Gunra ransomware encryption process

AhnLab’s Threat Intelligence Platform (TIP) has been actively monitoring ransomware activities on dark web forums and marketplaces. Its Live View > Dark Web Watch feature enables security teams to track active groups, their collaborations, and emerging attack vectors, allowing organizations to strengthen their defenses proactively.

Gunra ransomware encryption processGunra ransomware encryption process

In the first half of 2025, a notable increase in Dedicated Leak Sites (DLS) was observed, with the Gunra ransomware group emerging in April 2025. This group has gained attention for its sophisticated tactics and established its DLS during this period.

Gunra ransomware encryption processGunra ransomware encryption process

Initial activities traced back to April 10, 2025, revealed code similarities to the infamous Conti ransomware, a Russia-based operation that disrupted global entities until its downfall in February 2022. Gunra appears to be a derivative of Conti, incorporating enhancements like accelerated negotiation timelines and refined social engineering tactics.