{"id":39337,"date":"2025-07-26T18:45:14","date_gmt":"2025-07-26T18:45:14","guid":{"rendered":"https:\/\/www.newsbeep.com\/us\/39337\/"},"modified":"2025-07-26T18:45:14","modified_gmt":"2025-07-26T18:45:14","slug":"new-gunra-ransomware-attacking-windows-computers-to-encrypt-files-and-deletes-shadow-copies","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/us\/39337\/","title":{"rendered":"New Gunra Ransomware Attacking Windows Computers to Encrypt Files and Deletes Shadow Copies"},"content":{"rendered":"

\"New<\/a><\/p>\n

The recently uncovered Gunra ransomware is the family to weaponize leaked Conti source code, unleashing rapid-fire double-extortion attacks against Windows endpoints worldwide.<\/p>\n

First seen on dark-web leak sites in April 2025, Gunra moves with blistering speed, pressuring victims to negotiate within five days and threatening public data dumps to multiply the pain.<\/p>\n

Unlike spray-and-pray spam campaigns, the operators favor hands-on intrusion<\/a>, typically breaching networks through stolen RDP credentials or unpatched VPN gateways before pivoting laterally to domain controllers.<\/p>\n


\n\"Google<\/a><\/p>\n

Once administrative footholds are secured, the malware is pushed to dozens of machines in minutes via PsExec or Group Policy, triggering simultaneous encryption that hobbles business operations.<\/p>\n

ASEC analysts noted<\/a> that more than a dozen enterprises across manufacturing, healthcare, and logistics reported interruptions traced to Gunra in its first three months of activity.<\/p>\n

Internally, the strain mirrors Conti\u2019s multithreaded model: it spawns as many encryption threads as there are logical CPU cores, maximizing disk throughput while minimizing dwell time.<\/p>\n

\"\"\/Creating an RSA key (Source \u2013 ASEC)<\/p>\n

Each thread generates an RSA-2048 key embedded in the binary to derive a ChaCha20 session key for file scrambling, then appends the \u201c.ENCRT\u201d extension.<\/p>\n

Crucially, the Trojan skips executable, driver, and system files to preserve OS stability, ensuring victims can still read the ransom note \u201cR3ADM3.txt\u201d left in every directory.<\/p>\n

\"\"\/Deleting the volume shadow copy (Source \u2013 ASEC)<\/p>\n

Gunra\u2019s parting shot is a surgical removal of Windows Shadow Copies. By driving WMI through WMIC, it enumerates every snapshot and deletes them via the following command:-<\/p>\n

cmd.exe \/c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where “ID={GUID}” delete<\/p>\n

Infection Mechanism<\/p>\n

At launch, Gunra creates a unique mutex, then calls GetNativeSystemInfo to size its thread pool.<\/p>\n

\"\"\/Creating a thread (Source \u2013 ASEC)<\/p>\n

If the host sports 16 CPU cores, the malware<\/a> spawns 16 encryption routines, each carving 5 MB file chunks to feed the fn_FileCrypt function that wraps the ChaCha20 rounds shown below:-<\/p>\n

for(int j=8;j>0;j-=2){
\n v7+=v11;
\n v19=((v7^v19)>>16)|((v7^v19)>20)|((v15^v11)<<12);
\n \/* \u2026additional quarter-rounds\u2026 *\/
\n}<\/p>\n

Because the RSA public key is hard-coded and never leaves memory, network traffic remains minimal, preventing perimeter-based detection.<\/p>\n

Endpoint defenses must therefore monitor<\/a> abnormal thread fan-out and aggressive WMIC shadow-copy deletions to spot Gunra before backups vanish.<\/p>\n

Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis->\u00a0Try ANY.RUN now<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"The recently uncovered Gunra ransomware is the family to weaponize leaked Conti source code, unleashing rapid-fire double-extortion attacks…\n","protected":false},"author":2,"featured_media":39338,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[46],"tags":[191,74],"class_list":{"0":"post-39337","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-computing","8":"tag-computing","9":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts\/39337","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/comments?post=39337"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts\/39337\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/media\/39338"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/media?parent=39337"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/categories?post=39337"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/tags?post=39337"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}