Gunra Ransomware (Conti Variant) Targets Windows Systems with Aggressive Encryption & Shadow Copy Deletion


VTA-004527 – Gunra Ransomware (Conti Variant) Targets Windows Systems with Aggressive Encryption & Shadow Copy Deletion

The newly identified Gunra ransomware, a derivative of the notorious Conti malware, is actively targeting Windows systems through a sophisticated attack chain that begins with initial access via phishing or exploited vulnerabilities.

The Gunra ransomware runs one encryption thread per CPU core for speed, using embedded RSA keys to generate ChaCha20 session keys that encrypt files (appending the .ENCRT extension) while sparing critical system folders. It deletes Volume Shadow Copies via WMIC (cmd.exe /c wmic shadowcopy delete) to prevent recovery, issues a 5-day ultimatum on its leak site, and drops ransom notes (R3ADM3.txt) and logs (CONTI_LOG.txt), both of which serve as IOCs.

To defend against Gunra, promptly isolate infected systems and restore data using verified offline backups. Apply necessary security patches, disable WMIC and vssadmin through Group Policy, and deploy endpoint detection and response (EDR) tools to identify encryption behavior. Educate employees on phishing threats and actively monitor the dark web for potential data leaks.

Severity:
Medium

Attack Surface:
Database, Endpoint, Storage

Tactics:
Impact, Lateral Movement, Persistence

Techniques:
T1486 – Data Encrypted for Impact
T1490 – Inhibit System Recovery
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1027 – Obfuscated Files or Information

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/688671110a4360ecb6c0ea69

References:
1. https://asec.ahnlab.com/en/89206/

SuperPRO’s Threat Countermeasures Procedures:
1. Immediately scan for and quarantine files with the .ENCRT extension and R3ADM3.txt ransom notes, and alert on any execution of WMIC.exe shadowcopy delete commands.
2. Disconnect infected endpoints from networks to prevent lateral movement.
3. Recover encrypted data from offline, immutable backups after validating integrity.
4. Apply critical OS and application updates to close exploitation vectors.
5. Disable WMIC.exe and vssadmin.exe via Group Policy unless operationally required.
6. Enable behavioral detection for rapid file encryption or abnormal explorer.exe thread activity.
7. Educate employees on phishing tactics used for initial access.
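The behaviours described in the summary (shadow copy deletion through WMIC, the .ENCRT extension, the R3ADM3.txt and CONTI_LOG.txt drop files) map directly onto the detection and triage steps above. The following script is an added example written for this page, not code from the advisory or from AhnLab's analysis. It assumes process-creation events have already been exported as dicts with "image" and "command_line" keys (the shape you would get from Sysmon Event ID 1 or Security Event ID 4688 in JSON); the vssadmin pattern is included because it is the other common way to remove Volume Shadow Copies, not because the advisory cites it. The sample events and files are constructed for the demo.

```python
"""Detection and triage helpers for the Gunra behaviours described above.

Assumptions (added example code, not from the advisory or AhnLab):
  * process-creation events are dicts with "image" and "command_line" keys,
    e.g. Sysmon Event ID 1 or Security Event ID 4688 exported to JSON;
  * IOC names come from the advisory text (.ENCRT, R3ADM3.txt, CONTI_LOG.txt).
All sample events and files below are constructed for the demo.
"""
import os
import re
import tempfile

# T1490 - Inhibit System Recovery. The advisory cites
# "cmd.exe /c wmic shadowcopy delete"; the vssadmin form is the other
# common way to remove Volume Shadow Copies. Patterns are case-insensitive
# and tolerate repeated whitespace or an explicit .exe suffix.
RECOVERY_INHIBIT_RULES = {
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
}

IOC_EXTENSION = ".ENCRT"
IOC_RANSOM_NOTE = "R3ADM3.txt"
IOC_LOG = "CONTI_LOG.txt"


def is_recovery_inhibition(event):
    """Return the matching rule name, or None, for one process-creation event.

    Matching is done on the full command line rather than on the image path,
    because the advisory shows the command launched through cmd.exe /c.
    """
    cmd = event.get("command_line", "")
    for name, pattern in RECOVERY_INHIBIT_RULES.items():
        if pattern.search(cmd):
            return name
    return None


def flag_recovery_inhibition(events):
    """Return [(rule_name, event), ...] for every event that matches a rule."""
    hits = []
    for ev in events:
        rule = is_recovery_inhibition(ev)
        if rule:
            hits.append((rule, ev))
    return hits


def sweep_for_iocs(root):
    """Walk a directory tree and bucket files by the advisory's file IOCs."""
    hits = {"encrypted_files": [], "ransom_notes": [], "logs": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.upper().endswith(IOC_EXTENSION):
                hits["encrypted_files"].append(path)
            elif name == IOC_RANSOM_NOTE:
                hits["ransom_notes"].append(path)
            elif name == IOC_LOG:
                hits["logs"].append(path)
    return hits


# --- constructed sample data for the demo -------------------------------
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c wmic shadowcopy delete"},        # as cited in the advisory
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "WMIC  ShadowCopy  Delete"},                 # case/spacing variant
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},  # vssadmin form
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption"},                      # benign inventory query
    {"image": r"C:\Program Files\Backup\agent.exe",
     "command_line": "agent.exe --snapshot"},                     # benign backup agent
]


def build_sample_tree():
    """Create a throwaway directory that looks like a partly encrypted share."""
    root = tempfile.mkdtemp(prefix="gunra_demo_")
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("docs/report.docx.ENCRT", "docs/R3ADM3.txt",
                "CONTI_LOG.txt", "docs/readme.txt"):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    for rule, ev in flag_recovery_inhibition(SAMPLE_EVENTS):
        print(f"[{rule}] {ev['image']} :: {ev['command_line']}")
    demo_root = build_sample_tree()
    for bucket, paths in sweep_for_iocs(demo_root).items():
        print(f"{bucket}: {len(paths)}")
```

Two design points matter in practice. First, the command-line rule deliberately ignores the image path, so the cmd.exe /c wrapper seen in the advisory and a direct WMIC.exe launch both fire; tune the benign allow-list (backup agents, inventory scripts that query wmic os) in your own environment before alerting at high severity. Second, the file sweep is a point-in-time IOC check, which complements rather than replaces the behavioural rule for rapid file modification mentioned in step 6.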

Contributed by: Anas