL Side-Loading
- T1548: Abuse Elevation Control Mechanism
- T1564: Hide Artifacts
  - T1564.001: Hidden Files and Directories
IOC
TOR DOMAINS
===========
MD5
===
URLs
=====
https://bashupload.com/0OoOe/tool.7z
https://bashupload.com/FOIGR/email.7z
https://datapub.news
Mail
====
ilovemycubscout@gmail.com
a00f105546345756@proton.me
6449a3c1e612168526@proton.me
IP: 86.54.28.216
TOX ID
2507312EC10BB44ED9DAA04E3C5C27E8C13154649B1A02E73ACFAE1681EE0208D05133A8FB22
47829AF1C943D4C296C910706923A5199BDA4995B076ED9A9016F7DEF161D445DF00F13E6900
NOTE: The article is purely Individual Research and is only associated with THE RAVEN FILE and is not subjected to be used/published anywhere without the Author’s consent.