
CYFIRMA has released an in-depth analysis of a newly emerging cyber threat: Gunra Ransomware. This report details the ransomware’s sophisticated techniques, its impact on various sectors, and the significant risks it poses to organizations worldwide. Gunra ransomware is a relatively recent threat that targets Windows systems with a combination of advanced encryption and data exfiltration strategies. This “double-extortion” approach is a key characteristic, as the ransomware not only encrypts victims’ files but also threatens to leak stolen data on its Tor-hosted extortion site.
The analysis reveals that Gunra ransomware has cast a wide net, impacting diverse industries across the globe. Sectors such as real estate, pharmaceuticals, and manufacturing have all fallen victim to its attacks. Companies in Japan, Egypt, Panama, Italy, and Argentina are among those affected.
Gunra employs a range of malicious behaviors to infiltrate and compromise systems. These include:
- Enumerating running processes
- Deleting shadow copies via Windows Management Instrumentation (WMI)
- Retrieving system information
- Detecting debuggers
- Enumerating files
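Of the behaviours listed above, shadow-copy deletion is the one a defender can most readily catch in telemetry, because it almost always surfaces as a process-creation event with a recognisable command line. The following is an added detection example, not code from CYFIRMA or from the report: it runs a few regular expressions over constructed, simplified Sysmon-style process-creation records (JSON lines, invented for this example) and flags the ones that delete volume shadow copies, whether through WMIC, vssadmin, or a PowerShell call to the Win32_ShadowCopy class. The field names and the sample events are assumptions; the report does not say which of these paths Gunra uses beyond "via WMI".

```python
import json
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# reduced to a handful of fields). These are made-up records for this
# example, not telemetry from a real Gunra infection.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\wbem\WMIC.exe",
                "CommandLine": "wmic shadowcopy delete /nointeractive",
                "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": "vssadmin delete shadows /all /quiet",
                "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": "notepad.exe report.txt",
                "ParentImage": r"C:\Windows\explorer.exe"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell -c \"Get-WmiObject Win32_Shadowcopy | "
                               "ForEach-Object { $_.Delete() }\"",
                "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"}),
]

# Command-line shapes that remove volume shadow copies. Matching is
# case-insensitive because Windows tooling accepts any casing.
SHADOW_COPY_DELETION_PATTERNS = [
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I),
]

# Parent processes launched from user-writable staging locations deserve
# extra weight; this list is an assumption, not an indicator from the report.
SUSPICIOUS_PARENT_DIRS = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.I)


def is_shadow_copy_deletion(command_line):
    """Return True if the command line deletes volume shadow copies."""
    return any(p.search(command_line) for p in SHADOW_COPY_DELETION_PATTERNS)


def find_shadow_copy_deletions(event_lines):
    """Scan JSON-line process-creation events and return the matching ones.

    Each hit carries the image, its parent, the command line and a flag
    saying whether the parent lives in a user-writable directory.
    """
    hits = []
    for line in event_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        if event.get("EventID") != 1:
            continue
        command_line = event.get("CommandLine", "")
        if not is_shadow_copy_deletion(command_line):
            continue
        parent = event.get("ParentImage", "")
        hits.append({
            "image": event.get("Image", ""),
            "parent": parent,
            "command_line": command_line,
            "suspicious_parent": bool(SUSPICIOUS_PARENT_DIRS.search(parent)),
        })
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(hit)
```

In practice the events would come from a SIEM export or a Sysmon log forwarded as JSON; the function only depends on the three fields shown, so adapting it to another schema is a matter of renaming keys. Shadow-copy deletion has legitimate uses (backup software, storage administration), so the hit list is a triage queue rather than a verdict, which is why the parent-directory flag is attached rather than used to suppress results.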
According to the report, Gunra ransomware “employs advanced evasion and anti-analysis techniques used to infect Windows Operating systems while minimizing the risk of detection.” This includes “obfuscation of malicious activity, avoidance of rule-based detection systems, strong encryption methods, ransom demands, and warnings to publish data on underground forums.”
Once a system is infected, Gunra ransomware encrypts files and appends the “.ENCRT” extension to the filenames. For example, a file named “document.docx” would become “document.docx.ENCRT”. In each directory where files are encrypted, the ransomware drops a ransom note named “R3ADM3.txt”. This note contains instructions for victims on how to recover their files, which involves paying a ransom. The primary motive behind these attacks is financial gain.
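The two file-system indicators above, the “.ENCRT” extension and the “R3ADM3.txt” note dropped in each affected directory, are enough to write a simple post-incident sweep. What follows is an added example written for this article, not code from CYFIRMA: it walks a directory tree, collects encrypted files and ransom notes, and reports which directories were touched, so a responder can scope the damage before restoring from backup. The sample tree it builds in a temporary directory is constructed for the demonstration and contains no real data.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators stated in the CYFIRMA report.
ENCRYPTED_EXTENSION = ".ENCRT"   # appended to every encrypted file
RANSOM_NOTE_NAME = "R3ADM3.txt"  # dropped in each directory with encrypted files


def original_name(encrypted_name):
    """Recover the pre-encryption filename: document.docx.ENCRT -> document.docx."""
    name = Path(encrypted_name).name
    if not name.upper().endswith(ENCRYPTED_EXTENSION):
        raise ValueError(f"{name!r} does not carry the {ENCRYPTED_EXTENSION} extension")
    return name[:-len(ENCRYPTED_EXTENSION)]


def scan_for_gunra_indicators(root):
    """Walk `root` and collect the two indicators.

    Returns a dict with the encrypted file paths, the ransom note paths and
    the set of directories in which either indicator was seen.
    """
    encrypted, notes, affected_dirs = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # Extension match is case-insensitive: NTFS is case-preserving
            # but not case-sensitive, so ".encrt" and ".ENCRT" are the same file.
            if name.upper().endswith(ENCRYPTED_EXTENSION):
                encrypted.append(path)
                affected_dirs.add(Path(dirpath))
            elif name == RANSOM_NOTE_NAME:
                notes.append(path)
                affected_dirs.add(Path(dirpath))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(affected_dirs),
    }


def build_sample_tree():
    """Create a constructed directory tree imitating a partially affected host.

    Nothing here is real: the bytes written are placeholders, and the note
    text is the opening line quoted in the article.
    """
    root = Path(tempfile.mkdtemp(prefix="gunra_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "document.docx.ENCRT").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.ENCRT").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE_NAME).write_text("YOUR ALL DATA HAVE BEEN ENCRYPTED!\n")
    pictures = root / "Pictures"
    pictures.mkdir()
    (pictures / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # untouched file
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        result = scan_for_gunra_indicators(sample_root)
        print(f"encrypted files : {len(result['encrypted_files'])}")
        print(f"ransom notes    : {len(result['ransom_notes'])}")
        for d in result["affected_dirs"]:
            print(f"affected dir    : {d.relative_to(sample_root)}")
        for f in result["encrypted_files"]:
            print(f"  {f.name} was {original_name(f)}")
    finally:
        shutil.rmtree(sample_root, ignore_errors=True)
```

On a real host you would point scan_for_gunra_indicators at a drive root or a file share rather than the constructed tree, and run it read-only: the article notes that the ransom note itself warns against modifying files, and from a forensic standpoint the encrypted files and notes should be preserved untouched until imaging and backup restoration are complete.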
The ransom note opens with “YOUR ALL DATA HAVE BEEN ENCRYPTED!” and goes on to state, “We have dumped your sensitive business data and then encrypted your side entire data.” The note pressures victims to act quickly, stating, “You Only Have 5 Days To Contact Us!” It also warns victims against attempting to recover files themselves: “YO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.”
Gunra ransomware incorporates several techniques to evade detection and hinder analysis.
- It uses the Windows API function IsDebuggerPresent to detect whether it is being run under a debugger.
- It uses the GetCurrentProcess and TerminateProcess functions for process manipulation, privilege escalation, and anti-analysis.
CYFIRMA advises organizations to strengthen their cybersecurity posture to defend against Gunra ransomware. Key recommendations include:
- Bolstering phishing defenses
- Monitoring internal network movement
- Implementing robust backup strategies
The emergence of Gunra ransomware underscores the increasing sophistication of cyber threats. As the report concludes, “Gunra ransomware exemplifies the growing sophistication of threats within the cybersecurity landscape, showcasing advanced malicious behaviours aligned with modern ransomware campaigns.”