Evolution From Conti Based Locker to RaaS
Gunra ransomware first appeared in April 2025 with targeted attacks against five companies in South Korea. At that stage, the group relied on a ransomware locker built from Conti code. Attack activity was concentrated during Asian business hours, with operators showing bursts of activity in the mornings. However, the group has since shifted away from the Conti based approach and transitioned fully into a Ransomware as a Service model. Under this structure, affiliates rent the tools and infrastructure while sharing profits from each successful attack. Researchers from S2W tracked a surge in campaigns once new affiliates joined the program, reversing a slowdown seen in late 2025.
Scope and Operational Patterns
As of March 2026, researchers have confirmed 32 victim organizations across multiple sectors. The group maintains a deliberately low public profile. Operators conduct nearly all activity through dark web forums such as RAMP, Rehub, Tierone, and Darkforums. These spaces are used to recruit affiliates, hire penetration testers, and sell stolen data. Unlike some ransomware programs that prohibit targeting hospitals or critical infrastructure, Gunra imposes no such restrictions on its partners. This absence of targeting boundaries means the potential for harm spans many industries. Analysts warn that new ransomware brands may emerge that are technically Gunra operating under a different name, making tracking and attribution more difficult for defenders.
Source: Cyber Security News
