A new ransomware variant named Gunra has been found targeting the Windows operating system. The malware combines multi-threaded data encryption with the deletion of system backups to stop the victim from recovering their data. Gunra was first reported in April 2025 and quickly drew attention because of its technical resemblance to Conti, the ransomware group behind a string of large-scale attacks before its internal source code was leaked.


Optimized encryption speed and deliberate target selection

As soon as it executes, Gunra spawns a number of worker threads equal to the number of logical CPU cores to speed up encryption. Each thread generates its own session key, which is protected with the RSA public key embedded in the binary, and from it generates the ChaCha20 key used to encrypt data at maximum throughput. Because only the attackers hold the matching RSA private key, the session keys cannot be recovered from the victim's machine. By using every core, Gunra completes encryption considerably faster than traditional single-threaded ransomware, shrinking the window in which detection and user response can happen.


While targeting user data, Gunra skips critical folders such as Windows, Boot and System Volume Information. It also leaves .exe, .dll and .lnk files untouched, together with files that already carry the .ENCRT extension of its own encrypted output (which keeps a second run from re-encrypting them). Notably, it does not encrypt the ransom note (R3ADM3.txt) or its log file, named CONTI_LOG.tpt, details that hint at a technical link with the infamous Conti ransomware.

(Image: the Gunra ransom note)

Wiping backups and closing the recovery path

After encrypting the data, Gunra takes the next step and closes off recovery. The ransomware deletes the system's Volume Shadow Copies. Rather than the commonly used vssadmin command, it invokes the Windows Management Instrumentation Command-line tool (WMIC) directly through cmd.exe, which shows how much control it has over the infected machine.

Code:
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={GUID}" delete

Each such call deletes one shadow copy by its ID; repeated for every copy on the system, it wipes out the Volume Shadow Copy data, the built-in Windows mechanism most often used to roll a system back after an incident such as a ransomware infection. By issuing a direct WMIC call per copy, Gunra makes sure no viable recovery path is left to the victim. With no recovery options, the victim is far more likely to seriously consider paying the ransom.
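As an added illustration (not code from the original article or from any vendor product), the Python below shows the kind of process-creation hunting rule a defender would write for the command above. It assumes telemetry shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the event records are constructed for this example, and the parent path update.exe is a hypothetical dropper. It also goes beyond the article's single case and covers the vssadmin, wbadmin and PowerShell Win32_ShadowCopy variants of the same technique.

```python
import ntpath
import re

# Command-line patterns for shadow-copy / backup-catalog deletion. The first
# one is the WMIC form described above; the rest are other common variants of
# the same technique, added to generalize the rule (they are not from the
# article). Patterns run against a lowercased, whitespace-collapsed line.
RULES = [
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wbadmin_delete_backup",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b")),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\bdelete\b")),
]

# Constructed sample events (made up for this example, not real telemetry),
# loosely shaped like Sysmon Event ID 1. The first two mirror the
# cmd.exe -> WMIC.exe chain; "update.exe" is a hypothetical dropper path.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": r'cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={GUID}" delete'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID={GUID}" delete'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},        # benign: enumeration only
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wmic.exe os get caption"},         # benign: no shadowcopy/delete
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},                    # benign
]


def normalize(cmdline: str) -> str:
    """Lowercase and collapse whitespace so case/spacing tricks do not dodge the regexes."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def classify(event: dict):
    """Return a finding for one process-creation event, or None if no rule matches."""
    cmdline = normalize(event.get("CommandLine", ""))
    for name, pattern in RULES:
        if pattern.search(cmdline):
            parent = ntpath.basename(event.get("ParentImage", "")).lower()
            return {
                "rule": name,
                "image": ntpath.basename(event.get("Image", "")),
                "parent": parent,
                # Gunra launches WMIC through cmd.exe; flag that chain explicitly.
                "via_cmd": parent == "cmd.exe",
                "command_line": event.get("CommandLine", ""),
            }
    return None


def detect(events):
    """Run every event through the rules and keep the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['image']} (parent: {finding['parent']}, "
              f"via cmd.exe: {finding['via_cmd']}): {finding['command_line']}")
```

Because Gunra deletes copies one ID at a time, a burst of several `wmic_shadowcopy_delete` findings from the same parent within a short window is a stronger signal than a single hit; enumeration-only commands such as `vssadmin list shadows` are deliberately not matched to keep the rule usable in production.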

Psychological pressure and controlled encryption

Gunra not only encrypts data but also works on the victim psychologically. After the attack, the victim is told to visit a website controlled by the attackers to receive payment instructions, and the ransom note grants only five days to open negotiations. This short deadline forces the victim to decide under stress and uncertainty. It is a familiar technique, also used by Conti, LockBit and BlackCat, to manipulate IT departments without dedicated security staff during an emergency and push them to pay before a professional incident response team can be brought in.

Gunra also encrypts selectively to improve its chances of being paid. If the system drive is C:, the ransomware only operates inside the C:\Users folder. This keeps the operating system bootable and working, so the victim can still read the ransom note and contact the attackers.
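To make the target selection concrete, here is an added Python example (not code from the original article or from the malware) that encodes both the exclusion rules listed earlier (skipped folders, skipped extensions, the ransom note and log file) and the C:\Users restriction on the system drive as one decision function. It assumes the excluded folder names are matched against every directory component of a path rather than only the drive root, which the article does not specify, and the file listing it runs on is constructed for the example.

```python
import ntpath

# Exclusion rules as described in the article; names are compared
# case-insensitively (assumption; Windows paths are case-insensitive anyway).
EXCLUDED_DIRS = {"windows", "boot", "system volume information"}
EXCLUDED_EXTS = {".exe", ".dll", ".lnk", ".encrt"}   # .ENCRT = already encrypted
EXCLUDED_NAMES = {"r3adm3.txt", "conti_log.tpt"}     # ransom note and log file


def should_encrypt(path: str, system_drive: str = "C:") -> bool:
    """Decide whether the file at `path` falls inside the described target set.

    Assumption: excluded folder names are matched against every directory
    component of the path, not only the drive root; the article does not say which.
    """
    drive, tail = ntpath.splitdrive(path)
    parts = [p for p in tail.split("\\") if p]
    if not drive or not parts:
        return False                      # relative paths and bare drive roots: ignore
    dirs, name = parts[:-1], parts[-1].lower()
    if name in EXCLUDED_NAMES:
        return False
    if ntpath.splitext(name)[1] in EXCLUDED_EXTS:
        return False
    if any(d.lower() in EXCLUDED_DIRS for d in dirs):
        return False
    # Selective encryption: on the system drive only the Users tree is touched,
    # so Windows still boots and the victim can read the note. Other drives are
    # encrypted in full, minus the exclusions above.
    if drive.upper() == system_drive.upper() and (not dirs or dirs[0].lower() != "users"):
        return False
    return True


def select_targets(paths, system_drive: str = "C:"):
    """Return the subset of `paths` that the described rules would encrypt."""
    return [p for p in paths if should_encrypt(p, system_drive)]


# Constructed file listing (made up for this example) exercising each rule.
SAMPLE_PATHS = [
    r"C:\Windows\System32\ntoskrnl.exe",           # system folder + .exe
    r"C:\Boot\BCD",                                 # system folder
    r"C:\Users\alice\Documents\budget.xlsx",        # target
    r"C:\Users\alice\Desktop\tool.exe",             # excluded extension
    r"C:\Users\alice\Desktop\shortcut.lnk",         # excluded extension
    r"C:\Users\alice\Desktop\report.docx.ENCRT",    # already encrypted
    r"C:\Users\alice\Desktop\R3ADM3.txt",           # ransom note
    r"C:\Users\alice\Desktop\CONTI_LOG.tpt",        # log file
    r"C:\ProgramData\app\config.json",              # outside Users on the system drive
    r"D:\Backups\archive.zip",                      # target: non-system drive
    r"D:\System Volume Information\tracking.log",   # system folder on a data drive
]

if __name__ == "__main__":
    for p in select_targets(SAMPLE_PATHS):
        print("would encrypt:", p)
```

For responders the useful consequence is the asymmetry between drives: on the system drive only profile data under C:\Users is at risk, while any secondary or mapped drive is encrypted wholesale, which is exactly where backups and file shares tend to live.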

Warnings and defenses

Gunra fits a broader trend in ransomware-as-a-service (RaaS) activity and the surge of dedicated leak sites in the first half of 2025. Organizations are advised to:

  • Maintain regular backups that are physically or geographically separated from production systems
  • Restrict access to backup systems
  • Run data recovery drills regularly
  • Keep security systems and endpoints up to date
  • Maintain e-mail and internal network security

The following are some of the Indicators of Compromise (IOCs) recorded for Gunra:

MD5 hash                          Description
0339269cef32f7af77ce9700ce7bf2e2  Gunra sample
3178501218c7edaef82b73ae83cb4d91  Gunra sample
7dd26568049fac1b87f676ecfaac9ba0  Gunra sample
92e11df03725e29d963d44508d41a8dd  Gunra sample
9a7c0adedc4c68760e49274700218507  Gunra sample

Gunra is more than just another ransomware variant. It represents an attack pattern in which the malware both accelerates encryption and destroys every chance of recovery. In that context, preventive controls alone are not enough; data recovery and post-attack operational continuity must become mandatory parts of every response plan.

According to Cyber Press