Gunra Ransomware Advisory for Windows

Kaustubh Sharma

Overview

Gunra ransomware is a sophisticated threat targeting Windows systems, leveraging rapid, multi-threaded file encryption and systematic deletion of Volume Shadow Copies to maximize impact and hinder recovery. It is derived from the Conti ransomware codebase and is known for targeting user data, appending the .ENCRT extension, and dropping ransom notes named R3ADM3.txt. Gunra avoids encrypting critical system files and directories to maintain system operability but focuses on user data for maximum leverage. The malware is distributed via compromised RDP credentials, unpatched VPNs, and phishing, and has been observed in multiple sectors globally.


Technical Description

  • Encryption: Encrypts files with ChaCha20 symmetric encryption, using session-specific RSA-2048 keys. Spawns one encryption thread per logical CPU core for rapid encryption.

  • File Targeting: Encrypts files in user directories, avoids system files (.exe, .dll, .sys) and directories (Windows, Boot, Recycle.Bin).

  • Shadow Copy Deletion: Executes WMIC commands to delete Volume Shadow Copies, e.g.,
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID={GUID} delete

  • Indicators of Compromise (IoCs):

    • Files with .ENCRT extension

    • Presence of R3ADM3.txt and CONTI_LOG.txt

    • Unusual WMIC.exe and cmd.exe executions for shadow copy deletion

    • High CPU/thread usage by unknown processes

Distribution: Initial access via compromised RDP credentials, unpatched VPNs, and phishing; encryption targets the C:\Users directory tree on the C: drive.


Impact

  • Data Loss: Rapid encryption of user data with little chance of recovery due to shadow copy deletion.

  • Operational Disruption: Potential downtime and loss of access to critical files.

  • Double Extortion: Threat of data leak if ransom is not paid.

  • Recovery Challenges: Reliance on shadow copies is ineffective; only robust, offline, or immutable backups can ensure recovery.

  • Reputational and Financial Damage: Data leaks and downtime can result in regulatory, legal, and financial consequences.


1. Backup & Recovery

  • Implement 3-2-1-1 Backup Strategy:

    • 3 copies of data, 2 different media, 1 offsite, 1 immutable (write-once-read-many).
  • Offline/Immutable Backups:

    • Store at least one backup offline or in immutable storage (e.g., cloud object lock).
  • Test Restores Regularly:

    • Perform regular backup restoration drills to ensure recoverability.
  • Restrict Backup Access:

    • Limit network access to backup repositories; use network segmentation and MFA for backup admin access.

2. System Hardening & Monitoring

  • Patch Management:

    • Apply all OS and application security patches promptly.
  • Disable Unnecessary Services:

    • Especially RDP, unless absolutely required; restrict remote access via VPN with MFA.
  • Restrict WMI and Admin Tools:

    • Limit use of WMIC, PsExec, PowerShell remoting; use AppLocker/WDAC to block unknown executables, especially in user directories.
  • Network Segmentation:

    • Isolate critical servers and restrict lateral movement.
  • Principle of Least Privilege:

    • Remove unnecessary admin rights and unused accounts.

3. Endpoint Protection

  • Enable EDR/AV with Behavioral Detection:

    • Ensure endpoint protection is up-to-date and configured for ransomware detection.
  • Controlled Folder Access:

    • Enable in Microsoft Defender to block unauthorized file modifications.
  • Attack Surface Reduction (ASR) Rules:

    • Block execution from temp/user directories and prevent process creation from PsExec/WMI.

4. Security Hygiene

  • User Awareness Training:

    • Regular phishing simulations and security training.
  • Credential Security:

    • Enforce strong passwords, MFA, and monitor for credential dumping.
  • Incident Response Plan:

    • Update and test IR playbooks for ransomware scenarios.

5. Detection & Response

  • Monitor for IoCs:

    • .ENCRT files, ransom notes, WMIC shadow copy deletion commands.
  • Implement Detection Rules:

    • Sigma: Detect WMIC shadow copy deletion (matches both the short "shadowcopy delete" form and the "shadowcopy where ID={GUID} delete" form shown above)

      title: WMIC Shadow Copy Deletion
      description: Detects wmic.exe invoked with shadowcopy and delete arguments, as used to remove Volume Shadow Copies before encryption
      logsource:
        category: process_creation
        product: windows
      detection:
        selection:
          Image|endswith: '\wmic.exe'
          CommandLine|contains|all:
            - 'shadowcopy'
            - 'delete'
        condition: selection
      falsepositives:
        - Administrators deliberately cleaning up shadow copies
      level: high

    • YARA: Detect ransom note artifacts (the MZ check scopes the rule to PE binaries that embed the note name or extension, not to the dropped note file itself)

      rule GunraRansomwareArtifacts {
        meta:
          description = "PE files embedding the Gunra ransom note name or encrypted-file extension"
        strings:
          $note = "R3ADM3.txt" ascii wide nocase
          $ext = ".ENCRT" ascii wide nocase
        condition:
          // 0x5A4D is the 'MZ' DOS header: only scan executables, reducing hits on benign documents
          uint16(0) == 0x5A4D and ($note or $ext)
      }

SOC Readiness: Integrate IoCs and rules into SIEM/EDR for alerting and threat hunting.
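The same detection logic expressed as code a SOC could drop into a log-enrichment or hunting pipeline, as an added example that is not part of the original advisory. It applies the Sigma conditions (wmic.exe image, "shadowcopy" and "delete" anywhere in the command line) to constructed Sysmon-style process events, checks file paths for the .ENCRT extension and ransom note names, and correlates which parent process launched the deletion; all event and path values are constructed samples and the GUID is a placeholder.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1-style process events (not real telemetry); GUID is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID={PLACEHOLDER-GUID} delete"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "CommandLine": "wmic  shadowcopy  delete"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},                 # benign wmic use: must not alert
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c echo shadowcopy delete"},  # keywords but wrong image: must not alert
]
# Constructed sample file paths, as an EDR file-event feed might report them.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.ENCRT",
    r"C:\Users\alice\Documents\R3ADM3.txt",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
]
ENCRYPTED_EXT = ".encrt"
RANSOM_NOTES = {"r3adm3.txt", "conti_log.txt"}

def is_wmic_shadowcopy_delete(event):
    """Sigma-equivalent check: wmic.exe image plus 'shadowcopy' and 'delete' in any order, case-insensitive."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\wmic.exe") and "shadowcopy" in cmd and "delete" in cmd

def file_ioc(path):
    """Return 'encrypted' for .ENCRT files, 'ransom_note' for the note files, else None."""
    name = PureWindowsPath(path).name.lower()   # handles backslash paths on any host OS
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    return "ransom_note" if name in RANSOM_NOTES else None

def triage(events, paths):
    """Correlate both signals: which parent launched the deletion, and which file IoCs were seen."""
    shadow_hits = [(e["ParentImage"], e["CommandLine"]) for e in events if is_wmic_shadowcopy_delete(e)]
    file_hits = {}
    for p in paths:
        kind = file_ioc(p)
        if kind:
            file_hits.setdefault(kind, []).append(p)
    return {"shadowcopy_delete": shadow_hits, "files": file_hits}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, SAMPLE_PATHS).items():
        print(key, value)
```

Note that when WMIC is launched through cmd.exe /c as in the command above, the child wmic.exe process still produces its own process-creation event, so the image check on wmic.exe is the right place to alert, and the ParentImage field tells you what drove it.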


  • Positive:

    • Significantly reduces risk of successful ransomware attack and data loss.

    • Ensures business continuity and regulatory compliance.

    • Improves overall security posture and incident response readiness.

  • Negative/Considerations:

    • May require investment in backup infrastructure and EDR solutions.

    • Application control and network segmentation may disrupt legacy workflows if not tested thoroughly.

    • Restricting admin tools and services could impact IT operations; phased implementation and testing are advised.

    • Increased user training and awareness programs require ongoing commitment.


In summary:

Immediate action is required to implement robust, multi-layered defenses against Gunra ransomware. Focus on immutable/offline backups, system hardening, endpoint protection, and continuous monitoring. Regularly test all controls and ensure your incident response plan is up-to-date and actionable.

