Gunra Ransomware Report
2025.07.29

✅ Report Title: Overview of Gunra Ransomware Targeting South Korean Financial Institutions



✅ Executive Summary


- In July 2025, South Korean surety insurance provider SGI Seoul Guarantee fell victim to a ransomware attack attributed to the Gunra group.


- The attack led to the disruption of critical systems, resulting in the suspension of loan services and broader operational impact.



📌 What Is Gunra Ransomware?


- Gunra is a ransomware group first identified in April 2025.


- As the group had not been officially named at the time of discovery, security researchers coined the name “Gunra” based on the prefix of its leak site domain.


- The group is also referred to as the “Data Publish” group, named after the title displayed on its leak site.



📌 Key Characteristics of Gunra Ransomware


- Gunra ransomware is built on the source code of Conti v2.


- It employs dummy code for obfuscation and resolves APIs dynamically at runtime.


- All strings are encrypted through custom operations and decrypted during execution using dedicated functions.


- It creates a mutex named “34adfwefadf99439” to prevent multiple instances from running.


- The ransomware uses the GetNativeSystemInfo API to determine the number of CPU cores, then creates twice as many threads to perform encryption tasks concurrently.


- Through the GetLogicalDriveStringsW API, it enumerates all logical drives in the system, scans their directories, and filters files based on exclusion lists (file extensions, filenames, and directories). All remaining files are marked for encryption and processed by the encryption threads.


- Encryption is performed using a combination of ChaCha8 and RSA algorithms.


- The ransomware deletes volume shadow copies using the WMIC command to hinder recovery.


- It includes logic to check whether the currently running process is “Explorer,” likely to determine execution in a user environment.


- The Linux version of Gunra uses the ChaCha20 encryption algorithm, although cryptographic weaknesses have been identified in its implementation.
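As an added example (not code from the report or from S2W TALON), the Python below turns two of the indicators listed above into detection logic a defender can run over endpoint telemetry: the WMIC shadow-copy deletion and the fixed mutex name. The Sysmon-like `key=value` event format, the event lines and the handle list are constructed samples, and the `shadowcopy delete` argument form is assumed, since the report names only the tool.

```python
"""Detection helpers for two Gunra indicators named in the report:
the WMIC shadow-copy deletion and the fixed mutex name.
Event lines and handle names below are constructed samples in a
simplified Sysmon-like 'key=value' format (an assumption, not a
real capture)."""
import re

GUNRA_MUTEX = "34adfwefadf99439"  # mutex name reported for Gunra

# Match "wmic ... shadowcopy ... delete" case-insensitively, tolerating a
# full path such as C:\Windows\System32\wbem\WMIC.exe and extra arguments.
SHADOW_DELETE_RE = re.compile(
    r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)


def parse_event(line):
    """Parse 'key=value key="quoted value"' pairs into a dict."""
    return {k: v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def is_shadow_copy_deletion(cmdline):
    """True if the command line deletes volume shadow copies via WMIC."""
    return bool(SHADOW_DELETE_RE.search(cmdline))


def scan_process_events(lines):
    """Return (pid, command line) for each process-creation event whose
    command line deletes shadow copies; other event types are ignored."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if (ev.get("EventType") == "ProcessCreate"
                and is_shadow_copy_deletion(ev.get("CommandLine", ""))):
            hits.append((ev.get("ProcessId"), ev["CommandLine"]))
    return hits


def find_known_mutex(handle_names):
    """True if the Gunra mutex name appears among named-object handles
    (e.g. a live-response handle dump); the object directory prefix is ignored."""
    return any(n.rsplit("\\", 1)[-1] == GUNRA_MUTEX for n in handle_names)


SAMPLE_EVENTS = [  # constructed sample telemetry
    'EventType=ProcessCreate ProcessId=4120 Image="C:\\Windows\\System32\\wbem\\WMIC.exe" CommandLine="WMIC.exe Shadowcopy Delete"',
    'EventType=ProcessCreate ProcessId=4188 Image="C:\\Windows\\System32\\wbem\\WMIC.exe" CommandLine="wmic os get caption"',
    'EventType=ProcessCreate ProcessId=4201 Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete"',
    'EventType=NetworkConnect ProcessId=4120 CommandLine="wmic shadowcopy delete"',
]
SAMPLE_HANDLES = [  # constructed handle dump
    "\\Sessions\\1\\BaseNamedObjects\\34adfwefadf99439",
    "\\BaseNamedObjects\\SM0:1234:120:WilStaging_02",
]

if __name__ == "__main__":
    for pid, cmd in scan_process_events(SAMPLE_EVENTS):
        print(f"shadow copy deletion by pid {pid}: {cmd}")
    print("Gunra mutex present:", find_known_mutex(SAMPLE_HANDLES))
```

The mutex check is only meaningful against runtime data (handles, memory), because the report notes the binary's strings are encrypted at rest.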



🧑‍💻 Report Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request and for QUAXAR subscribers.

