
Gunra Ransomware Expands RaaS After Conti Locker Shift
Why It Matters
Gunra’s RaaS model lowers entry barriers for cyber‑criminals, enabling rapid scaling and sector‑agnostic attacks that threaten a broader range of enterprises. The lack of targeting constraints, combined with flexible branding, makes detection and attribution increasingly difficult for defenders.
Key Takeaways
- Gunra shifted from Conti-based locker to independent RaaS model
- Affiliate panel lets partners brand ransomware and negotiate ransoms
- At least 32 victims confirmed by March 2026, attacks resurging
- No industry or geography restrictions increase attack surface across sectors
- Supports Windows and Linux; Linux version contains exploitable cryptographic flaws
Pulse Analysis
The ransomware landscape has long been dominated by a handful of mature families, but the emergence of Gunra signals a new tier of modular threat actors. After debuting in April 2025 with a Conti‑derived payload, the group abandoned the borrowed code in favor of a custom encryptor that runs on both Windows and Linux. This technical diversification, coupled with a dedicated affiliate portal, mirrors the business models of established RaaS outfits like REvil and LockBit, but with a lower profile that makes early detection harder.
Gunra’s affiliate ecosystem is designed for anonymity and flexibility. Operators provide a web‑based dashboard that handles victim negotiation and data exfiltration, and even allows affiliates to re‑brand the ransomware under unique names. Such white‑labeling dilutes threat‑intel signatures, forcing security teams to chase multiple variants that share a common backend. The absence of industry or geographic targeting rules means affiliates can pursue high‑value sectors, including healthcare and critical infrastructure, without internal approval, amplifying the group’s potential impact across the global economy.
Defenders must adapt by monitoring dark‑web forums where Gunra advertises its services and by hardening endpoints against both Windows and Linux payloads. Enhanced EDR rules that flag the specific encryption routines identified in the Linux variant can provide an early warning, while robust backup strategies remain essential to mitigate ransom pressure. As Gunra continues to recruit affiliates and refine its toolkit, organizations that invest in proactive threat‑hunting and incident‑response planning will be better positioned to neutralize this evolving RaaS threat.