Gunra Ransomware Evolves into a Major RaaS Threat with Global Impact
Since its emergence in April 2025, Gunra ransomware has rapidly transformed from a minor Conti-based operation into a sophisticated Ransomware-as-a-Service (RaaS) threat, expanding its reach across industries. Initially targeting five South Korean companies, the group has since developed its own ransomware payload, distancing itself from its Conti origins.
By March 2026, Gunra had compromised at least 32 organizations, with a notable resurgence in attacks following its shift to a RaaS model. This transition has enabled broader affiliate recruitment, fueling a rise in incidents. While early activity suggested a possible Asian origin, given consistent attack windows between 08:00 and 10:00 local time, attribution remains inconclusive due to limited data.
Gunra operates discreetly within dark web forums such as RAMP, Rehub, Tierone, and Darkforums, where it recruits affiliates, sells stolen data, and promotes its RaaS program. Unlike many RaaS groups, Gunra affiliates do not publicly disclose their involvement, though shared victim data confirms collaboration. The group’s affiliate panel offers advanced features, including negotiation tools, payload deployment, and brand customization, allowing affiliates to rebrand attacks under different names, which complicates detection and attribution.
The ransomware supports both Windows and Linux environments, with the Linux variant exhibiting notable modifications in execution, logging, and encryption. Researchers have identified cryptographic weaknesses in the Linux implementation, which could aid defensive efforts. Notably, Gunra imposes no industry or geographic restrictions, increasing the risk of indiscriminate attacks, including those on critical sectors like healthcare.
With its flexible affiliate structure and lack of targeting constraints, Gunra represents a growing threat, capable of launching widespread campaigns under multiple identities. Organizations face heightened risks as the group continues to refine its operations and expand its influence in the cybercrime ecosystem.
Source: https://gbhackers.com/gunra-ransomware-2/
S2W cybersecurity rating report: https://www.rankiteo.com/company/s2winc
Conti Communications cybersecurity rating report: https://www.rankiteo.com/company/conti-communications
"id": "S2WCON1778855087",
"linkid": "s2winc, conti-communications",
"type": "Ransomware",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'location': 'South Korea'}, {'location': 'Global'}],
 'attack_vector': 'Ransomware-as-a-Service (RaaS)',
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'date_detected': '2025-04',
 'description': 'Since its emergence in April 2025, Gunra ransomware has '
                'rapidly transformed from a minor Conti-based operation into a '
                'sophisticated Ransomware-as-a-Service (RaaS) threat, '
                'expanding its reach across industries. Initially targeting '
                'five South Korean companies, the group has since developed '
                'its own ransomware payload, distancing itself from its Conti '
                'origins. By March 2026, Gunra had compromised at least 32 '
                'organizations, with a notable resurgence in attacks following '
                'its shift to a RaaS model. The group operates discreetly '
                'within dark web forums such as RAMP, Rehub, Tierone, and '
                'Darkforums, recruiting affiliates, selling stolen data, and '
                'promoting its RaaS program. The ransomware supports both '
                'Windows and Linux environments and imposes no industry or '
                'geographic restrictions, increasing the risk of '
                'indiscriminate attacks.',
 'impact': {'data_compromised': True, 'systems_affected': ['Windows', 'Linux']},
 'initial_access_broker': {'data_sold_on_dark_web': True},
 'motivation': 'Financial gain',
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Gunra'},
 'references': [{'source': 'Dark web forums (RAMP, Rehub, Tierone, '
                           'Darkforums)'}],
 'threat_actor': 'Gunra ransomware group',
 'title': 'Gunra Ransomware Evolves into a Major RaaS Threat with Global '
          'Impact',
 'type': 'Ransomware'}