Gunra Ransomware Emerges with New DLS
During the first half of 2025, many ransomware groups have been actively opening new Dedicated Leak Sites (DLS). The following graph shows new ransomware DLS sites identified by AhnLab from February to June 2025. Among them, the Gunra ransomware group is particularly notable. In April 2025, the Gunra ransomware DLS was newly discovered, and AhnLab analyzed the group’s activities based on this information.
Gunra’s initial activities were identified on April 10, 2025, with its code showing notable similarities to the infamous Conti ransomware. Conti, a Russia-based group active since 2020, gained notoriety for its aggressive tactics and widespread impact. In February 2022, a Ukrainian member of the Conti ransomware group leaked the internal documents and source code in protest after the group released a statement supporting the Russian government. This leak led to the emergence of several new ransomware variants, including Black Basta and Royal, which repurposed Conti’s codebase. Gunra appears to be another group leveraging Conti’s leaked code, but with enhancements focused on speeding up negotiations and refining social engineering tactics. One of Gunra’s most distinctive strategies is its time-based pressure technique, which forces victims to begin negotiations within five days—adding urgency and psychological stress to the attack. Based on this background, this blog post describes the execution flow of Gunra ransomware.