
The domestic security corporation Genians announced on the 25th that it has recently confirmed the activities of a new ransomware, "Gunra," targeting both Windows and Linux operating systems. Gunra has been gradually expanding its attack range since its activities were first detected in April.

According to Genians' analysis, Gunra appears to reuse part of the leaked source code of the "Conti" ransomware, which was built by a now-defunct Russian criminal group. Conti spawned several variant ransomware families after its internal source code was made public in 2022.

Gunra uses a two-layer (hybrid) encryption scheme: file contents are encrypted with the "ChaCha20" stream cipher, and the symmetric key used for that encryption is then itself encrypted with the attackers' RSA-2048 public key. Because only the attackers hold the matching RSA private key, victims cannot recover the symmetric keys and therefore cannot decrypt their files on their own.

Genians explained that the Windows version of Gunra deletes volume shadow copies (the basis of the Windows system restore feature, which would otherwise allow earlier file versions to be restored), renames user files in bulk with a new extension, and drops a ransom note named R3adm3.txt in each folder. The Linux version is built more flexibly: command-line arguments let the operator adjust the target directory to encrypt, the file extension, and the encryption ratio.
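As an added triage example (not code from Genians or from the article), the following Python script walks a file tree for the R3adm3.txt ransom notes described above, counts affected files per folder, and tallies file extensions to surface the bulk-rename pattern; the directory layout and the ".locked" extension are constructed placeholders, since Gunra's actual extension is not given here.

```python
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "R3adm3.txt"  # note filename reported for the Windows build


def find_ransom_notes(root):
    """Return {relative_dir: count_of_other_files} for every directory under
    `root` that contains the ransom note. Mapping note locations gives a quick
    picture of the blast radius before restoring from backups."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if RANSOM_NOTE in filenames:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            hits[rel] = len(filenames) - 1  # exclude the note itself
    return hits


def extension_histogram(root):
    """Count file extensions under `root` (ransom notes excluded). One
    unfamiliar extension dominating the tree is the bulk-rename symptom."""
    counts = Counter()
    for _dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                continue
            counts[os.path.splitext(name)[1].lower() or "<none>"] += 1
    return counts


def build_sample_tree():
    """Constructed sample tree (placeholder data, not real artefacts): two
    folders hit by the rename + note pattern and one untouched folder."""
    root = tempfile.mkdtemp(prefix="gunra_triage_demo_")
    layout = {
        "docs": ["report.docx.locked", "budget.xlsx.locked", RANSOM_NOTE],
        "docs/archive": ["old.pdf.locked", RANSOM_NOTE],
        "tools": ["readme.md", "script.py"],
    }
    for rel, names in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("folders with ransom note:", find_ransom_notes(demo_root))
    print("extension histogram:", extension_histogram(demo_root))
```

On a real host, point both functions at the suspect volume root instead of the constructed tree; the extension histogram is only a heuristic and should be read alongside the note locations.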
