Kaspersky recently published the results of its technical analysis of a new ransomware called 'Gunra', which appears to have been used in cyber attacks targeting domestic institutions.
Gunra is a ransomware family that began operating in April 2025 and was developed from the Conti ransomware source code leaked in 2022. According to Kaspersky's analysis, about 25% of its code is structurally similar to Conti, and key features such as multi-threaded encryption, termination of security services, and network share enumeration also resemble Conti's.
Gunra uses a hybrid encryption scheme that combines ChaCha20 and RSA-2048, and it inserts a 'GRNC' identifier into the encrypted files. Its primary targets are high-value industries such as healthcare, insurance, and IT infrastructure. After infection it drops a ransom note (R3ADM3.txt) in each folder to direct victims to the negotiation site, and the note threatens to publish stolen data on the dark web if the victim does not respond.
The infection routes include phishing emails, vulnerable virtual private network (VPN) software, and access through exposed Remote Desktop Protocol (RDP). In June 2025, the American Hospital in Dubai was confirmed to have been affected, with more than 40 TB of patient information leaked.
Kaspersky recommends countermeasures including restricting RDP ports and enforcing multi-factor authentication, taking regular backups, applying the latest YARA rules in EDR and NDR solutions, and monitoring logs against indicators of compromise (IOC).
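The two host-level indicators the article names, the R3ADM3.txt ransom note and the 'GRNC' marker written into encrypted files, can be swept for directly. The following is an added example written for this article, not Kaspersky's tooling or a published YARA rule: it walks a directory tree, flags any file named R3ADM3.txt, and flags any other file that contains the GRNC byte sequence. The article does not say where in the file the marker sits, so the scan assumes nothing about its offset and searches the whole file (bounded for very large files). The sample directory it builds is constructed for demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article.
RANSOM_NOTE_NAME = "R3ADM3.txt"
FILE_MARKER = b"GRNC"

# Assumption (not stated in the article): the marker offset is unknown, so the
# whole file is searched, capped to keep the sweep bounded on very large files.
MAX_SCAN_BYTES = 64 * 1024 * 1024


def scan_directory(root):
    """Walk `root` and return paths of ransom notes and of files carrying the marker."""
    findings = {"ransom_notes": [], "marked_files": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # Filename match is the cheapest indicator; no need to read the note.
            if name == RANSOM_NOTE_NAME:
                findings["ransom_notes"].append(str(path))
                continue
            try:
                with open(path, "rb") as f:
                    data = f.read(MAX_SCAN_BYTES)
            except OSError:
                # Unreadable files (locked, permissions) are skipped, not fatal.
                continue
            if FILE_MARKER in data:
                findings["marked_files"].append(str(path))
    return findings


def summarize(findings):
    """One-line summary suitable for a log or alert title."""
    return (f"{len(findings['ransom_notes'])} ransom note(s), "
            f"{len(findings['marked_files'])} marked file(s)")


def build_sample_tree():
    """Constructed sample tree for the demo: one clean file, one note, one marked file."""
    root = tempfile.mkdtemp(prefix="gunra_demo_")
    docs = Path(root) / "docs"
    docs.mkdir()
    # Ordinary file: no indicator present.
    (docs / "report.docx").write_bytes(b"PK\x03\x04 ordinary office document")
    # Constructed stand-in for an encrypted file: opaque bytes plus the marker.
    (docs / "budget.xlsx").write_bytes(bytes(range(256)) + FILE_MARKER + bytes(16))
    # Constructed ransom note; the real note's text is not reproduced here.
    (docs / RANSOM_NOTE_NAME).write_text("(constructed note text for the demo)")
    (Path(root) / "clean.txt").write_text("nothing to see here")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_directory(sample)
    print(summarize(result))
    for category, paths in result.items():
        for p in paths:
            print(f"  [{category}] {p}")
```

In practice the root would be a mounted share or a user profile, and the findings would be shipped to the SIEM alongside the EDR telemetry the article mentions; a filename match alone is a strong signal and should page someone even if no marked files are found yet.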
Lee Hyo-eun, head of Kaspersky's Korean branch, noted, 'Gunra is not just a simple post-Conti threat, but a case showing the evolution of AI-based automated attack systems.' He added, 'The recycling and sophistication of advanced ransomware technology suggest that threats to large institutions and critical industries are likely to intensify in the future.'