Inside the Ecosystem & Operations: Gunra Ransomware Group
2026.05.13

✅ Report Title: Inside the Ecosystem & Operations: Gunra Ransomware Group



✅ Executive Summary:


📌 Who Is the Gunra Ransomware Group?


- Since its first discovery in April 2025, Gunra ransomware has attracted attention by attacking five South Korean companies.


- When Gunra ransomware was first discovered, it utilized Conti-based ransomware. However, after transitioning to a RaaS (Ransomware-as-a-Service) model, the group developed and utilized its own ransomware.


- As of March 9, 2026, a total of 32 companies have been confirmed to have suffered damage from Gunra ransomware.

  - In the second half of 2025, the group's activity level showed a decreasing trend. However, after expanding into the RaaS ecosystem, activity increased again. 


Figure: Gunra's DLS

📌 Activity Patterns


- Analysis of Gunra Operator activity patterns shows concentrated activity between 08:00 and 10:00.


- While most activity aligns with business hours in Asia, the limited sample size makes it difficult to definitively determine the Operator's actual location or country.


- Gunra operates exclusively on dark web forums where ransomware-related activities are permitted and conducts minimal promotional activities.

  - Gunra is active on dark web forums such as RAMP, Rehub, Tierone, and Darkforums.

  - The group promotes its RaaS program on dark web forums, recruits affiliates and pentesters, and sells compromised data.

  - A user who posted data belonging to the same victim company as the Operator was identified and is presumed to be a Gunra Affiliate.
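The activity-pattern analysis summarized above (an hour-of-day histogram of operator posts, a peak window, and a caveat about sample size) can be reproduced with a few lines of code. The following Python is an added example written for this page, not code from the S2W report, and the post timestamps, the business-hours range (08:00 to 18:00 local) and the 30-post minimum sample are constructed or assumed values. It also shows why the report's caution is warranted: a peak at 23:00 to 01:00 UTC fits morning business hours at UTC+9 just as well as late afternoon at UTC-8, so the peak alone does not pin down a location.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of UTC post timestamps for one forum persona.
# Illustrative values only; not data from the S2W report.
SAMPLE_POSTS_UTC = [
    "2025-05-02T23:12:00Z", "2025-05-02T23:47:00Z", "2025-05-03T00:05:00Z",
    "2025-05-05T00:30:00Z", "2025-05-06T23:58:00Z", "2025-05-07T00:41:00Z",
    "2025-05-08T01:10:00Z", "2025-05-09T23:20:00Z", "2025-05-12T00:15:00Z",
    "2025-05-13T07:45:00Z", "2025-05-14T00:02:00Z", "2025-05-15T22:50:00Z",
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into a tz-aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def hour_histogram(timestamps):
    """Posts per UTC hour, as {hour: count} with all 24 hours present (zeros included)."""
    counts = Counter(parse_utc(ts).hour for ts in timestamps)
    return {h: counts.get(h, 0) for h in range(24)}


def peak_window(hist, width=2):
    """Start hour and post count of the densest `width`-hour window; wraps past midnight."""
    best_start, best_count = 0, -1
    for start in range(24):
        count = sum(hist[(start + i) % 24] for i in range(width))
        if count > best_count:
            best_start, best_count = start, count
    return best_start, best_count


def candidate_utc_offsets(start_hour, width=2, work_start=8, work_end=18):
    """Whole-hour UTC offsets under which the entire peak window lies inside local
    business hours. Several offsets usually fit, which is the attribution ambiguity."""
    fits = []
    for offset in range(-12, 15):
        local_start = (start_hour + offset) % 24
        if work_start <= local_start and local_start + width <= work_end:
            fits.append(offset)
    return fits


def sample_is_sufficient(n_posts, min_posts=30):
    """Assumed analyst threshold (not from the report): below it the peak is indicative only."""
    return n_posts >= min_posts


def profile(timestamps, width=2):
    """Full activity profile: histogram peak, share of posts in the peak, fitting offsets."""
    hist = hour_histogram(timestamps)
    start, count = peak_window(hist, width)
    return {
        "n_posts": len(timestamps),
        "peak_start_utc": start,
        "peak_count": count,
        "peak_share": round(count / len(timestamps), 2),
        "candidate_offsets": candidate_utc_offsets(start, width),
        "sufficient_sample": sample_is_sufficient(len(timestamps)),
    }


if __name__ == "__main__":
    print(profile(SAMPLE_POSTS_UTC))
```

With the constructed data the peak window starts at 23:00 UTC and holds 9 of 12 posts, but both UTC+9 through UTC+14 and UTC-12 through UTC-7 place that window inside business hours, and the sample is below the assumed threshold, so the output should be read as a weak indicator rather than a location claim.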


📌 Other Related Group


- No Gunra affiliate has directly disclosed their affiliation with Gunra. However, there have been confirmed cases where a user posted data from the same victim company as the Operator, indirectly indicating that the user is a Gunra affiliate.


📌 Affiliate Infiltration Findings


- The features provided in Gunra's panel were identified.

  - There are no restrictions on target industries in Gunra's internal rules, and prohibited target countries are presumed to be applied flexibly depending on the affiliate's country of origin.

  - It was confirmed that the panel includes functions such as Negotiation, Files, Lock Tool, Handler, and Brand Setting, and that the Operator directly participates in the negotiation process.



📌 Binary Analysis


- The builder included in the Gunra panel provides build functionality targeting both Windows and Linux operating systems.


- The Windows version was confirmed to be the same as the sample analyzed in the previous report, whereas the Linux version changed the execution parameters, the log output function, the encryption algorithm, and the parts that contained cryptographic vulnerabilities.



✅ Recommended Threat Detection and Mitigation Actions:


- The Gunra group promotes its RaaS program and recruits affiliates on dark web forums, and sells leaked data of victim companies, so continuous monitoring of the dark web is necessary.


- Unlike other RaaS groups that exclude hospitals or critical infrastructure facilities from their attack targets, Gunra does not set separate prohibited target industries, so greater caution is needed due to the potentially wider scope of damage.


- Gunra ransomware allows affiliates to create and operate under their own brands, so continuous monitoring is recommended as new ransomware groups based on Gunra ransomware may emerge.



🧑‍💻 Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request or with a subscription to the S2W platform.

