Detecting Gunra ransomware with Wazuh

Wazuh 4.13.0

Gunra ransomware is a recently identified threat that has been observed targeting Windows endpoints across multiple industries worldwide, including manufacturing and energy sectors. Known for its encryption capabilities and exfiltration tactics, the ransomware follows a double-extortion model, encrypting victim data while simultaneously threatening to leak stolen information on its Tor-hosted leak site. Gunra’s malicious behavior includes enumerating running processes, deleting shadow copies through Windows Management Instrumentation (WMI), gathering system details, and detecting debuggers to evade analysis.

The Gunra ransomware has expanded attacks to healthcare, electronics, and beverage firms. Its new variant appends .encrt to files and drops r3adm3.txt ransom notes, warning victims their data is encrypted and stolen, with leaks threatened in five days. Victims are directed to a Tor-based portal for ransom negotiations, underscoring the group’s double-extortion tactics.

In this blog post, we illustrate how organizations can detect and respond to Gunra ransomware on infected Windows endpoints.

Gunra ransomware behavior

Gunra ransomware exhibits several behaviors when it infects a Windows endpoint. These behaviors include the following:

  • The ransomware drops a ransom note file named “R3ADM3.txt” in every directory where the ransomware encrypts files.
  • It encrypts the victim’s files and appends the extension “.ENCRT” to them. 
  • It deletes available shadow copies using both the Volume Shadow Copy Service (VSS) and Windows Management Instrumentation (WMI) to hinder recovery and restoration from backups.
  • It attempts to stop or disable backup and AV-related services before mass encryption.
  • It communicates via Tor portals to negotiate ransom and hide the attacker’s identity.

Analyzed samples

Hash (SHA256)
a82e496b7b5279cb6b93393ec167dd3f50aff1557366784b25f9e51cb23689d9
854e5f77f788bbbe6e224195e115c749172cd12302afca370d4f9e3d53d005fd

Infrastructure

We use the following infrastructure to demonstrate the detection of Gunra ransomware with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.13.0, which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 11 victim endpoint with the Wazuh agent 4.13.0 installed and enrolled to the Wazuh server.

Detection with Wazuh

Configuration

We use Sysmon to enhance visibility into system events and create custom detection rules on the Wazuh server to identify the malicious behavior associated with Gunra ransomware.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture Sysmon events and send them to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred directory. 

3. Download the Sysmon configuration file sysmonconfig.xml using PowerShell as an administrator. Replace <SYSMON_EXECUTABLE_PATH> with the directory path to your Sysmon executable.

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Navigate to the folder containing the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Add the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file within the <ossec_config> block to capture and forward Sysmon event logs to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name wazuh

Wazuh dashboard

Perform the following steps on the Wazuh dashboard to configure the Wazuh server for Gunra ransomware detection.

Create custom rules

Perform the steps below on the Wazuh dashboard to create and configure custom rules for processing and monitoring logs generated from the Windows endpoint.

1. Navigate to Server management > Rules.

2. Click + Add new rules file.


3. Copy and paste the rules below and name the file gunra_ransomware_rules.xml. Click Save.

<group name="gunra,ransomware,">

<!-- Ransom note file creation -->
  <rule id="100601" level="15" timeframe="100" frequency="2"  ignore="100">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.Image" type="pcre2">[^"]+\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">[^"]*R3ADM3\.txt</field>
    <description>Possible Gunra ransomware activity detected: Multiple ransom notes dropped in $(win.eventdata.targetFilename)</description>
    <mitre>
        <id>T1543.003</id>
        <id>T1486</id> 
    </mitre>
  </rule>

<!-- Antimalware Scan Interface Access Modification -->

  <rule id="100602" level="7">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">C:\\\\Windows\\\\System32\\\\VSSVC\.exe</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\\\Windows\\\\System32\\\\amsi\.dll</field>
    <description>Possible ransomware activity detected: Suspicious Volume Shadow copy Service (VSS) loaded amsi.dll for tampering and evasion attempt.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.001</id>
    </mitre>
  </rule>

  <rule id="100603" level="7">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(C:\\\\Windows\\\\SystemApps\\\\Microsoft\.Windows\.AppRep\.ChxApp_cw5n1h2txyewy\\\\CHXSmartScreen\.exe)</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\\\Windows\\\\System32\\\\urlmon\.dll</field>
    <description>Possible ransomware activity detected: Urlmon.dll was loaded, indicating network reconnaissance.</description>
    <mitre>
        <id>T1562.001</id>
    </mitre>
  </rule>

<!-- Volume Shadow copy Service (VSS) deletion -->
  <rule id="100604" level="7">
    <if_sid>60103</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">Backup Operators</field>
    <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-551</field>
    <field name="win.eventdata.callerProcessName" type="pcre2">C:\\\\Windows\\\\System32\\\\VSSVC\.exe</field>
    <description>Possible Gunra ransomware activity detected: Volume Shadow copy Service (VSS) deletion attempts, gearing up to disable backups.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>

  <rule id="100605" level="7">
    <if_sid>60103</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">Administrators</field>
    <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-544</field>
    <field name="win.eventdata.callerProcessName" type="pcre2">C:\\\\Windows\\\\System32\\\\VSSVC\.exe</field>
    <description>Possible Gunra ransomware activity detected: Volume Shadow Copy Service (VSS) shadow deletion attempt, gearing up to disable local admin accounts</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>

</group>

Where:

  • Rule ID 100601 is triggered when a Gunra ransomware ransom note R3ADM3.txt is created.
  • Rule ID 100602 is triggered when a suspicious Volume Shadow Copy Service (VSS) loads amsi.dll for tampering and evasion attempts.
  • Rule ID 100603 is triggered when urlmon.dll is loaded, indicating network reconnaissance.
  • Rule ID 100604 is triggered when Volume Shadow Copy Service (VSS) deletion is attempted, gearing up to disable backups.
  • Rule ID 100605 is triggered when Volume Shadow Copy Service (VSS) deletion is attempted, gearing up to disable local admin accounts.

4. Click Reload to apply the changes.
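To see how the frequency, timeframe and ignore attributes of rule 100601 behave, here is an added Python model (not part of the original post and not Wazuh's code) that applies the rule's two pcre2 patterns to constructed Sysmon FileCreate events and reports when the rule would fire. The event layout, timestamps and the ransomware path are assumptions, and the correlation is a simplification of Wazuh's own counting.

```python
import re
from datetime import datetime, timedelta

# Field patterns copied from rule 100601; for these expressions Python's re
# module and Wazuh's pcre2 engine agree.
IMAGE_RE = re.compile(r'[^"]+\.exe')
TARGET_RE = re.compile(r'[^"]*R3ADM3\.txt')
FREQUENCY = 2       # frequency="2": matching events needed inside the window
TIMEFRAME = 100     # timeframe="100": window length in seconds
IGNORE = 100        # ignore="100": suppress repeat alerts for this many seconds

def matches_100601(event):
    """Field conditions of rule 100601 on one decoded Sysmon event. The parent
    rule 61613 (Sysmon event 11, FileCreate) is modelled as an eventID check."""
    win = event.get("win", {})
    data = win.get("eventdata", {})
    return (win.get("system", {}).get("eventID") == "11"
            and IMAGE_RE.search(data.get("Image", "")) is not None
            and TARGET_RE.search(data.get("targetFilename", "")) is not None)

def correlate(events):
    """Simplified frequency/timeframe/ignore correlation over a time-ordered
    list of (timestamp, event); returns the timestamps at which the rule fires."""
    fired, window, ignore_until = [], [], None
    for ts, event in events:
        if not matches_100601(event):
            continue
        if ignore_until is not None and ts < ignore_until:
            continue                                  # inside the ignore period
        window = [t for t in window if ts - t <= timedelta(seconds=TIMEFRAME)]
        window.append(ts)
        if len(window) >= FREQUENCY:
            fired.append(ts)
            ignore_until = ts + timedelta(seconds=IGNORE)
            window = []
    return fired

def sysmon_file_create(image, target):
    """Constructed decoded Sysmon event 11 in Wazuh's win.* field layout."""
    return {"win": {"system": {"eventID": "11"},
                    "eventdata": {"Image": image, "targetFilename": target}}}

T0 = datetime(2025, 9, 1, 10, 0, 0)
RANSOMWARE = r"C:\Users\victim\AppData\Local\Temp\gunra.exe"   # assumed path
SAMPLE_EVENTS = [   # constructed, time-ordered sample
    (T0, sysmon_file_create(RANSOMWARE, r"C:\Users\victim\Documents\R3ADM3.txt")),
    (T0 + timedelta(seconds=20), sysmon_file_create(r"C:\Windows\notepad.exe", r"C:\Users\victim\Desktop\notes.txt")),
    (T0 + timedelta(seconds=45), sysmon_file_create(RANSOMWARE, r"C:\Users\victim\Pictures\R3ADM3.txt")),
    (T0 + timedelta(seconds=60), sysmon_file_create(RANSOMWARE, r"C:\Users\victim\Music\R3ADM3.txt")),
    (T0 + timedelta(seconds=400), sysmon_file_create(RANSOMWARE, r"C:\Users\victim\Videos\R3ADM3.txt")),
    (T0 + timedelta(seconds=420), sysmon_file_create(RANSOMWARE, r"C:\Users\victim\Downloads\R3ADM3.txt")),
]

if __name__ == "__main__":
    for ts in correlate(SAMPLE_EVENTS):
        print(f"{ts:%Y/%m/%d %H:%M:%S} rule 100601 fired")
```

The single note at 10:00:00 does not fire on its own; the second within 100 s does, the one at 10:01:00 is swallowed by the ignore period, and the pair at 10:06:40 and 10:07:00 fires again.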


Detection results

The alerts below are generated on the Wazuh dashboard when Gunra ransomware is executed on a Windows endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.

1. Navigate to Agents management > Summary and select the Windows agent.

2. Click on Threat Hunting and select the Events tab.

3. Click + Add filter. Then select rule.groups in the Field field and is one of in the Operator field.

4. Add the filters gunra and ransomware in the Values field.

5. Click Save.

Figure 1 – Detection alerts generated on the Wazuh dashboard

VirusTotal integration

VirusTotal is a platform that aggregates multiple antivirus products and online scan engines to detect security threats. It provides an API that allows users to query URLs, IP addresses, domains, or file hashes for threat analysis. By integrating VirusTotal with Wazuh, you can configure Wazuh to automatically send file hashes of newly created or modified files on monitored endpoints to the VirusTotal API for real-time threat detection.

For this integration, we configure the Wazuh File Integrity Monitoring (FIM) module and VirusTotal to detect and scan files that are added or modified in specific directories on the Windows endpoint. Additionally, we configure the Wazuh Active Response module to automatically delete the files that VirusTotal identifies as malicious.

Windows endpoint

  1. Add the following configuration within the <syscheck> block in the C:\Program Files (x86)\ossec-agent\ossec.conf file to monitor for changes. In this blog post, we configure the FIM module to monitor the Downloads folder for all users.
<directories realtime="yes">C:\Users\*\Downloads</directories>
  2. Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:
> Restart-Service -Name wazuh

Active Response Python script configuration

We create an active response script to remove any known variant of Gunra ransomware immediately after VirusTotal identifies it as a threat.

  1. Create a Wazuh Active Response script, remove-threat.py, on the Windows endpoint with the following content:
Warning: This script is a proof of concept (PoC). Review and validate it to ensure it meets the operational and security requirements of your environment
# Copyright (C) 2015-2025, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime
import stat
import tempfile
import pathlib

if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1

class message:
    def __init__(self):
        self.alert = ""
        self.command = 0

def write_debug_file(ar_name, msg):
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg +"\n")

def setup_and_check_message(argv):
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    msg_obj = message()
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        msg_obj.command = OS_INVALID
        return msg_obj

    msg_obj.alert = data
    command = data.get("command")

    if command == "add":
        msg_obj.command = ADD_COMMAND
    elif command == "delete":
        msg_obj.command = DELETE_COMMAND
    else:
        msg_obj.command = OS_INVALID
        # command may be None when the key is missing, so convert before concatenating
        write_debug_file(argv[0], 'Not valid command: ' + str(command))

    return msg_obj

def send_keys_and_check_message(argv, keys):
    keys_msg = json.dumps({"version": 1,"origin":{"name": argv[0],"module":"active-response"},"command":"check_keys","parameters":{"keys":keys}})
    write_debug_file(argv[0], keys_msg)

    print(keys_msg)
    sys.stdout.flush()

    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID

    action = data.get("command")
    if action == "continue":
        return CONTINUE_COMMAND
    elif action == "abort":
        return ABORT_COMMAND
    else:
        write_debug_file(argv[0], "Invalid value of 'command'")
        return OS_INVALID

def secure_delete_file(filepath_str, ar_name):
    filepath = pathlib.Path(filepath_str)

    # Reject NTFS alternate data streams: a colon anywhere past the drive
    # letter (file.exe:stream or ::$DATA) would name a stream, not the file
    if ':' in filepath_str[2:]:
        raise Exception(f"Refusing to delete ADS or NTFS stream: {filepath_str}")

    # Reject symbolic links and reparse points (junctions, mount points)
    if os.path.islink(filepath):
        raise Exception(f"Refusing to delete symbolic link: {filepath}")

    # st_file_attributes is only populated on Windows, where this script runs
    attrs = getattr(os.lstat(filepath), 'st_file_attributes', 0)
    if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
        raise Exception(f"Refusing to delete reparse point: {filepath}")

    resolved_filepath = filepath.resolve()

    # Ensure it's a regular file, not a directory or device
    if not resolved_filepath.is_file():
        raise Exception(f"Target is not a regular file: {resolved_filepath}")

    # Perform deletion
    os.remove(resolved_filepath)

def main(argv):
    write_debug_file(argv[0], "Started")
    msg = setup_and_check_message(argv)

    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        try:
            file_path = alert["data"]["virustotal"]["source"]["file"]
            if os.path.exists(file_path):
                secure_delete_file(file_path, argv[0])
                write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
            else:
                write_debug_file(argv[0], f"File does not exist: {file_path}")
        except Exception as error:
            # Keep the "Error removing threat" text: rule 100612 matches on it
            write_debug_file(argv[0], f"{json.dumps(msg.alert)}: Error removing threat: {error}")
    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")
    sys.exit(OS_SUCCESS)

if __name__ == "__main__":
    main(sys.argv)

The active response script takes the file path from the VirusTotal alert and passes it to secure_delete_file(), which, after its safety checks, removes the file with the os.remove() function:

os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])
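To show the stateful active response exchange that remove-threat.py implements, here is an added simulation (not the post's code and not Wazuh's) of both sides: a stand-in for wazuh-execd sends the add message carrying a constructed rule 87105 alert, the script side replies check_keys with the rule ID, and the file is deleted only on continue. The message shapes follow the script above; the manager-side origin fields, the alert contents and the sample file are assumptions.

```python
import json
import os
import tempfile

def make_alert(file_path):
    """Constructed alert in the shape the VirusTotal integration produces for
    rule 87105; the fields used are the ones remove-threat.py reads."""
    return {"rule": {"id": "87105", "level": 12}, "agent": {"id": "001"},
            "data": {"virustotal": {"positives": 42, "source": {"file": file_path}}}}

class FakeManager:
    """Stand-in for wazuh-execd (assumed origin fields). Messages cross the
    'wire' as JSON lines, as they do on the script's stdin/stdout."""
    def __init__(self, decision):
        self.decision = decision          # what to answer to check_keys
        self.received = []                # messages the script sent back

    def add_message(self, alert):
        return json.dumps({"version": 1,
                           "origin": {"name": "node01", "module": "wazuh-execd"},
                           "command": "add",
                           "parameters": {"extra_args": [], "alert": alert,
                                          "program": "remove-threat.exe"}})

    def answer(self, line):
        self.received.append(json.loads(line))
        return json.dumps({"version": 1,
                           "origin": {"name": "node01", "module": "wazuh-execd"},
                           "command": self.decision, "parameters": {}})

def script_side(first_line, manager):
    """Simplified remove-threat flow: add -> check_keys -> continue/abort -> delete."""
    msg = json.loads(first_line)
    if msg.get("command") != "add":
        return "invalid"
    alert = msg["parameters"]["alert"]
    check_keys = json.dumps({"version": 1,
                             "origin": {"name": "remove-threat.exe", "module": "active-response"},
                             "command": "check_keys",
                             "parameters": {"keys": [alert["rule"]["id"]]}})
    if json.loads(manager.answer(check_keys)).get("command") != "continue":
        return "aborted"
    path = alert["data"]["virustotal"]["source"]["file"]
    if os.path.islink(path) or not os.path.isfile(path):
        return "skipped"              # same class of guard the script applies
    os.remove(path)
    return "removed"

def run_exchange(decision):
    """Drive one exchange against a throwaway file; returns (outcome, file_still_exists, keys_sent)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "invoice.exe")     # constructed stand-in for the flagged file
        with open(sample, "wb") as f:
            f.write(b"not really malware")
        manager = FakeManager(decision)
        outcome = script_side(manager.add_message(make_alert(sample)), manager)
        return outcome, os.path.exists(sample), manager.received[0]["parameters"]["keys"]
```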
  2. Download and install the latest version of Python with pip pre-installed. Then, select the following checkboxes during installation:
  • Use admin privileges when installing py.exe.
  • Add python.exe to PATH.

Note

This step is optional if Python is already installed on the Windows endpoint.

  3. Run the following command with administrative privileges to install PyInstaller using PowerShell:
> pip install -U pyinstaller
  4. Change to the directory where the Python script remove-threat.py is located and convert it to an executable with the following command:
> pyinstaller -F remove-threat.py
  5. Move the executable file, remove-threat.exe, from the \dist folder under your current working directory to the C:\Program Files (x86)\ossec-agent\active-response\bin folder.
  6. Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:
> Restart-Service -Name wazuh

Wazuh dashboard

Perform the following steps on the Wazuh dashboard to configure the Wazuh server to scan the Gunra ransomware executable files with VirusTotal:

  1. Click on the upper left menu ☰, navigate to Server management > Settings.
  2. Click Edit configuration.
  3. Append the configuration below to the file. Replace the <API_KEY> variable with your VirusTotal API key to scan the Gunra ransomware executable files with VirusTotal:
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>554,550</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

The FIM rule IDs 554 and 550 detect file addition and modification events, respectively.

  4. Append the following configuration for the Wazuh Active Response module to remove the malicious files:
<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
  5. Click Save and Restart Manager to apply the changes.
  6. Click on the upper left menu ☰, navigate to Server management > Rules > Manage rules files > Custom rules, and click the edit icon against the gunra_ransomware_rules.xml file.
  7. Copy the rule below and append it to the gunra_ransomware_rules.xml file to generate alerts when the Wazuh Active Response module successfully removes the malicious files. Click Save.
<group name="virustotal,">
  <rule id="100611" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100612" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

Where:

  • Rule ID 100611 generates an alert when the Wazuh Active Response module successfully removes the Gunra ransomware.
  • Rule ID 100612 generates an alert when the Wazuh Active Response module fails to remove the Gunra ransomware.
  8. Click Reload to apply the changes.

Visualize results

When a variant of Gunra ransomware is downloaded to the victim’s Downloads folder, Wazuh generates alerts and promptly initiates an active response to remove the malicious file. The screenshot below shows that the Wazuh FIM module detects the file addition, which VirusTotal confirms as malicious, triggering Wazuh to take an automated response. Follow these steps to view these alerts:

  1. Navigate to Threat intelligence > Threat Hunting and click the Events tab.
  2. Click + Add filter. Then filter by rule.id.
  3. In the Operator field, select is one of.
  4. Filter for 100611, 100612, 553, 554, 550, and 87105 in the Values field.
  5. Click Save.
Figure 2 – Detection alerts generated on the Wazuh dashboard

Conclusion

Wazuh provides various capabilities for detecting and responding to malware. This blog post highlights how to detect Gunra ransomware activities on a monitored Windows endpoint with Wazuh. We integrated Sysmon with Wazuh to enrich logs from the infected endpoint and created Wazuh detection rules to identify malicious behavior associated with Gunra ransomware. We also demonstrated how to use the Wazuh FIM and Active Response capabilities with the VirusTotal integration to respond to threats.

Consult the Wazuh documentation to refine your setup or explore the capabilities of Wazuh. Feel free to join our community, where our team and other Wazuh users are available to assist you with any questions related to Wazuh.
