Gunra Ransomware Expands RaaS Operations After Moving Beyond Conti-Based Locker


Gunra ransomware has grown from a new ransomware threat into a broader ransomware-as-a-service (RaaS) operation with affiliates, a management panel, Windows and Linux payloads, and a dark web recruitment model.

S2W says the group was first identified in April 2025 after attacks against five South Korean companies. Early Gunra activity used a Conti-based ransomware locker, but the operators later developed their own ransomware and moved into a full RaaS model.

As of March 9, 2026, S2W had confirmed 32 victim organizations linked to Gunra. The number shows how quickly the operation scaled after affiliates joined and began running their own campaigns.

What makes Gunra ransomware different now

Gunra no longer looks like a small ransomware crew relying on borrowed code. The group now operates more like a service provider for cybercriminal affiliates.

Its panel gives affiliates access to functions for negotiation, stolen files, locker creation, attack handling, and brand settings. That last feature matters because it allows affiliates to run attacks under their own names while still using Gunra’s tooling and infrastructure.

This white-label model can make attribution harder for defenders. A newly named ransomware brand may appear to be independent, while the underlying code, panel, or operational workflow may still connect back to Gunra.

Category                    Gunra details
First observed              April 2025
Early target region         South Korea
Early locker base           Conti-based ransomware
Current model               Ransomware-as-a-service
Confirmed victims by S2W    32 organizations as of March 9, 2026
Supported platforms         Windows and Linux

From Conti code to a custom ransomware platform

Gunra’s early use of Conti-based code gave the operators a fast way to enter the ransomware scene. Conti’s leaked code and operational ideas have influenced several later ransomware families.

However, relying on older code also limits flexibility. A custom locker gives operators more control over encryption behavior, panel integration, affiliate workflows, and future development.

S2W says Gunra eventually moved away from its Conti-based beginnings and developed its own ransomware. That shift helped the group support a more mature RaaS operation.

How Gunra recruits and operates

Gunra keeps much of its activity inside dark web forums that allow ransomware-related content. S2W says the group has appeared on forums such as RAMP, Rehub, Tierone, and Darkforums.

The operators use these spaces to recruit affiliates, look for "penetration testers" (the forum euphemism for operators who break into victim networks), advertise access to the program, and sell compromised data. They do not appear to rely on loud public marketing as much as some ransomware groups.

This quieter strategy can make the group harder to track. It also suggests Gunra is trying to build a longer-term criminal ecosystem rather than only running short-lived campaigns.

  • Gunra recruits affiliates through ransomware-friendly dark web forums.
  • The group has used controlled promotion instead of wide public advertising.
  • Affiliates can use a panel to manage victims and ransomware builds.
  • The operator can participate directly in negotiation workflows.
  • The Brand Setting feature can support rebranded affiliate campaigns.

Gunra’s panel supports affiliate-run attacks

The Gunra panel gives affiliates the tools needed to manage ransomware operations from one place. S2W identified panel features named Negotiation, Files, Lock Tool, Handler, and Brand Setting.

The Negotiation section is especially important because it suggests the core operator may stay involved after affiliates compromise victims. That can help the group standardize pressure tactics and ransom discussions.

The panel also lowers the barrier for affiliates. A criminal with network access or intrusion skills can use Gunra’s tools without needing to build a complete ransomware platform from scratch.

Panel feature    Likely purpose
Negotiation      Manage ransom discussions and victim pressure
Files            Track or manage stolen data tied to victims
Lock Tool        Generate or manage ransomware payloads
Handler          Support operational control of affiliate activity
Brand Setting    Let affiliates operate under separate ransomware names

Linux variant expands Gunra’s reach

Gunra’s move into Linux targeting matters because many high-value systems run Linux. This includes servers, cloud workloads, storage systems, and virtualization environments.

Trend Micro previously reported that Gunra’s Linux variant supports up to 100 encryption threads and partial encryption, with a runtime parameter that sets how much of each file gets encrypted. It can also store the RSA-encrypted key material separately from the encrypted file contents.

These features help ransomware operators encrypt large environments faster and more selectively. They can also help attackers adapt payload behavior to specific targets.

Windows and Linux payload differences

The Windows and Linux versions show Gunra’s push toward cross-platform operations. Windows remains important for corporate endpoints and Active Directory environments, while Linux can give attackers reach into servers and infrastructure.

Trend Micro said Gunra’s Linux variant uses ChaCha20 and RSA for encryption. It appends the .ENCRT extension to encrypted files and can process directories recursively based on runtime arguments.

S2W also noted changes in Linux execution parameters, logging, encryption logic, and areas where earlier cryptographic weaknesses had been found. That suggests active development rather than one-time malware reuse.
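Partial encryption leaves a recognizable footprint on disk even before a file is renamed: the encrypted region is near-random, the rest of the file is not. The Python script below is an added illustration, not code from S2W, Trend Micro, or the Gunra operators. It measures Shannon entropy per 4 KB chunk and labels a file as plaintext, fully encrypted, or partially encrypted, and it skips formats that are legitimately high-entropy (zip, gzip, PNG, JPEG) so a sweep of a file share does not drown in false positives. The in-memory corpus is constructed, the chunk size and entropy threshold are assumed tuning values, and the "encrypted" regions are seeded random bytes standing in for ciphertext; only the .ENCRT extension comes from the Trend Micro report.

```python
import math
import random

ENCRYPTED_EXT = ".ENCRT"   # extension Trend Micro reported for the Gunra Linux variant
CHUNK_SIZE = 4096          # assumed scan granularity, not a Gunra parameter
HIGH_ENTROPY = 7.5         # bits per byte; ciphertext and random data sit near 8.0

# Magic bytes of formats that are high-entropy by design. Without this check a
# scanner flags every archive and image as "encrypted".
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify_content(data: bytes) -> str:
    """Label a file body: plaintext, fully_encrypted, partially_encrypted,
    compressed_format (skipped) or empty."""
    if data.startswith(COMPRESSED_MAGIC):
        return "compressed_format"
    ents = chunk_entropies(data)
    if not ents:
        return "empty"
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    if high == 0:
        return "plaintext"
    if high == len(ents):
        return "fully_encrypted"
    return "partially_encrypted"


def scan(files: dict) -> list:
    """files maps path -> bytes. Returns a finding for every file that either
    carries the .ENCRT extension or has encrypted-looking content, so a file
    hit mid-encryption (not yet renamed) is still reported."""
    findings = []
    for path, data in files.items():
        verdict = classify_content(data)
        ext_hit = path.endswith(ENCRYPTED_EXT)
        if ext_hit or verdict in ("fully_encrypted", "partially_encrypted"):
            findings.append({"path": path, "verdict": verdict,
                             "encrt_extension": ext_hit})
    return findings


def build_sample_files() -> dict:
    """Constructed in-memory corpus, not real victim data. Seeded random bytes
    stand in for ciphertext; the header-only case mimics partial encryption."""
    rng = random.Random(20260309)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = b"Quarterly figures, see attached spreadsheet for detail. " * 400
    return {
        "/srv/share/report.txt": text,                              # untouched
        "/srv/share/report.txt.ENCRT": noise(len(text)),            # fully encrypted, renamed
        "/srv/share/ledger.csv": noise(CHUNK_SIZE) + text[CHUNK_SIZE:],  # first 4 KB encrypted, not yet renamed
        "/srv/share/photos.zip": b"PK\x03\x04" + noise(8000),       # legitimate compressed data
    }


if __name__ == "__main__":
    for finding in scan(build_sample_files()):
        print(finding)
```

Reading every byte of a large share is expensive; in practice sample the first chunk plus a few offsets per file, and treat a jump in the share-wide count of high-entropy headers as the alert condition rather than any single file. Extensions are cheap for an affiliate to change, so the content check is the part that survives a rebrand.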

Feature                    Why it matters
Windows locker             Targets common enterprise endpoint and domain environments
Linux locker               Expands reach to servers, cloud workloads, and infrastructure
Multi-threaded encryption  Helps speed up encryption across large file sets
Partial encryption         Can encrypt files faster while still making them unusable
White-label branding       Lets affiliates create separate ransomware identities

Gunra does not appear to avoid critical sectors

Some ransomware programs publish rules that tell affiliates not to attack hospitals, critical infrastructure, or certain countries. S2W says Gunra’s internal rules do not set strict industry restrictions.

That makes the group more dangerous for a wider range of organizations. Healthcare, manufacturing, finance, public-sector, IT, and infrastructure organizations should not assume they fall outside the group’s target list.

Any country restrictions also appear flexible and may depend on the affiliate’s own location. This gives affiliates more freedom to choose victims based on access, opportunity, and potential payout.

Double extortion remains part of the pressure model

Gunra uses the modern ransomware playbook of encryption plus data theft. Victims face not only operational disruption, but also the threat of leaked files.

That model gives attackers two pressure points. They can demand payment to decrypt systems and demand payment to prevent data publication.

For companies, this means backups alone are not enough. Backups can restore operations, but they do not remove the legal, regulatory, and reputational risks from stolen data.

  • Gunra can encrypt Windows and Linux systems.
  • The group maintains a data leak site for extortion pressure.
  • Affiliates can potentially run campaigns under separate names.
  • Stolen data may be sold or leaked on dark web forums.
  • Victims may face both downtime and data exposure risks.

Why rebranded ransomware is harder to track

The Brand Setting feature gives Gunra affiliates a way to create separate public identities. That can confuse incident response and threat intelligence teams.

A victim may see a new ransomware name and assume the attack came from an unknown group. In reality, the intrusion may still share Gunra infrastructure, builder behavior, panel features, or encryption logic.

Security teams should avoid relying only on the name shown in a ransom note. They should compare malware behavior, file extensions, leak site patterns, infrastructure, negotiation style, and technical markers.

What defenders should prioritize

Organizations should treat Gunra as an evolving ecosystem, not just a single ransomware binary. That means defenders need controls for intrusion prevention, credential protection, lateral movement detection, data exfiltration, and recovery.

Because Gunra uses affiliates, intrusion methods may vary from case to case. One affiliate may rely on stolen VPN credentials, while another may use exposed remote access services, phishing, or purchased access.


The strongest defense combines patching, identity hardening, endpoint monitoring, network segmentation, dark web intelligence, and tested backups.

  1. Patch internet-facing systems, VPNs, firewalls, and remote access tools quickly.
  2. Require MFA for remote access, administrator accounts, and cloud consoles.
  3. Limit administrator privileges and review inactive accounts.
  4. Monitor for unusual data archiving and large outbound transfers.
  5. Block unauthorized remote management tools and tunneling services.
  6. Deploy EDR controls with tamper protection enabled.
  7. Segment servers and backup infrastructure from user networks.
  8. Keep offline or immutable backups and test restoration regularly.
  9. Track dark web forums for references to company data or sector targeting.
  10. Compare new ransomware brands against known Gunra technical markers.

Detection ideas for security teams

Gunra’s RaaS structure means detection should focus on behavior as much as known indicators. Affiliates may use different tools during initial access and lateral movement.

Defenders should watch for suspicious file enumeration, shadow copy deletion, backup tampering, credential dumping, unauthorized archive creation, and encryption behavior across Windows and Linux systems.

Security teams should also monitor for .ENCRT file creation, unexpected ransom notes, sudden changes to file extensions, and unusual Linux encryption activity using high thread counts.

  • Unexpected .ENCRT file extensions across shared folders or servers.
  • Large file rename bursts from one host or account.
  • Shadow copy deletion or backup service tampering.
  • Unusual access to many file shares in a short period.
  • High-volume archive creation before encryption.
  • Linux processes performing recursive file encryption.
  • Unexpected connections to Tor or dark web-related infrastructure.
  • New ransomware brands with technical overlap to Gunra.
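Two of the behaviors above (rename bursts to .ENCRT and shadow copy deletion) translate directly into rules over file and process telemetry. The following Python is an added example, not a detection shipped by S2W, Trend Micro, or any EDR vendor: it reads JSON-lines events, keeps a sliding 60-second window of .ENCRT renames per host and account, and raises one alert when the window reaches a threshold, alongside a second rule that matches well-known shadow copy deletion command lines. The events are constructed, the field names (ts, host, user, action, path, new_path, cmdline) are assumptions about an audit or EDR export, and the window and threshold are hypothetical tuning values.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".ENCRT"   # extension reported for the Gunra Linux variant
WINDOW_SECONDS = 60        # hypothetical tuning values, not Gunra-specific
RENAME_THRESHOLD = 50

# Lower-cased, whitespace-normalised command lines commonly used by ransomware
# to destroy Windows recovery points before encryption.
SHADOW_COPY_PATTERNS = (
    "vssadmin delete shadows",
    "vssadmin.exe delete shadows",
    "wmic shadowcopy delete",
    "wbadmin delete catalog",
)


def build_sample_events() -> list:
    """Constructed JSON-lines telemetry, not real logs."""
    base = datetime(2026, 3, 9, 2, 15, 0)
    events = [
        # benign rename by a user: wrong extension, never counted
        {"ts": base.isoformat(), "host": "ws-042", "user": "alice", "action": "rename",
         "path": "C:\\Users\\alice\\notes.txt", "new_path": "C:\\Users\\alice\\notes.old"},
    ]
    # 60 share files renamed to .ENCRT within 30 seconds by one service account
    for i in range(60):
        t = base + timedelta(seconds=i * 0.5)
        events.append({"ts": t.isoformat(), "host": "srv-files01", "user": "svc_backup",
                       "action": "rename", "path": f"/srv/share/doc{i}.docx",
                       "new_path": f"/srv/share/doc{i}.docx{ENCRYPTED_EXT}"})
    # recovery points wiped on a Windows endpoint a few minutes later
    events.append({"ts": (base + timedelta(minutes=5)).isoformat(), "host": "ws-042",
                   "user": "SYSTEM", "action": "process",
                   "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"})
    return [json.dumps(e) for e in events]


def detect(lines) -> list:
    """Run both rules over an iterable of JSON-lines events; return alerts in order."""
    alerts = []
    rename_windows = defaultdict(deque)   # (host, user) -> timestamps of .ENCRT renames
    burst_reported = set()                # alert once per (host, user), not per event
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "rename" and ev.get("new_path", "").endswith(ENCRYPTED_EXT):
            key = (ev["host"], ev["user"])
            window = rename_windows[key]
            window.append(ts)
            while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()          # drop renames older than the window
            if len(window) >= RENAME_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                alerts.append({"rule": "encrt_rename_burst", "host": ev["host"],
                               "user": ev["user"], "count": len(window),
                               "first_seen": window[0].isoformat()})
        elif ev["action"] == "process":
            cmd = " ".join(ev.get("cmdline", "").lower().split())
            if any(p in cmd for p in SHADOW_COPY_PATTERNS):
                alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                               "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The per-account key matters on a file server: a backup agent renames thousands of files too, but not to an extension it has never written before, and a burst keyed to one account on one host is also the fastest way to identify which credentials the affiliate is holding. Because affiliates can change the extension under the Brand Setting feature, pair this rule with a content check rather than relying on the string .ENCRT alone.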

Why Gunra’s growth matters

Gunra’s evolution shows how quickly a ransomware family can become a service-driven criminal platform. The shift from Conti-based code to a custom RaaS model gives the operators more control and gives affiliates more ways to launch attacks.

The group’s lack of strict industry exclusions also expands the risk. Organizations should not assume their sector makes them less attractive to Gunra affiliates.

For defenders, the main lesson is clear: ransomware groups now evolve like software businesses. They recruit users, build panels, support multiple platforms, adjust features, and rebrand through affiliates. Security programs need to track that ecosystem, not only the latest malware sample.

FAQ

What is Gunra ransomware?

Gunra is a ransomware group first observed in 2025. It initially used a Conti-based locker but later moved into a ransomware-as-a-service model with its own tooling, affiliate panel, and Windows and Linux payloads.

How many victims has Gunra ransomware affected?

S2W reported 32 confirmed victim organizations linked to Gunra as of March 9, 2026. Other tracking sources may show different numbers depending on leak site visibility and confirmation methods.

What changed after Gunra became a RaaS operation?

Gunra added an affiliate model, a web-based panel, negotiation and file management functions, ransomware builder features, and brand settings that can let affiliates run attacks under separate names.

Does Gunra target Linux systems?

Yes. Trend Micro analyzed a Gunra Linux variant that supports configurable multi-threaded encryption, partial encryption, and RSA-encrypted key handling. This expands the group’s reach beyond Windows environments.

How can organizations reduce the risk from Gunra ransomware?

Organizations should patch exposed systems, enforce MFA, limit privileges, monitor for data exfiltration, harden backups, enable EDR tamper protection, segment critical systems, and track new ransomware brands that may share Gunra technical markers.
