Gunra ransomware is a recently identified threat that has been observed targeting Windows endpoints across multiple industries worldwide, including manufacturing and energy sectors. Known for its encryption capabilities and exfiltration tactics, the ransomware follows a double-extortion model, encrypting victim data while simultaneously threatening to leak stolen information on its Tor-hosted leak site. Gunra’s malicious behavior includes enumerating running processes, deleting shadow copies through Windows Management Instrumentation (WMI), gathering system details, and detecting debuggers to evade analysis.
The Gunra ransomware has expanded attacks to healthcare, electronics, and beverage firms. Its new variant appends .ENCRT to encrypted files and drops R3ADM3.txt ransom notes, warning victims that their data has been encrypted and stolen and that it will be leaked in five days. Victims are directed to a Tor-based portal for ransom negotiations, underscoring the group’s double-extortion tactics.
In this blog post, we illustrate how organizations can detect and respond to Gunra ransomware on infected Windows endpoints.
Gunra ransomware behavior
Gunra ransomware exhibits several behaviors when it infects a Windows endpoint. These behaviors include the following:
- The ransomware drops a ransom note file named “R3ADM3.txt” in every directory where it encrypts files.
- It encrypts the victim’s files and appends the extension “.ENCRT” to them.
- It deletes available shadow copies using both the Volume Shadow Copy Service (VSS) and Windows Management Instrumentation (WMI) to hinder recovery and restoration from backups.
- It attempts to stop or disable backup and AV-related services before mass encryption.
- It communicates via Tor portals to negotiate ransom and hide the attacker’s identity.
Analyzed samples
| Hash (SHA256) |
| --- |
| a82e496b7b5279cb6b93393ec167dd3f50aff1557366784b25f9e51cb23689d9 |
| 854e5f77f788bbbe6e224195e115c749172cd12302afca370d4f9e3d53d005fd |
Infrastructure
We use the following infrastructure to demonstrate the detection of Gunra ransomware with Wazuh:
- A pre-built, ready-to-use Wazuh OVA 4.13.0, which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
- A Windows 11 victim endpoint with the Wazuh agent 4.13.0 installed and enrolled to the Wazuh server.
Detection with Wazuh
Configuration
We use Sysmon to enhance visibility into system events and create custom detection rules on the Wazuh server to identify the malicious behavior associated with Gunra ransomware.
Windows endpoint
Perform the following steps to configure the Wazuh agent to capture Sysmon events and send them to the Wazuh server for analysis.
1. Download Sysmon from the Microsoft Sysinternals page.
2. Extract the compressed Sysmon file to your preferred directory.
3. Download the Sysmon configuration file sysmonconfig.xml using PowerShell as an administrator. Replace <SYSMON_EXECUTABLE_PATH> with the directory path to your Sysmon executable.
> Invoke-WebRequest -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
4. Navigate to the folder containing the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
5. Add the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file within the <ossec_config> block to capture and forward Sysmon event logs to the Wazuh server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
6. Restart the Wazuh agent to apply the configuration changes:
> Restart-Service -Name wazuh
Wazuh dashboard
Perform the following steps on the Wazuh dashboard to configure the Wazuh server for Gunra ransomware detection.
Create custom rules
Perform the steps below on the Wazuh dashboard to create and configure custom rules for processing and monitoring logs generated from the Windows endpoint.
1. Navigate to Server management > Rules.
2. Click + Add new rules file.

3. Copy and paste the rules below and name the file gunra_ransomware_rules.xml. Click Save.
<group name="gunra,ransomware,">

  <!-- Ransom note file creation (Sysmon Event ID 11, FileCreate) -->
  <rule id="100601" level="15" timeframe="100" frequency="2" ignore="100">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.Image" type="pcre2">[^"]+\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">[^"]*R3ADM3\.txt</field>
    <description>Possible Gunra ransomware activity detected: Multiple ransom notes dropped in $(win.eventdata.targetFilename)</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

  <!-- Volume Shadow Copy Service loading the Antimalware Scan Interface (Sysmon Event ID 7, ImageLoaded) -->
  <rule id="100602" level="7">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">C:\\\\Windows\\\\System32\\\\VSSVC\.exe</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\\\Windows\\\\System32\\\\amsi\.dll</field>
    <description>Possible ransomware activity detected: Volume Shadow Copy Service (VSSVC.exe) loaded amsi.dll, possible tampering or evasion attempt.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.001</id>
    </mitre>
  </rule>

  <!-- SmartScreen loading urlmon.dll (Sysmon Event ID 7, ImageLoaded) -->
  <rule id="100603" level="7">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(C:\\\\Windows\\\\SystemApps\\\\Microsoft\.Windows\.AppRep\.ChxApp_cw5n1h2txyewy\\\\CHXSmartScreen\.exe)</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\\\Windows\\\\System32\\\\urlmon\.dll</field>
    <description>Possible ransomware activity detected: SmartScreen (CHXSmartScreen.exe) loaded urlmon.dll, consistent with a reputation check on a newly downloaded executable.</description>
  </rule>

  <!-- VSSVC.exe enumerating local group membership (Security Event ID 4799), observed during shadow copy deletion -->
  <rule id="100604" level="7">
    <if_sid>60103</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">Backup Operators</field>
    <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-551</field>
    <field name="win.eventdata.callerProcessName" type="pcre2">C:\\\\Windows\\\\System32\\\\VSSVC\.exe</field>
    <description>Possible Gunra ransomware activity detected: VSSVC.exe enumerated the Backup Operators group, consistent with a shadow copy deletion attempt to inhibit recovery.</description>
    <mitre>
      <id>T1490</id>
    </mitre>
  </rule>

  <rule id="100605" level="7">
    <if_sid>60103</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">Administrators</field>
    <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-544</field>
    <field name="win.eventdata.callerProcessName" type="pcre2">C:\\\\Windows\\\\System32\\\\VSSVC\.exe</field>
    <description>Possible Gunra ransomware activity detected: VSSVC.exe enumerated the local Administrators group, consistent with a shadow copy deletion attempt to inhibit recovery.</description>
    <mitre>
      <id>T1490</id>
    </mitre>
  </rule>

</group>

Where:
- Rule ID 100601 is triggered when multiple Gunra ransom notes named R3ADM3.txt are created within the 100-second timeframe.
- Rule ID 100602 is triggered when the Volume Shadow Copy Service (VSSVC.exe) loads amsi.dll, a possible tampering or evasion attempt.
- Rule ID 100603 is triggered when SmartScreen (CHXSmartScreen.exe) loads urlmon.dll, consistent with a reputation check on a newly downloaded executable.
- Rule ID 100604 is triggered when VSSVC.exe enumerates the Backup Operators group, consistent with a shadow copy deletion attempt to inhibit recovery.
- Rule ID 100605 is triggered when VSSVC.exe enumerates the local Administrators group, also consistent with a shadow copy deletion attempt.
4. Click Reload to apply the changes.
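To make the frequency, timeframe and ignore attributes of rule 100601 concrete, the following is an added Python model of two of the patterns above: the ransom-note correlation of rule 100601 and the VSSVC.exe group enumeration of rule 100604. It is not Wazuh code and the event records are constructed, with field names flattened from Wazuh's win.eventdata JSON. Wazuh's own frequency accounting has subtleties described in the ruleset reference; the sliding window here is the general idea.

```python
"""Sliding-window replay of the Gunra ransom-note rule over constructed events.

Added example, not Wazuh code. It models the frequency/timeframe/ignore semantics
of rule 100601 and the single-event match of rule 100604 so the correlation can be
reasoned about offline. Event shape is simplified from Wazuh's win.eventdata JSON.
"""
import re
from collections import deque

# Wazuh escapes each backslash twice in the XML (\\\\); in a Python raw string a
# single escaped backslash (\\) yields the same pcre2 pattern.
RANSOM_NOTE_RE = re.compile(r'[^"]*R3ADM3\.txt')
ANY_EXE_RE = re.compile(r'[^"]+\.exe')
VSSVC_RE = re.compile(r'C:\\Windows\\System32\\VSSVC\.exe')
BACKUP_OPERATORS_RE = re.compile(r'Backup Operators')
BACKUP_OPERATORS_SID_RE = re.compile(r'S-1-5-32-551')


class RansomNoteCorrelator:
    """Approximates rule 100601: N ransom-note FileCreate events within TIMEFRAME seconds."""

    def __init__(self, frequency=2, timeframe=100, ignore=100):
        self.frequency = frequency    # matching events required...
        self.timeframe = timeframe    # ...within this many seconds
        self.ignore = ignore          # suppress re-firing for this long after an alert
        self.window = deque()         # timestamps of matching events still inside the timeframe
        self.last_alert = None

    @staticmethod
    def matches(event):
        data = event.get("eventdata", {})
        return (event.get("event_id") == 11                        # Sysmon FileCreate (Wazuh 61613)
                and ANY_EXE_RE.search(data.get("Image", "")) is not None
                and RANSOM_NOTE_RE.search(data.get("TargetFilename", "")) is not None)

    def feed(self, event):
        """Returns an alert dict when the rule fires for this event, else None."""
        if not self.matches(event):
            return None
        now = event["ts"]
        if self.last_alert is not None and now - self.last_alert <= self.ignore:
            return None                                          # inside the ignore window
        self.window.append(now)
        while now - self.window[0] > self.timeframe:             # drop events older than the timeframe
            self.window.popleft()
        if len(self.window) >= self.frequency:
            self.last_alert = now
            self.window.clear()
            return {"rule_id": 100601, "level": 15, "file": event["eventdata"]["TargetFilename"]}
        return None


def vss_group_enumeration(event):
    """Approximates rule 100604: Security 4799 with VSSVC.exe as caller and Backup Operators as target."""
    data = event.get("eventdata", {})
    if (event.get("event_id") == 4799
            and BACKUP_OPERATORS_RE.search(data.get("TargetUserName", ""))
            and BACKUP_OPERATORS_SID_RE.search(data.get("TargetSid", ""))
            and VSSVC_RE.search(data.get("CallerProcessName", ""))):
        return {"rule_id": 100604, "level": 7}
    return None


# Constructed events (not real telemetry): the encryptor drops one note per directory,
# then VSSVC enumerates group membership as shadow copies are deleted, then a benign write.
SAMPLE_EVENTS = [
    {"ts": 0, "event_id": 1, "eventdata": {"Image": r"C:\Users\victim\Downloads\sample.exe"}},
    {"ts": 5, "event_id": 11, "eventdata": {"Image": r"C:\Users\victim\Downloads\sample.exe",
                                             "TargetFilename": r"C:\Users\victim\Documents\R3ADM3.txt"}},
    {"ts": 6, "event_id": 11, "eventdata": {"Image": r"C:\Users\victim\Downloads\sample.exe",
                                             "TargetFilename": r"C:\Users\victim\Pictures\R3ADM3.txt"}},
    {"ts": 7, "event_id": 11, "eventdata": {"Image": r"C:\Users\victim\Downloads\sample.exe",
                                             "TargetFilename": r"C:\Users\victim\Music\R3ADM3.txt"}},
    {"ts": 9, "event_id": 4799, "eventdata": {"TargetUserName": "Backup Operators",
                                               "TargetSid": "S-1-5-32-551",
                                               "CallerProcessName": r"C:\Windows\System32\VSSVC.exe"}},
    {"ts": 400, "event_id": 11, "eventdata": {"Image": "notepad.exe",
                                              "TargetFilename": r"C:\Users\victim\Desktop\notes.txt"}},
]


def run(events):
    """Feeds every event to both detections and collects the alerts in order."""
    correlator = RansomNoteCorrelator()
    alerts = []
    for event in events:
        for alert in (correlator.feed(event), vss_group_enumeration(event)):
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Feeding SAMPLE_EVENTS produces one 100601 alert (on the second note, the third falls inside the ignore window) followed by one 100604 alert; two notes 200 seconds apart never fire because the first has left the timeframe.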

Detection results
The alerts below are generated on the Wazuh dashboard when Gunra ransomware is executed on a Windows endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.
1. Navigate to Agents management > Summary and select the Windows agent.
2. Click on Threat Hunting and select the Events tab.
3. Click + Add filter. Select rule.groups in the Field field and is one of in the Operator field.
4. Add gunra and ransomware in the Values field.
5. Click Save.

VirusTotal integration
VirusTotal is a platform that aggregates multiple antivirus products and online scan engines to detect security threats. It provides an API that allows users to query URLs, IP addresses, domains, or file hashes for threat analysis. By integrating VirusTotal with Wazuh, you can configure Wazuh to automatically send file hashes of newly created or modified files on monitored endpoints to the VirusTotal API for real-time threat detection.
For this integration, we configure the Wazuh File Integrity Monitoring (FIM) module and the VirusTotal integration to scan files that are added or modified in specific directories on the Windows endpoint. We also configure the Wazuh Active Response module to automatically delete the files that VirusTotal identifies as malicious.
Windows endpoint
- Add the following configuration within the <syscheck> block in the C:\Program Files (x86)\ossec-agent\ossec.conf file to monitor for changes. In this blog post, we configure the FIM module to monitor the Downloads folder for all users.
<directories realtime="yes">C:\Users\*\Downloads</directories>
- Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:
> Restart-Service -Name wazuh
Active Response Python script configuration
We create an active response script to remove any known variant of Gunra ransomware immediately after VirusTotal identifies it as a threat.
- Create a Wazuh Active Response script, remove-threat.py, on the Windows endpoint with the following content:
Warning: This script is a proof of concept (PoC). Review and validate it to ensure it meets the operational and security requirements of your environment.
# Copyright (C) 2015-2025, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime
import stat
import pathlib

if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1


class message:
    def __init__(self):
        self.alert = ""
        self.command = 0


def write_debug_file(ar_name, msg):
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg + "\n")


def setup_and_check_message(argv):
    # Read the single JSON line ("add" or "delete") that execd writes to stdin
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    msg_obj = message()
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        msg_obj.command = OS_INVALID
        return msg_obj

    msg_obj.alert = data
    command = data.get("command")
    if command == "add":
        msg_obj.command = ADD_COMMAND
    elif command == "delete":
        msg_obj.command = DELETE_COMMAND
    else:
        msg_obj.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + str(command))
    return msg_obj


def send_keys_and_check_message(argv, keys):
    # Ask execd whether to proceed for these keys; it answers "continue" or "abort"
    keys_msg = json.dumps({"version": 1, "origin": {"name": argv[0], "module": "active-response"}, "command": "check_keys", "parameters": {"keys": keys}})
    write_debug_file(argv[0], keys_msg)
    print(keys_msg)
    sys.stdout.flush()

    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID

    action = data.get("command")
    if action == "continue":
        return CONTINUE_COMMAND
    elif action == "abort":
        return ABORT_COMMAND
    else:
        write_debug_file(argv[0], "Invalid value of 'command'")
        return OS_INVALID


def secure_delete_file(filepath_str, ar_name):
    filepath = pathlib.Path(filepath_str)

    # Reject NTFS alternate data streams: any colon after the drive letter (file.txt:stream or file.txt:stream:$DATA)
    if ':' in filepath_str[2:]:
        raise Exception(f"Refusing to delete ADS or NTFS stream: {filepath_str}")

    # Reject symbolic links and reparse points (reparse attribute is only exposed on Windows)
    if os.path.islink(filepath):
        raise Exception(f"Refusing to delete symbolic link: {filepath}")
    if os.name == 'nt':
        attrs = os.lstat(filepath).st_file_attributes
        if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
            raise Exception(f"Refusing to delete reparse point: {filepath}")

    resolved_filepath = filepath.resolve()

    # Ensure it's a regular file
    if not resolved_filepath.is_file():
        raise Exception(f"Target is not a regular file: {resolved_filepath}")

    # Perform deletion
    os.remove(resolved_filepath)


def main(argv):
    write_debug_file(argv[0], "Started")
    msg = setup_and_check_message(argv)
    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        try:
            file_path = alert["data"]["virustotal"]["source"]["file"]
            if os.path.exists(file_path):
                secure_delete_file(file_path, argv[0])
                write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
            else:
                write_debug_file(argv[0], f"File does not exist: {file_path}")
        except OSError as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + f" Error removing threat: {error}")
        except Exception as e:
            write_debug_file(argv[0], f"{json.dumps(msg.alert)}: Error removing threat: {str(e)}")
    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")
    sys.exit(OS_SUCCESS)


if __name__ == "__main__":
    main(sys.argv)
The active response Python script removes the malicious file with os.remove(). The path is taken from the VirusTotal alert and validated in secure_delete_file() (no alternate data streams, symbolic links or reparse points, and a regular file after path resolution) before deletion, so the effective operation is:
os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])
- Download and install the latest version of Python with pip pre-installed. Then, select the following checkboxes during installation:
  - Use admin privileges when installing py.exe.
  - Add python.exe to PATH.
Note: This step is optional if Python is already installed on the Windows endpoint.
- Run the following command with administrative privileges to install PyInstaller using PowerShell:
> pip install -U pyinstaller
- Change to the directory where the Python script remove-threat.py is located and convert the file to an executable file with the following command:
> pyinstaller -F remove-threat.py
- Move the executable file, remove-threat.exe, from the \dist folder under your current working directory to the C:\Program Files (x86)\ossec-agent\active-response\bin folder.
- Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:
> Restart-Service -Name wazuh
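The script above talks to the Wazuh execd process over stdin/stdout: execd sends an "add" message carrying the alert, the script replies with "check_keys", and execd answers "continue" or "abort" before anything is deleted. The following is an added, in-process model of that exchange (not Wazuh code) with a FakeExecd standing in for execd; the message shapes mirror the JSON the PoC script reads and writes, while the node name, the program name and the containment rule (refuse to delete anything that does not resolve to a regular file inside the FIM-monitored Downloads root) are this example's own assumptions and additions.

```python
"""Model of the Wazuh active-response handshake, plus a path-containment check.

Added example, not Wazuh code. FakeExecd stands in for the Wazuh execd process:
it hands the script an "add" message carrying the alert, receives the script's
"check_keys" request and answers "continue" or "abort". The message shapes mirror
the JSON the PoC script reads and writes; the containment rule (only delete inside
the FIM-monitored root) is this example's own addition.
"""
import json
import pathlib
import tempfile

AR_NAME = "remove-threat"   # program name used in the origin field (assumed)
NODE_NAME = "node01"        # manager node name in execd's origin field (assumed)


def build_add_message(rule_id, file_path):
    """The 'add' message execd writes to the script's stdin, trimmed to the fields the script reads."""
    return json.dumps({
        "version": 1,
        "origin": {"name": NODE_NAME, "module": "wazuh-execd"},
        "command": "add",
        "parameters": {
            "extra_args": [],
            "alert": {
                "rule": {"id": str(rule_id)},
                "data": {"virustotal": {"source": {"file": file_path}}},
            },
            "program": AR_NAME,
        },
    })


class FakeExecd:
    """Answers check_keys the way a stateful command would: a repeated key set is aborted."""

    def __init__(self):
        self.seen = set()

    def reply(self, check_keys_msg):
        request = json.loads(check_keys_msg)
        if request.get("command") != "check_keys":
            raise ValueError("script must send check_keys before acting")
        keys = tuple(request["parameters"]["keys"])
        verdict = "abort" if keys in self.seen else "continue"
        self.seen.add(keys)
        return json.dumps({"version": 1,
                           "origin": {"name": NODE_NAME, "module": "wazuh-execd"},
                           "command": verdict, "parameters": {}})


def delete_if_contained(file_path, allowed_root):
    """Delete file_path only if it resolves to a regular file strictly inside allowed_root."""
    root = pathlib.Path(allowed_root).resolve()
    target = pathlib.Path(file_path)
    if target.is_symlink():
        return "refused: symlink"
    resolved = target.resolve()
    if root not in resolved.parents:
        return "refused: outside monitored root"
    if not resolved.is_file():
        return "refused: not a regular file"
    resolved.unlink()
    return "removed"


def handle_add(add_msg, execd, allowed_root):
    """Script side of the exchange: parse the alert, run check_keys, then act on the verdict."""
    data = json.loads(add_msg)
    if data.get("command") != "add":
        return "invalid command"
    alert = data["parameters"]["alert"]
    check_keys = json.dumps({
        "version": 1,
        "origin": {"name": AR_NAME, "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": [alert["rule"]["id"]]},   # the PoC keys on the rule id only
    })
    verdict = json.loads(execd.reply(check_keys))["command"]
    if verdict != "continue":
        return "aborted"
    return delete_if_contained(alert["data"]["virustotal"]["source"]["file"], allowed_root)


def demo():
    """Constructed scenario: one VirusTotal hit inside the monitored Downloads root, one outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = pathlib.Path(tmp, "Downloads")
        downloads.mkdir()
        inside = downloads / "sample.exe"
        inside.write_bytes(b"MZ")                    # placeholder bytes, not malware
        outside = pathlib.Path(tmp, "important.txt")
        outside.write_text("keep me")

        execd = FakeExecd()
        results = [
            handle_add(build_add_message(87105, str(inside)), execd, downloads),
            # same keys as the first alert -> a stateful execd aborts the repeat
            handle_add(build_add_message(87105, str(outside)), execd, downloads),
            # fresh execd, but the path is outside Downloads -> containment refuses it
            handle_add(build_add_message(87105, str(outside)), FakeExecd(), downloads),
        ]
        return results, inside.exists(), outside.exists()


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: the abort branch only matters for stateful commands (timeout_allowed set to yes with a timeout); and because the PoC keys on the rule id alone, a stateful configuration would treat every later VirusTotal hit as a repeat of the first, so the file path belongs in the keys as well.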
Wazuh dashboard
Perform the following steps on the Wazuh dashboard to configure the Wazuh server to scan the Gunra ransomware executable files with VirusTotal:
- Click on the upper left menu ☰, navigate to Server management > Settings.
- Click Edit configuration.

- Append the configuration below to the file. Replace the <API_KEY> variable with your VirusTotal API key to scan the Gunra ransomware executable files with VirusTotal:
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>554,550</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
The FIM rule IDs 554 and 550 detect file addition and modification events, respectively.
- Append the following configuration for the Wazuh Active Response module to remove the malicious files.
<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
- Click Save and Restart Manager to apply changes.

- Click on the upper left menu ☰, navigate to Server management > Rules > Manage rules files > Custom rules, and click the edit icon against the gunra_ransomware_rules.xml file.
- Copy the rules below and append them to the gunra_ransomware_rules.xml file to generate alerts when the Wazuh Active Response module removes, or fails to remove, the malicious files. Click Save.
<group name="virustotal,">
  <rule id="100611" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100612" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

Where:
- Rule ID 100611 generates an alert when the Wazuh Active Response module successfully removes the Gunra ransomware.
- Rule ID 100612 generates an alert when the Wazuh Active Response module fails to remove the Gunra ransomware.
- Click Reload to apply the changes.

Visualize results
When a variant of Gunra ransomware is downloaded to the victim’s Downloads folder, Wazuh generates alerts and promptly initiates an active response to remove the malicious file. The screenshot below shows that the Wazuh FIM module detects the file addition, which VirusTotal confirms as malicious, triggering Wazuh to take an automated response. Follow these steps to view these alerts:
- Navigate to Threat intelligence > Threat Hunting and click the Events tab.
- Click + Add filter. Then filter by rule.id.
- In the Operator field, select is one of.
- Filter for 100611, 100612, 553, 554, 550, and 87105 in the Values field.
- Click Save.

Conclusion
Wazuh provides various capabilities for detecting and responding to malware. This blog post highlights how to detect Gunra ransomware activities on a monitored Windows endpoint with Wazuh. We integrated Sysmon with Wazuh to enrich logs from the infected endpoint and created Wazuh detection rules to identify malicious behaviour associated with Gunra ransomware. We also demonstrated how to use the Wazuh FIM and Active Response capabilities with VirusTotal integration to respond to threats.
Consult the Wazuh documentation to refine your setup or explore the capabilities of Wazuh. Feel free to join our community, where our team and other Wazuh users are available to assist you with any questions related to Wazuh.